adwind | e2c178ff3ce63e5df67787e3ad1c2b4a0c080482b4b29cf590c3e75c7910c0be

Windows Service

Disable or Modify Tools

Processes:

winsvcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	winsvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	winsvcs.exe

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

Processes:

Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\rundll32.exe = "C:\\Windows\\system32\\rundll32.exe:*:Enabled:rundll32"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

Processes:

winsvcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2372 netsh.exe
2348 netsh.exe

pid	process
2372	netsh.exe
2348	netsh.exe

Executes dropped EXE 27 IoCs

Processes:

HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exeTrojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exeTrojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exeTrojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exeHEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exeHEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exeHEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exeTrojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exeTrojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exewinsvcs.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeHEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exesvcc.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exewinint.exesvcc.exe

pid	process
484	HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
2540	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
860	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
468	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
1508	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
1484	HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
1664	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
1732	Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
772	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
2636	winsvcs.exe
884	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
552	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
1964	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
780	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2080	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2828	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
1052	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
700	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
1756	svcc.exe
1800	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
1676	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2392	winint.exe
2000	svcc.exe
39288

Loads dropped DLL 15 IoCs

Processes:

cmd.exetaskmgr.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exerundll32.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.execmd.execmd.exe

pid	process
2704	cmd.exe
2704	cmd.exe
2896	taskmgr.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
884	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
552	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2080	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2828	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2140	cmd.exe
888	cmd.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	107.178.223.183
Destination IP	104.155.138.21

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

Processes:

winsvcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exewinint.exeTrojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exeTrojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exeHEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exesvcc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot = "C:\\Users\\Admin\\AppData\\Roaming\\Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe"	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqzhnfezutu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\agaiqt.exe\""	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\T608060874566080\\winsvcs.exe"	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\T608060874566080\\winsvcs.exe"	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Photoshop = "C:\\Users\\Admin\\AppData\\Roaming\\Photoshop\\Realtek.exe"	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Local\\winint.exe -boot"	winint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyOtApp = "C:\\Users\\Admin\\AppData\\Roaming\\MyOtApp\\MyOtApp.exe"
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fastrec = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\fastrec.dll\",fastrec"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcc.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Temps\\svcc.exe\""	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcc.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Temps\\svcc.exe\""	svcc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe

description	ioc	process
File opened (read-only)	\??\S:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\A:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\E:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\K:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\N:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\Z:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\B:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\G:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\H:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\O:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\V:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\Y:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\I:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\Q:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\R:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\T:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\U:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\W:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\X:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\J:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\L:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\M:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
File opened (read-only)	\??\P:	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

269 checkip.dyndns.org

flow	ioc
269	checkip.dyndns.org

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

persistence privilege_escalation

Processes:

Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\Startup = "fastrec"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\Impersonate = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\Asynchronous = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\MaxWait = "1"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\DllName = "C:\\Users\\Admin\\AppData\\Local\\fastrec.dll"	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe

Drops file in System32 directory 2 IoCs

Processes:

description ioc process

File created C:\Windows\System32\test.txt
File opened for modification C:\Windows\System32\test.txt

description	ioc	process
File created	C:\Windows\System32\test.txt
File opened for modification	C:\Windows\System32\test.txt

Suspicious use of SetThreadContext 14 IoCs

Processes:

Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeHEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exesvcc.exesvcc.exewinint.exe

description	pid	process	target process
PID 2464 set thread context of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2540 set thread context of 884	2540	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
PID 552 set thread context of 780	552	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
PID 1964 set thread context of 2080	1964	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
PID 1664 set thread context of 700	1664	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
PID 2828 set thread context of 1800	2828	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
PID 1052 set thread context of 1676	1052	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
PID 1756 set thread context of 2000	1756	svcc.exe	svcc.exe
PID 2000 set thread context of 1456	2000	svcc.exe	svchost.exe
PID 2000 set thread context of 2728	2000	svcc.exe	svchost.exe
PID 2000 set thread context of 308	2000	svcc.exe	svchost.exe
PID 2000 set thread context of 2028	2000	svcc.exe	svchost.exe
PID 2000 set thread context of 2452	2000	svcc.exe	svchost.exe
PID 2392 set thread context of 39288	2392	winint.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/860-59-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/860-66-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/860-69-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/860-68-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/860-65-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/860-64-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1732-96-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1732-99-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1732-98-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1732-97-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1732-104-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/860-155-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

Processes:

HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe

description	ioc	process
File created	C:\Windows\T608060874566080\winsvcs.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
File opened for modification	C:\Windows\T608060874566080\winsvcs.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
File opened for modification	C:\Windows\T608060874566080	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

nslookup.exenslookup.exenetsh.exenslookup.exenslookup.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exeTrojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exenslookup.exenslookup.exenslookup.exeWScript.exenslookup.exeHEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exePING.EXEnslookup.execmd.exeTrojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exenslookup.exenslookup.exenslookup.exenslookup.exesvchost.exenslookup.exenslookup.exesvchost.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exenslookup.exenslookup.exeHEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exenslookup.exenslookup.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.execmd.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exenslookup.exenslookup.exenslookup.exenslookup.exewinsvcs.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exenslookup.exenslookup.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exenslookup.exenslookup.execmd.exenslookup.exenslookup.exesvcc.exenslookup.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exenslookup.exenslookup.exenslookup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXEcmd.exePING.EXE

pid process

1488 cmd.exe
1404 PING.EXE
1516 cmd.exe
864 PING.EXE

pid	process
1488	cmd.exe
1404	PING.EXE
1516	cmd.exe
864	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0C70D541-9ED3-11EF-9204-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000009cf626b6a07b0cd12ab16c55fe388fc85570ea332bd018cf7cd10c017a79a58e000000000e800000000200002000000083ca25039aab03f37fb7aab25a8aa5b851fcf8e22dfab3bff59979580611eea720000000d31990b7ea5500557c37a610493c55725273837b90a59d4a4799dccb36c63d4340000000fea87460383e453c0e4db3f79cdcd6a5cb6bbb8e0fa7be72e0d6c6388f03632bf2bc8d9be421c6d09774164f82fd065989e6169d86a34df3de3e945653cec79e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000a67fffd1d00fcbcaab53e4209ec7f0574dade5ba0ff3f08631990d230f9a23c1000000000e80000000020000200000006d174e9f8afe36e3915fd689adc3de5f5ee8dbaacd9f083ebd1d40792ec3fb6b900000006da008e108ad7fa3a1cf8354c4b4e94e11e76666bc3bfbc978d4b146d4c6a00fc0c6363c0e30c10516bd0cce180984ece52675adc40cfe945b90b9b7260525fb2383c5286207f4ea989a141d9f5b748a2649fec7c0539e51c76e7811302411bca30a97bc20bd55bbc0b6cb3c38e83f3cd17f0ff6c7c67425e618b0ac9120ce3deef973c4aeea7f4ed9723aa78bf671c240000000aa1220c8ea1a8925825627d360bb52f47523022b84a18d2ebc03a66218361458588d6a8f9fd2148db153adf31a51320a91cc61103e69db11f6497bd107c61ba8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 108322e2df32db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

864 PING.EXE
1404 PING.EXE

pid	process
864	PING.EXE
1404	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

Processes:

pid	process
484	HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
2540	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
1664	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1484	HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
1508	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
860	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
1732	Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeTrojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exeTrojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exeHEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe

pid	process
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
468	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
468	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
468	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
468	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
468	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
2896	taskmgr.exe
860	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
860	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
2896	taskmgr.exe
1508	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

pid process

2896 taskmgr.exe
1800 heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

7zFM.exetaskmgr.exeHEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exeHEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeHEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeHEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exeheur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exesvcc.exewinint.exe

description	pid	process
Token: SeRestorePrivilege	1916	7zFM.exe
Token: 35	1916	7zFM.exe
Token: SeSecurityPrivilege	1916	7zFM.exe
Token: SeDebugPrivilege	2896	taskmgr.exe
Token: SeDebugPrivilege	1508	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
Token: SeDebugPrivilege	1664	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
Token: SeDebugPrivilege	2540	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	484	HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
Token: SeDebugPrivilege	884	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	552	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	1964	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	2080	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	2828	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	1052	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	1800	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: 33	1800	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeIncBasePriorityPrivilege	1800	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
Token: SeDebugPrivilege	1756	svcc.exe
Token: SeDebugPrivilege	2392	winint.exe
Token: SeDebugPrivilege	39288

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exetaskmgr.exe

pid	process
1916	7zFM.exe
1916	7zFM.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exesvcc.exeiexplore.exeIEXPLORE.EXE

pid	process
1800	heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
2000	svcc.exe
2964	iexplore.exe
2964	iexplore.exe
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2540
2552
39288

Suspicious use of UnmapMainImage 2 IoCs

Processes:

Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exeTrojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe

pid	process
860	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
1732	Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeTrojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exeHEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exeHEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe

description	pid	process	target process
PID 2704 wrote to memory of 484	2704	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
PID 2704 wrote to memory of 484	2704	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
PID 2704 wrote to memory of 484	2704	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
PID 2704 wrote to memory of 484	2704	cmd.exe	HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
PID 2704 wrote to memory of 2540	2704	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
PID 2704 wrote to memory of 2540	2704	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
PID 2704 wrote to memory of 2540	2704	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
PID 2704 wrote to memory of 2540	2704	cmd.exe	HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
PID 2704 wrote to memory of 1664	2704	cmd.exe	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
PID 2704 wrote to memory of 1664	2704	cmd.exe	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
PID 2704 wrote to memory of 1664	2704	cmd.exe	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
PID 2704 wrote to memory of 1664	2704	cmd.exe	HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
PID 2704 wrote to memory of 1748	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
PID 2704 wrote to memory of 1748	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
PID 2704 wrote to memory of 1748	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
PID 2704 wrote to memory of 1748	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
PID 2704 wrote to memory of 1484	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
PID 2704 wrote to memory of 1484	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
PID 2704 wrote to memory of 1484	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
PID 2704 wrote to memory of 1484	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
PID 2704 wrote to memory of 536	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
PID 2704 wrote to memory of 536	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
PID 2704 wrote to memory of 536	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
PID 2704 wrote to memory of 536	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
PID 2704 wrote to memory of 1508	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
PID 2704 wrote to memory of 1508	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
PID 2704 wrote to memory of 1508	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
PID 2704 wrote to memory of 1508	2704	cmd.exe	HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
PID 2704 wrote to memory of 468	2704	cmd.exe	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
PID 2704 wrote to memory of 468	2704	cmd.exe	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
PID 2704 wrote to memory of 468	2704	cmd.exe	Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
PID 2704 wrote to memory of 2464	2704	cmd.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2704 wrote to memory of 2464	2704	cmd.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2704 wrote to memory of 2464	2704	cmd.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2704 wrote to memory of 2464	2704	cmd.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2704 wrote to memory of 860	2704	cmd.exe	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
PID 2704 wrote to memory of 860	2704	cmd.exe	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
PID 2704 wrote to memory of 860	2704	cmd.exe	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
PID 2704 wrote to memory of 860	2704	cmd.exe	Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
PID 2704 wrote to memory of 1732	2704	cmd.exe	Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
PID 2704 wrote to memory of 1732	2704	cmd.exe	Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
PID 2704 wrote to memory of 1732	2704	cmd.exe	Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
PID 2704 wrote to memory of 1732	2704	cmd.exe	Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 2464 wrote to memory of 772	2464	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe	Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
PID 1748 wrote to memory of 2636	1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe	winsvcs.exe
PID 1748 wrote to memory of 2636	1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe	winsvcs.exe
PID 1748 wrote to memory of 2636	1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe	winsvcs.exe
PID 1748 wrote to memory of 2636	1748	HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe	winsvcs.exe
PID 536 wrote to memory of 596	536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe	nslookup.exe
PID 536 wrote to memory of 596	536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe	nslookup.exe
PID 536 wrote to memory of 596	536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe	nslookup.exe
PID 536 wrote to memory of 596	536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe	nslookup.exe
PID 536 wrote to memory of 1820	536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe	nslookup.exe
PID 536 wrote to memory of 1820	536	HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe	nslookup.exe

outlook_office_path 1 IoCs

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path 1 IoCs

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00353.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1916

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
  HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- - C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
    "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
  - - C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
      "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1516
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 1000
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe" "C:\Users\Admin\AppData\Local\winint.exe"
    3⤵
    PID:2376
- - C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
    "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
  - - C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
      "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
      4⤵
      Executes dropped EXE
      PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\winint.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:888
  - - C:\Users\Admin\AppData\Local\winint.exe
      "C:\Users\Admin\AppData\Local\winint.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2392
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
  HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- - C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
    "HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
      "C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:552
    - - C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
        5⤵
        Executes dropped EXE
        
        PID:780
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1488
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 1000
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1404
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
  HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- - C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
    "HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:700
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Temps\svcc.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2140
      - C:\Users\Admin\AppData\Roaming\Temps\svcc.exe
        
        C:\Users\Admin\AppData\Roaming\Temps\svcc.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\Temps\svcc.exe
        
        "C:\Users\Admin\AppData\Roaming\Temps\svcc.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        9⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:275457 /prefetch:2
        10⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:308
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:828
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:292
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:912
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:780
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:928
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:616
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:852
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10308
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10552
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10672
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10688
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10788
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10836
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10948
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11084
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11116
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11196
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11220
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11272
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11304
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11312
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11320
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11328
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11336
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11344
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11360
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11368
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11376
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:11384
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
  HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\T608060874566080\winsvcs.exe
    C:\Windows\T608060874566080\winsvcs.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    PID:2636
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
  HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1484
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
  HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:596
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:984
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1320
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:948
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:776
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1140
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2008
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2100
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1788
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1580
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2132
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1488
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2348
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns2.wowservers.ru
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns2.wowservers.ru
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup ransomware.bit ns1.wowservers.ru
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup carder.bit ns1.wowservers.ru
    3⤵
    PID:10316
- C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
  HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
  Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:468
- C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
  Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
    Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
    3⤵
    - Modifies firewall policy service
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - System Location Discovery: System Language Discovery
    PID:772
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\fastrec.dll",fastrec C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
      4⤵
      Loads dropped DLL
      PID:2476
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2372
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2348
- C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
  Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:860
- C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
  Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of UnmapMainImage
  PID:1732

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry