Analysis Overview
SHA256
e2c178ff3ce63e5df67787e3ad1c2b4a0c080482b4b29cf590c3e75c7910c0be
Threat Level: Known bad
The file RNSM00353.7z was found to be: Known bad.
Malicious Activity Summary
Imminent RAT
Agenttesla family
Windows security bypass
Gandcrab
Remcos family
Class file contains resources related to AdWind
Modifies Windows Defender Real-time Protection settings
BrbBot
Troldesh, Shade, Encoder.858
Troldesh family
AgentTesla
Modifies firewall policy service
Imminent family
GandCrab payload
Brbbot family
Gandcrab family
AdWind
Remcos
Adwind family
Modifies Windows Firewall
Executes dropped EXE
Unexpected DNS network traffic destination
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Reads user/profile data of local email clients
Modifies WinLogon
Adds Run key to start application
Looks up external IP address via web service
Checks installed software on the system
Accesses Microsoft Outlook profiles
Enumerates connected drives
Suspicious use of SetThreadContext
Drops file in System32 directory
UPX packed file
Drops file in Windows directory
System Network Configuration Discovery: Internet Connection Discovery
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
outlook_office_path
Suspicious use of WriteProcessMemory
Runs ping.exe
outlook_win_path
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious behavior: CmdExeWriteProcessMemorySpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:42
Reported
2024-11-09 19:45
Platform
win7-20240903-en
Max time kernel
195s
Max time network
195s
Command Line
Signatures
AdWind
Adwind family
AgentTesla
Agenttesla family
BrbBot
Brbbot family
Class file contains resources related to AdWind
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
GandCrab payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gandcrab
Gandcrab family
Imminent RAT
Imminent family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\T608060874566080\winsvcs.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\rundll32.exe = "C:\\Windows\\system32\\rundll32.exe:*:Enabled:rundll32" | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe | N/A |
Remcos
Remcos family
Troldesh family
Troldesh, Shade, Encoder.858
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 107.178.223.183 | N/A | N/A |
| Destination IP | 104.155.138.21 | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\T608060874566080\winsvcs.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brbbot = "C:\\Users\\Admin\\AppData\\Roaming\\Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe" | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bqzhnfezutu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\agaiqt.exe\"" | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\T608060874566080\\winsvcs.exe" | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\T608060874566080\\winsvcs.exe" | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Photoshop = "C:\\Users\\Admin\\AppData\\Roaming\\Photoshop\\Realtek.exe" | C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Local\\winint.exe -boot" | C:\Users\Admin\AppData\Local\winint.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyOtApp = "C:\\Users\\Admin\\AppData\\Roaming\\MyOtApp\\MyOtApp.exe" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fastrec = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\fastrec.dll\",fastrec" | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcc.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Temps\\svcc.exe\"" | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcc.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Temps\\svcc.exe\"" | C:\Users\Admin\AppData\Roaming\Temps\svcc.exe | N/A |
Checks installed software on the system
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\Startup = "fastrec" | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\Impersonate = "1" | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\Asynchronous = "1" | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\MaxWait = "1" | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fastrec\DllName = "C:\\Users\\Admin\\AppData\\Local\\fastrec.dll" | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\test.txt | N/A | N/A |
| File opened for modification | C:\Windows\System32\test.txt | N/A | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\T608060874566080\winsvcs.exe | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe | N/A |
| File opened for modification | C:\Windows\T608060874566080\winsvcs.exe | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe | N/A |
| File opened for modification | C:\Windows\T608060874566080 | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\T608060874566080\winsvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Temps\svcc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\nslookup.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0C70D541-9ED3-11EF-9204-FE6EB537C9A6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000009cf626b6a07b0cd12ab16c55fe388fc85570ea332bd018cf7cd10c017a79a58e000000000e800000000200002000000083ca25039aab03f37fb7aab25a8aa5b851fcf8e22dfab3bff59979580611eea720000000d31990b7ea5500557c37a610493c55725273837b90a59d4a4799dccb36c63d4340000000fea87460383e453c0e4db3f79cdcd6a5cb6bbb8e0fa7be72e0d6c6388f03632bf2bc8d9be421c6d09774164f82fd065989e6169d86a34df3de3e945653cec79e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000a67fffd1d00fcbcaab53e4209ec7f0574dade5ba0ff3f08631990d230f9a23c1000000000e80000000020000200000006d174e9f8afe36e3915fd689adc3de5f5ee8dbaacd9f083ebd1d40792ec3fb6b900000006da008e108ad7fa3a1cf8354c4b4e94e11e76666bc3bfbc978d4b146d4c6a00fc0c6363c0e30c10516bd0cce180984ece52675adc40cfe945b90b9b7260525fb2383c5286207f4ea989a141d9f5b748a2649fec7c0539e51c76e7811302411bca30a97bc20bd55bbc0b6cb3c38e83f3cd17f0ff6c7c67425e618b0ac9120ce3deef973c4aeea7f4ed9723aa78bf671c240000000aa1220c8ea1a8925825627d360bb52f47523022b84a18d2ebc03a66218361458588d6a8f9fd2148db153adf31a51320a91cc61103e69db11f6497bd107c61ba8 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 108322e2df32db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Temps\svcc.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00353.7z"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
C:\Windows\T608060874566080\winsvcs.exe
C:\Windows\T608060874566080\winsvcs.exe
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
"HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
"C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
"C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe" "C:\Users\Admin\AppData\Local\winint.exe"
C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
"C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
"C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\fastrec.dll",fastrec C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=out action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Rundll32" dir=in action=allow protocol=any program="C:\Windows\system32\rundll32.exe"
C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
"C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
"C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
"HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe"
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
"C:\Users\Admin\AppData\Local\Temp\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda\heur-trojan-ransom.msil.crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
"C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Temps\svcc.exe"
C:\Users\Admin\AppData\Roaming\Temps\svcc.exe
C:\Users\Admin\AppData\Roaming\Temps\svcc.exe
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\winint.exe"
C:\Users\Admin\AppData\Local\winint.exe
"C:\Users\Admin\AppData\Local\winint.exe"
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Users\Admin\AppData\Roaming\Temps\svcc.exe
"C:\Users\Admin\AppData\Roaming\Temps\svcc.exe"
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | brb.3dtuts.by | udp |
| RU | 185.84.108.232:80 | brb.3dtuts.by | tcp |
| NL | 194.109.206.212:443 | tcp | |
| N/A | 127.0.0.1:49257 | tcp | |
| US | 8.8.8.8:53 | ipv4bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | ns1.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns1.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns1.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns1.wowservers.ru | udp |
| US | 8.8.8.8:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| N/A | 127.0.0.1:49293 | tcp | |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | u.lewd.se | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | paste.is | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| NL | 92.63.197.48:80 | tcp | |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| DE | 193.23.244.244:443 | tcp | |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| NL | 92.63.197.48:80 | tcp | |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| RU | 185.84.108.232:80 | brb.3dtuts.by | tcp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | hicham9risa.duckdns.org | udp |
| US | 192.169.69.25:9191 | hicham9risa.duckdns.org | tcp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 192.169.69.25:9191 | hicham9risa.duckdns.org | tcp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 192.169.69.25:9191 | hicham9risa.duckdns.org | tcp |
| NL | 92.63.197.60:80 | tcp | |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 192.169.69.25:9191 | hicham9risa.duckdns.org | tcp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| RU | 185.84.108.232:80 | brb.3dtuts.by | tcp |
| US | 192.169.69.25:9191 | hicham9risa.duckdns.org | tcp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 192.169.69.25:9191 | hicham9risa.duckdns.org | tcp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 192.169.69.25:9191 | hicham9risa.duckdns.org | tcp |
| US | 8.8.8.8:53 | r.driftinhishouse.com | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| BG | 212.73.150.132:9988 | tcp | |
| NL | 92.63.197.60:80 | tcp | |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| US | 23.192.22.89:443 | learn.microsoft.com | tcp |
| US | 23.192.22.89:443 | learn.microsoft.com | tcp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 23.192.22.89:443 | learn.microsoft.com | tcp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 192.169.69.25:9191 | hicham9risa.duckdns.org | tcp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 192.169.69.25:9191 | hicham9risa.duckdns.org | tcp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 192.169.69.25:9191 | hicham9risa.duckdns.org | tcp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| RU | 185.84.108.232:80 | brb.3dtuts.by | tcp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 192.169.69.25:9191 | hicham9risa.duckdns.org | tcp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| BG | 212.73.150.132:5555 | tcp | |
| NL | 92.63.197.112:80 | tcp | |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 192.169.69.25:9191 | hicham9risa.duckdns.org | tcp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | hicham9risa.duckdns.org | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 192.169.69.25:9191 | hicham9risa.duckdns.org | tcp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 107.178.223.183:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| US | 104.155.138.21:53 | ns2.wowservers.ru | udp |
| NL | 92.63.197.112:80 | tcp | |
| RU | 185.84.108.232:80 | brb.3dtuts.by | tcp |
| US | 8.8.8.8:53 | rosugoshurgurhus.ru | udp |
| US | 8.8.8.8:53 | gsisirfjjdissofj.ru | udp |
| US | 8.8.8.8:53 | rgouusrsuoonenue.ru | udp |
| US | 8.8.8.8:53 | euignjsosjfhgidi.ru | udp |
| US | 8.8.8.8:53 | oegoafaueoueuueu.ru | udp |
| US | 8.8.8.8:53 | eueininiavaeiiae.ru | udp |
| US | 8.8.8.8:53 | nfaiiaeiinbbivii.ru | udp |
| US | 8.8.8.8:53 | pppsooodlldliifi.ru | udp |
| US | 8.8.8.8:53 | aigiaeuiuueueuer.ru | udp |
| US | 8.8.8.8:53 | cnnaiisdiififiur.ru | udp |
| US | 8.8.8.8:53 | eeiieieiifigigid.ru | udp |
| US | 8.8.8.8:53 | ruuiooototoroidj.ru | udp |
| US | 8.8.8.8:53 | ddissisifigifidi.ru | udp |
| US | 8.8.8.8:53 | cicicicciicciiis.ru | udp |
| US | 8.8.8.8:53 | ssorgurufsogusru.ru | udp |
| US | 8.8.8.8:53 | eoppgjrsokoedosh.ru | udp |
| US | 8.8.8.8:53 | geoaueoafugaeije.ru | udp |
| US | 8.8.8.8:53 | nnvmmsiisirurutt.ru | udp |
| US | 8.8.8.8:53 | auueieieiiighisf.ru | udp |
| US | 8.8.8.8:53 | eoooeghgosofofjs.ru | udp |
| US | 8.8.8.8:53 | eogoehoshefheguh.ru | udp |
| US | 8.8.8.8:53 | sgsourfsuofgsgur.ru | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/2896-22-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2896-23-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Blocker.gen-df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9.exe
| MD5 | 432ba153efea3d30c1367b5e041f969f |
| SHA1 | f676f6d61380f1c834e326882337120d25001326 |
| SHA256 | df46d7a13fb63c2a7575a650b83a090f24ae1b8766be004a4c0da3e2cf92aaf9 |
| SHA512 | 953997df300f54482d2097d2055a981a15b971e219a78a204d1c8e1aecce43eb419a68cf9728023e9a31c4c21f2f42cc63f38d2e2c704226fc5431fa90b9896c |
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.Crusis.gen-71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda.exe
| MD5 | 3d0040526a931f0d05a462f135db2f11 |
| SHA1 | 367e4803bda212751b5f3d2d8c2b1e548c31e2a9 |
| SHA256 | 71291d338968aa429dcfddf5b313ffd18e0e8144f50d95f9fcc66750fde15dda |
| SHA512 | bf208959e37f7c20b127335bdf76b6ac68fb99dad67f2a8df19687987f5878d783b15f305354f6acab71b2e99f77518b9fe53fa5f4b20bcaff8e51d1ab5f42ac |
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Blocker.gen-2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49.exe
| MD5 | c48d388865974e298effaff61f218c09 |
| SHA1 | e04d569ad722ea11db98ddec80571b51b30e3e10 |
| SHA256 | 2596926944154f01477fb51f21d48eec37fa8976b139a9ca8293bfc5279fec49 |
| SHA512 | 268aef7ffa271e1361ed12ffa935fff7150e5bdf62ddd4612a9857fce2dc5b755efa2e720ad0acf14f60b8be907689b27e00c4df609f14cbcc842e6764266efe |
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Crypmod.gen-62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a.exe
| MD5 | 5c9bc3f800653cc305609c45079030c7 |
| SHA1 | 7ce9f54cdf4591057f5d5c14fe1db43c4336b9fd |
| SHA256 | 62995e2a5c4384054be5df6c4559a9ddc407b3d02110039213e702085320c22a |
| SHA512 | 330383e0f4b62fc1be225ec31e924bb06d67a51ac740a914a314f2c41e78ca2dbcd92228217589724f9dfc7658c785dfb1f41984b428e9b86c8ae051a6c01e8e |
C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Shade.pkb-c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5.exe
| MD5 | 4729e10754540ddf55fcb581e74337c4 |
| SHA1 | e4c630ddf86858b556e743d2a0e8406fc5e4f0aa |
| SHA256 | c80df024a87872e53a1df50061079e2e973673c68fc81dbdfd79d989dd8212b5 |
| SHA512 | a3029af15d97480f77f200aa2784b99b361574cb8e1ecadfb4bf22771414bb5eefbf4eac7fc1fd02fb3dd1a1891b832c26255f3ce3013fff061f0939f8ae4a05 |
C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Shade.pjy-dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553.exe
| MD5 | ece706920bdc5503c1d5dbe105892f70 |
| SHA1 | 0709457d0fc0eed2f2c78e202f2080190ef8b4b8 |
| SHA256 | dc46178df311e85dbac68168f206272d2a49d3823a322fa023dd15691a9c1553 |
| SHA512 | cb20dde4d9b5675cbf9532438f0dc97d36b374f5ec8036837b613b9b40b9ef3c21492c6bc74854e3ed3daa995d91df46304524a4b6027245a4308b3afcd845a7 |
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce.exe
| MD5 | e199ffd9339f042d05d54a0c54402704 |
| SHA1 | 2b5ddebbc69362f01e79075e0e26337f15341969 |
| SHA256 | 96254017c302dfa9b48ccea19f5a089dcd8807c8ca8b5958c373a04b8a07e1ce |
| SHA512 | b14512432d68c332e67147ed933c567ce9c7f45312a6b8a9c11c969603d2f448cde4aad51d917b218bb790a9546cc3ffab3b10ca4200cc6a54376f339cc79bd7 |
C:\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.SageCrypt.dqq-0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea.exe
| MD5 | a67491274285c9f8034e5ab092c61534 |
| SHA1 | cdf8eb16dace3e0dd0e472d4c4d09a7be6c6854f |
| SHA256 | 0d4ade5eb23386bac3650eed6d7e8c311d9cfc399b50674e8489a5328ccc58ea |
| SHA512 | bd891574194c09bbf8b60f8270f4f25a2c2e8073f84853f112700b75c5245e32a8a6214d8374052654f7d98b5df459f57a7bc0637422078e3889b2e1cdfb40ad |
\Users\Admin\Desktop\00353\Trojan-Ransom.Win32.Blocker.ldrx-6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1.exe
| MD5 | 6aa102d454ec4dd8a2d5d65ae76aaa7b |
| SHA1 | 25cee51dd9e17a1156dab013ea3b183f898e0ef0 |
| SHA256 | 6b3c7fc050b45545b98269c1c0d87eab38380510a7238ee1e914ff963d6e06f1 |
| SHA512 | ec7c8832b5daa6b0f39b40468c08126528123d79825074a18034eff606423fe3fb2d9c3d19ba574f9df962ed540387c9fe3ff456537415f4bae6760cd89b4256 |
memory/2540-51-0x0000000000810000-0x00000000008B8000-memory.dmp
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.Generic-29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a.exe
| MD5 | cf7e7fa31187cb6f85a7f5e5011cd9d0 |
| SHA1 | f926b5f2631be6063f4e3c770a4f09d52a96e088 |
| SHA256 | 29d77cf18daae8e6304c61f9c2dfd22ba124576b99e190aa39552225fabf496a |
| SHA512 | 4a598de30417f1205ab5b96dd630e1883d33d05218290e364e38c4e01cc9fc294987dd31983fcdd8f5e6d1b0ad6f4012f74b0445e74a62f12b4669704fc964be |
memory/772-57-0x0000000000400000-0x0000000000433000-memory.dmp
memory/484-58-0x00000000011B0000-0x000000000131E000-memory.dmp
memory/860-59-0x0000000000400000-0x0000000000608000-memory.dmp
memory/772-55-0x0000000000400000-0x0000000000433000-memory.dmp
memory/772-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1664-63-0x0000000000BE0000-0x0000000000C52000-memory.dmp
C:\Users\Admin\Desktop\00353\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca.exe
| MD5 | adfe502690be1a44154128734b8973f7 |
| SHA1 | c1f7c2d94a205ae72418ae3b33763c64a5db6bbe |
| SHA256 | 3cdd857e90e3d210c991232d4c9de9339a7f2fa941aac7c7d27dc321b4e968ca |
| SHA512 | 4bc694f1877daccb70d467d6d29521be5a4a5045e54b074a54a5ca4e5ac86a17cd6e63471ecd5a839dad058cc65842ba8d4bd1e83952f6e54c67bb66931d66e4 |
memory/1748-39-0x0000000000400000-0x0000000000447000-memory.dmp
memory/860-66-0x0000000000400000-0x0000000000608000-memory.dmp
memory/860-69-0x0000000000400000-0x0000000000608000-memory.dmp
memory/860-68-0x0000000000400000-0x0000000000608000-memory.dmp
memory/860-65-0x0000000000400000-0x0000000000608000-memory.dmp
memory/860-64-0x0000000000400000-0x0000000000608000-memory.dmp
memory/536-72-0x0000000000400000-0x000000000045C000-memory.dmp
memory/536-73-0x00000000002A0000-0x00000000002B7000-memory.dmp
memory/2540-75-0x0000000000370000-0x000000000038A000-memory.dmp
memory/484-77-0x0000000000450000-0x000000000046E000-memory.dmp
memory/1664-76-0x0000000000310000-0x000000000032C000-memory.dmp
memory/2636-92-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1748-91-0x0000000000270000-0x00000000002B7000-memory.dmp
memory/1748-90-0x0000000000270000-0x00000000002B7000-memory.dmp
memory/1732-96-0x0000000000400000-0x0000000000608000-memory.dmp
memory/1732-99-0x0000000000400000-0x0000000000608000-memory.dmp
memory/1732-98-0x0000000000400000-0x0000000000608000-memory.dmp
memory/1732-97-0x0000000000400000-0x0000000000608000-memory.dmp
memory/1748-101-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1732-104-0x0000000000400000-0x0000000000608000-memory.dmp
memory/536-110-0x0000000000400000-0x000000000045C000-memory.dmp
memory/1484-109-0x0000000000400000-0x00000000004D8000-memory.dmp
memory/884-112-0x0000000000400000-0x0000000000456000-memory.dmp
memory/884-114-0x0000000000400000-0x0000000000456000-memory.dmp
memory/884-116-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2636-118-0x0000000000400000-0x0000000000447000-memory.dmp
memory/884-124-0x0000000000400000-0x0000000000456000-memory.dmp
memory/884-126-0x0000000000400000-0x0000000000456000-memory.dmp
memory/884-122-0x0000000000400000-0x0000000000456000-memory.dmp
memory/884-121-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/884-119-0x0000000000400000-0x0000000000456000-memory.dmp
memory/884-127-0x0000000000270000-0x0000000000280000-memory.dmp
memory/884-128-0x0000000004C70000-0x0000000004D1E000-memory.dmp
memory/884-129-0x00000000002D0000-0x00000000002F8000-memory.dmp
memory/884-131-0x0000000000700000-0x0000000000708000-memory.dmp
memory/884-130-0x00000000006A0000-0x00000000006B0000-memory.dmp
memory/484-141-0x0000000000D00000-0x0000000000D01000-memory.dmp
memory/484-139-0x0000000000D00000-0x0000000000D01000-memory.dmp
memory/484-138-0x0000000000CF0000-0x0000000000CF5000-memory.dmp
memory/484-136-0x0000000000CF0000-0x0000000000CF5000-memory.dmp
memory/484-134-0x0000000000CF0000-0x0000000000CF5000-memory.dmp
memory/484-133-0x0000000000CF0000-0x0000000000CF5000-memory.dmp
memory/484-132-0x0000000000CF0000-0x0000000000CF5000-memory.dmp
memory/552-151-0x0000000000BD0000-0x0000000000C78000-memory.dmp
memory/484-153-0x0000000000CF0000-0x0000000000CF5000-memory.dmp
memory/1964-154-0x0000000000CE0000-0x0000000000D88000-memory.dmp
memory/860-155-0x0000000000400000-0x0000000000608000-memory.dmp
C:\Users\Admin\AppData\Local\fastrec.dll
| MD5 | 7a6aa5753f3c32eb3a9e6871006d05c8 |
| SHA1 | 9ba8c1d8cea27a30c392ad56d2fd6282d7c09e0a |
| SHA256 | 3fa27df6411555b66968caf5b01ea0e77f033291290b520248f80ecb8265a08d |
| SHA512 | 7f7993dbab0591aa089d302d07ff7da07a21e2e402f3888111b853cf6c1ff318e0fdcd2d0423367d3722246e37d6c3aced11328a1d272fdb39a465ca2916ecd0 |
memory/2828-216-0x0000000000B80000-0x0000000000C28000-memory.dmp
memory/1052-218-0x0000000000120000-0x00000000001C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\install.vbs
| MD5 | c9ec5f6d2b4f513c2469eade8709ce77 |
| SHA1 | ba05f16b5588904c597d66d6e4c4306f741c8443 |
| SHA256 | f2f4c6099fdec1210a9c491a52300de3347d8e9c4c202c9f6f811029460fc65f |
| SHA512 | 95a7dc37828aecc456a6b1c8cb5e64aa137b6d70dc1165ebc5faf61f69428cd3d04f96ca4fb44d000909fa5cb0f9c8d4458e568e8799532708dbcc30d635ee53 |
memory/1756-253-0x0000000001190000-0x0000000001202000-memory.dmp
memory/1676-285-0x0000000000080000-0x00000000000D6000-memory.dmp
memory/1800-299-0x0000000000A50000-0x0000000000A66000-memory.dmp
C:\Users\Admin\AppData\Roaming\Imminent\Path.dat
| MD5 | 6a9b3c9f20fc9c4cea9e76bc46d56718 |
| SHA1 | fdc6e31151c94e86024c904de2fd3eb54ac0b94c |
| SHA256 | 0214841138f81fca251c1a266ef0d8162c236c73aabdfd23d2f9b5e77188b48b |
| SHA512 | 66bb2c96db597fe4fd5db7dd9f93d01525596be7971717f2c099981cbd1c62bc747c7aa769cafe5e8f6ca687db750e2f1ab07e5717b555bedd6ccfb2c3d456e4 |
memory/2392-316-0x0000000000880000-0x00000000009EE000-memory.dmp
memory/1800-354-0x0000000000900000-0x000000000090C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabBC9B.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarBCFE.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9c4aa777ae729491a9804d76669466fd |
| SHA1 | 1c291cb5c7223ac283dbc82fd26f311c04d364f4 |
| SHA256 | 9380f5f512ff549f0860479af1f2cbc6ed65c713e69159a26cb11f5f03f30dc9 |
| SHA512 | 35102ac5087fde08d9730a90b9001e25f98a0d729ca3f902685e3dfdabe983acd1f703b61efa7fedc5f8706ed20c46856fd89d90973a270297f3a381ba9482b1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 03f929c9599aecb9995733caa39f0177 |
| SHA1 | a71d59c6ff4ecdce2815559757d87f1c0e126000 |
| SHA256 | 4c786a613979ff446693af2d5318d602619385800b9c103cc6c6deae19fca9e8 |
| SHA512 | b14120b1ee4609d4bf61ff1478cc15b0106c314f16caffde2f6fbbdd172c46fe96d35b20ba2ecc6bb98d4d853807d22f92646d84b2d619da62f53fe1c9dd3f60 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7cb99b47bbc244ebec35d7673746dc8d |
| SHA1 | 33ef51beb6a4f6515e6e0fb6ab3eb16ef088103f |
| SHA256 | 5e8a87d088968eb753de817bd03630ee669c6860d7068bc67480c490edcbb55b |
| SHA512 | 8745d871c06bea6487d9173ce01ab4bed972180ab8ebd2112dad35e3f851e6a8c27137e1aa2d70da36f88cabcd27b33c9ad356fee06de39da795d69268655b4e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8bc3667017ac128aa2bc2dea90243fac |
| SHA1 | 70aa0c85cd5dda96dcda0f48ee51467fb2e29d50 |
| SHA256 | 6ef5d2ee4024c3a0c602b3d750b094d5ddf4cef755b626c404a74c22631d098a |
| SHA512 | 125e7077c29359995161c40d3faa8417fe93a50de8903e25a5c44d0747abb5e29488dcaf70febf7996712c397b9217339bc67d7dd174e9575f1f12858ceb4380 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6282338b485fa3d6d07c36a2063e7a87 |
| SHA1 | 9502ce6f8f9d5d0af092e787376535ce921a1700 |
| SHA256 | 55c23eab1c023d66403012fc8ceecb7946aa7af04bb19bb08eae36dfc1e66419 |
| SHA512 | a72b04bb4b58e632b1f4736a14931e0028872b5d85e096c7c5bfc490d04f0ccd40a40fea587a3935006aa41eb2625664ca9324cefc97cdebed8b1f76734ebd33 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
| MD5 | 5d6a028bb169af70f786b8c5a24cd992 |
| SHA1 | 0519d9648f03293afc7db57a509b2a0b96e8ddc4 |
| SHA256 | 55f5b9288843798d25c8999185d07201dbf0e06917fa71f0480af4323cb74332 |
| SHA512 | 72e3ad8c15d8e2d9ed5e629eb9a2c0d3b825d6cbc31c36b888bab72e9a5e96f9e7e51a68fec0c20c99d8f1a8761ebe96669172515affc69bc8b8998531e32268 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C
| MD5 | f55da450a5fb287e1e0f0dcc965756ca |
| SHA1 | 7e04de896a3e666d00e687d33ffad93be83d349e |
| SHA256 | 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0 |
| SHA512 | 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | be08777271c2b7d30fce70ac3dc2549b |
| SHA1 | 072bdcc24aec2a20d5efce860aa5928dc4eab3d5 |
| SHA256 | a222bf1f24438cf4afcdea4de4a7ad7ea9933c68aa645c20778afa65ad90b254 |
| SHA512 | 7011e9e6bab400a9655dbd5f01b183991e4987da50e364de881703707e966d7127a82b6afcfd31853ec6606775e7a66c4518dfa8a8ede740d5850aeca38605bc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 558f1de670df35135a861e7b2b8d867b |
| SHA1 | 9da104b55a2b5dafa2735e9cb29ae2f0259e7d33 |
| SHA256 | fe2eaa47c7d8afabbf695b7bd570007819c3e8b3e782bce07b0c9f909b18f4cf |
| SHA512 | 1896458101f321a3286dbfb7bf7d5612695264053fdb7e4e6a4266979eeefce43a7c3266f1742d1a4bc7bc4a8b02845a51d57997d3b88d79410dff4baaf0e084 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 58a6fdd8bc2ae0ec58c6a6d426792be8 |
| SHA1 | eeca3c765036d4fdc7fa304c8a3c36a5fe8f951f |
| SHA256 | 539352c63b820cfadd732efd52385859cfb1ecce9d826cbe7153cc4b71feca5b |
| SHA512 | 5e9078117f55e4b3a316837932ea9fcac081c95f37fc0b8a993da6a16514740301be6ae40019c2b488f14cfd848c4194748c7a27174a1d351373d33f3f86cd8a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 04ff7a15aed27ee3c9493bf1fefee657 |
| SHA1 | 67e0e5f29869e912a993631984a0e990b9daf909 |
| SHA256 | 37cedc7444efe1d6b66495c018663bee5016a488ac3b7fa9024468617c7fbd05 |
| SHA512 | 7cb9dea36f952505479fbdbd40eacf0e6ccb85f6b9379913dcdce38db8abd7cb3eb70d36c12c41dff1666953516eae6129bf99db0455685f5809bdc584422032 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 172d752658796181206fa06e853f2dbb |
| SHA1 | f9f1f8258277cfa8148c08501c9d295246f93025 |
| SHA256 | b3a5aa39f7051d2d16db7374dc5569447c4e24911680c7a941958a98b838e483 |
| SHA512 | b126886059812452cfe8aa7c833405cd49697bc2376e1f8cd1985e38249c1909854389992666f6be94116454a9465a78ad3a37e3e401095b13e762fe3dbafb5c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7f152fb83c13e917a95b9e4b201a61c3 |
| SHA1 | bc245be351c9858e1f5c9e6fd233810d577750ce |
| SHA256 | 90f7c89ec6c639c7b043f5fd17b3d468ad5069bc9d2e7005621d0d2ae196f32f |
| SHA512 | 3edf3f608e4ffb1ac531a7fe734a4ea5f388aa5f3593419cd441d351dd30b1adc53922c1c6d9a987b5cc9cb9d17468873fd294e9a09ece81de7922ab0ac53757 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 051d9575cbb182289c41e12ee86427fc |
| SHA1 | 1e7a079229f6fe22ca704a2f60f05e9b4331b5fb |
| SHA256 | b5dc961bfab82881b8dac73b9772b19ca907929110f4fcc5a8930dba4a6d35e0 |
| SHA512 | 0af15940badebac3217f109aee4efdc1301339c98245392ecaef7d5371f07b3460b062576c39fc81ad4eecb48baa36fb39d7954258b5e2be943d21ef3ee8ddbd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | db2bcfa434b784c1a852263e37119173 |
| SHA1 | 0208ccc937de5f6bd44390830e523569e2d04b00 |
| SHA256 | 8f30f612a4e4d2077f0764c8c19d0764bd203735106fb9bc57df491ffdad5098 |
| SHA512 | 1d750d33e4c2722badf3859749c5ef8ffc8b5cfb1689188b9205c14c1094c47808a69f17eab11a4041dae4b1eaa871c3a13852c111f3a7cfd0d3e71ed4ae5370 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 196f48d971f13d35361b3c4d11a95573 |
| SHA1 | 040ab3c6165e8ab622189d4c4a3c3f20cb2a6e44 |
| SHA256 | d95b5c02975df9018962e7d20c5618729c11301383ca0d5f8ce356d19aa810ed |
| SHA512 | 77463dd57466cb4e86a91593ec46f4abe9c007ce1af5cac3b5b51c66339e8d7b7a4fc8c776b67c350152a73eca6a1b5dd47720325b1526192ba6548503a29782 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4ca75cce782f43c580e0a04a1ae7c4cd |
| SHA1 | 837c83911e70e9f361b933074a086cbf7ce064ac |
| SHA256 | d6f7a7ef0edb011e4e13a44ee2679a750a00da726f7b51067e42e5b40ab3f4b2 |
| SHA512 | 4f5a1381bb80383be524638fc54c65db2e83823f76a6963a53db5cb1697580b3b92dc10625102d06e5890b9dee62cf4cfc01cd950e050a9c27dfbcd2ea64c8dd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 715a316ae3f04041d88d26a060b53047 |
| SHA1 | c732c09f2af1c7e9b6cbb0c6d0d57a3491a7d456 |
| SHA256 | 070baeaa3b8a329ba36de3cb90df572a055e0ae1eb4789c100a4738d8a410737 |
| SHA512 | 590df7452c02c2975e4a80f7323a69003727a50dd2a4d3d38bf56a11f568476505c93f0e5a213c3d4e5cc3bdfc41f103f3dfb6d33686ec241dfed690d32b67c8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9f89e354f7f89b093ce5e9284b3cd881 |
| SHA1 | 62475bb8e25b0800889db140a2ce3454c1488834 |
| SHA256 | ae729776f329e8654e82cad030b95ba5718e6d0d4750f82058acc9522b3577af |
| SHA512 | 1351809cdc798835e119e6cbf9ef01a0955c2b8ffbe2442f3595bf148be251a6770b5581b1707ae41cdb6d7bbe5bba587e37c9f30e19540264a4d7bb3477c214 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6abe65e40e05533ea0f1612b653cfc7f |
| SHA1 | c65da647f3b0a4e97d0444c910fde3b64194ff6f |
| SHA256 | d1781dbcf92a75e956c04247b794540f404be9fde04e7bbc2bab03272255ec9b |
| SHA512 | 8a9961bb2915091ec5670b1e5fa94817a4fddbdca7ccdb0105e12429364e86989e447dd7cefdfcc01c0ea53310785f73777d5f44e19021aec60b2864f98b5e44 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 46079927407b2130051ca0e770e4f082 |
| SHA1 | 973585c9a59d1ae926fedc4f0078942587b9e6d8 |
| SHA256 | c64d57ce951d4d922fc2e00a9111142e8461c0c390b37f32652413a0f50d8d2f |
| SHA512 | 8ada0fc5421be274c38200266fd332d7814ee26ecb76077f18173554e8f79b6111edbeeda246c1eded989af4782c2f927bcabe974982400e3f8c64f6bb887259 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 496328a05e1e8c91c91b14227ad89b1b |
| SHA1 | bfe35d1990f5aa2ce133318034c835a0d75eaf17 |
| SHA256 | 4afbe6bf2f5f45ffafef2cfa6d9f0f0ef79a6d8955fc1fa2b489f3f9453e5aa3 |
| SHA512 | 18c53c56cc463b8198c90f615fae0bddf021f69d2dde0ddfd647b0b770bac08d2049edd8657bae515f62a360ea54f0e3669a4f772ce6b5f1681e321c5233c399 |
memory/39288-1374-0x0000000000080000-0x0000000000156000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tsd.jar
| MD5 | 7da7000ca39ce69997bbcad56fa8d180 |
| SHA1 | 5178465612c87a838fdfaa03b2148baf05a71768 |
| SHA256 | 9d817b32fd59dbbe3a17f0c73d4be0b3301df89be5389bb2e81532bda93e34f8 |
| SHA512 | 5999a976b75bbc457c1b38fa6e0f8149e9ffeedf3e5895d9b4478ffa94d53bf8d38b1df8aa8238423f6eb5b89c0a4bb36fa342033c6597214d12c6def53887d4 |
memory/39288-1402-0x0000000002030000-0x000000000203A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_0.469376876293055138575535259152420219.class
| MD5 | 781fb531354d6f291f1ccab48da6d39f |
| SHA1 | 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68 |
| SHA256 | 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9 |
| SHA512 | 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8 |