Resubmissions

30-05-2024 15:23

240530-ssqdbscg8z 10

29-05-2024 02:55

240529-derlxage98 10

Analysis

  • max time kernel
    95s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30-05-2024 15:23

General

  • Target

    a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe

  • Size

    3.0MB

  • MD5

    f8d5d84914ea87463cb8efbf49a74f55

  • SHA1

    9613d02bc94648af72b9b69be6250479164a48a2

  • SHA256

    a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b

  • SHA512

    b43efbf1d722d51ff1cc78086b3a91817ab2d2c0adcb8f37b01aabc679c8310207c890b7e36fd58096de7465cc3ef44fe0140495c129f6ada946bdc50fb27662

  • SSDEEP

    49152:6QZAdVyVT9n/Gg0P+WhoCsTKyoZ/Pjb6Kt0rbJEuSLz5xXA:jGdVyVT9nOgmh/sTKlZ6K+mLzA

Malware Config

Signatures

  • Detect PurpleFox Rootkit 12 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 13 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese threat groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Drops file in Drivers directory 1 IoCs

    A file was written under C:\Windows\System32\drivers (TXPlatforn.exe -acsi, PID 4968 below); together with the LoadsDriver behaviour of the same process this is consistent with a kernel driver being installed and started as a service.

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs

    Writes a ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters (svchos.exe, PID 2256 below); that DLL is what svchost.exe loads for the service's -k group.

  • Sets service image path in registry 2 TTPs 1 IoCs

    Writes the ImagePath value of a service key (TXPlatforn.exe -acsi, PID 4968 below), i.e. the binary the Service Control Manager launches when the service starts.

  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Checks installed software on the system 1 TTPs

    Looks up entries under the Uninstall registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, its Wow6432Node and HKCU counterparts) to enumerate installed software, e.g. to check for installed security products.

  • Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs

    Bootkits write to the MBR (the first 512-byte sector of the disk) to gain persistence at a level below the operating system. When this fires, compare sector 0 of each physical disk against a known-good copy; on UEFI/GPT systems the firmware ignores MBR boot code, but a rewritten sector is still an indicator.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI device information (the Identifier strings under HKLM\HARDWARE\DEVICEMAP\Scsi) is often read to fingerprint virtual machines and sandboxes from vendor strings such as VBOX, VMware or QEMU. Note that the benign taskmgr.exe instance below (PID 4856) triggers the same signature, so on its own it is weak evidence.

  • Modifies registry class 11 IoCs
  • Runs ping.exe 1 TTPs 9 IoCs

    Used here as a delay, not for network discovery: cmd.exe /c ping -n 2 127.0.0.1 > nul && del ... waits roughly a second and then deletes the dropped Temp\svchost.exe, a common self-removal pattern that leaves ping.exe and the del command in process telemetry.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs

    A kernel driver was loaded (TXPlatforn.exe -acsi, PID 4968 below); identify the file written to the drivers directory and check whether it carries a valid signature, since a driver dropped and loaded by the sample is the likely rootkit component.

  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
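
The three registry signatures above (ServiceDll, ImagePath, and the non-standard svchost -k group visible in the process tree below) are the persistence artifacts worth pulling from a suspect host. The following Python triage is an added example, not part of the sandbox report or of any tool it names: it runs a few rules over constructed service records modelled on this tree. The TXPlatforn.exe service and the 主动防御服务模块 ("Active Defense Service Module") svchost group are names from the report; the ServiceDll value, the baseline group list and the other entries are assumptions. On a real host the records come from HKLM\SYSTEM\CurrentControlSet\Services and the Svchost group map under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, partial baseline of stock svchost -k groups. Build the real one
# from the Svchost registry key of a clean image of the same build.
BASELINE_SVCHOST_GROUPS = {g.lower() for g in (
    "netsvcs", "LocalService", "NetworkService", "LocalSystemNetworkRestricted",
    "LocalServiceNetworkRestricted", "LocalServiceNoNetwork", "RPCSS",
    "DcomLaunch", "wsappx", "utcsvc", "UnistackSvcGroup", "AppReadiness",
)}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ServiceEntry:
    name: str                          # subkey under HKLM\SYSTEM\CurrentControlSet\Services
    image_path: str                    # ImagePath value
    service_dll: Optional[str] = None  # Parameters\ServiceDll value, if present


def normalize(path: str) -> str:
    """Expand the usual SystemRoot spellings, absolutize, and lowercase."""
    p = re.sub(r"^(%systemroot%|%windir%|\\systemroot)(?=\\)", r"c:\\windows",
               path.strip(), flags=re.I)
    if not re.match(r'^"?[a-z]:\\', p, re.I):   # relative ImagePaths are relative to %SystemRoot%
        p = "c:\\windows\\" + p
    return p.lower()


def split_image_path(image_path: str):
    """Separate the executable from its arguments: a quoted path first, otherwise the
    shortest prefix ending in .exe/.sys/.dll (unquoted paths may contain spaces)."""
    p = normalize(image_path)
    m = re.match(r'^(?:"([^"]+)"|(.+?\.(?:exe|sys|dll)(?=\s|$))|(\S+))\s*(.*)$', p)
    if not m:
        return "", ""
    return (m.group(1) or m.group(2) or m.group(3)), m.group(4)


def triage(services):
    """Return (service name, severity, reason) findings."""
    findings = []
    for s in services:
        exe, args = split_image_path(s.image_path)
        if s.service_dll:                       # svchost-hosted: the DLL is the real payload
            dll = normalize(s.service_dll)
            if not dll.startswith(SYSTEM_DIRS):
                findings.append((s.name, "high", f"ServiceDll outside system directories: {dll}"))
            if not dll.endswith(".dll"):        # e.g. a .txt loaded as a module, as in this tree
                findings.append((s.name, "high", f"ServiceDll with non-DLL extension: {dll}"))
            m = re.search(r'-k\s+("[^"]+"|\S+)', args)
            group = m.group(1).strip('"') if m else ""
            if not exe.endswith("\\svchost.exe") or not group:
                findings.append((s.name, "high", "ServiceDll set but ImagePath is not an svchost.exe -k host"))
            elif group not in BASELINE_SVCHOST_GROUPS or not group.isascii():
                findings.append((s.name, "high", f"svchost group not in baseline: {group!r}"))
            continue
        if exe.endswith(".sys"):                # kernel drivers: compare with the signed-driver inventory instead
            continue
        if exe.startswith(USER_WRITABLE):
            findings.append((s.name, "high", f"service binary in user-writable location: {exe}"))
        elif exe.startswith("c:\\windows\\syswow64\\"):
            findings.append((s.name, "medium", f"32-bit service binary in SysWOW64 (rare for built-in services): {exe}"))
        elif not exe.startswith("c:\\windows\\system32\\"):
            findings.append((s.name, "low", f"third-party service binary, verify its signature: {exe}"))
    return findings


# Constructed records modelled on this report's process tree; only the TXPlatforn
# and svchost-group names come from the report, everything else is a stand-in.
SAMPLE_SERVICES = [
    ServiceEntry("Schedule", r"%SystemRoot%\system32\svchost.exe -k netsvcs -p",
                 r"%SystemRoot%\system32\schedsvc.dll"),
    ServiceEntry("disk", r"System32\drivers\disk.sys"),
    ServiceEntry("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ServiceEntry("Sample Svc", r'"C:\Program Files\Vendor\svc host.exe" -run'),
    ServiceEntry("TXPlatforn", r"C:\Windows\SysWOW64\TXPlatforn.exe -auto"),
    ServiceEntry("主动防御服务模块", 'C:\\Windows\\SysWOW64\\svchost.exe -k "主动防御服务模块"',
                 r"C:\Windows\System32\240611343.txt"),
]

if __name__ == "__main__":
    for name, severity, reason in triage(SAMPLE_SERVICES):
        print(f"[{severity}] {name}: {reason}")
```

The baseline set is deliberately incomplete; take it from a clean image of the same build, or the group rule will flag legitimate groups. Location checks alone would not catch this sample's ServiceDll, which sits in System32, so the extension and group rules carry the weight.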

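When the MBR signature fires, the check is to read sector 0 and diff it against a known-good copy. The parser below is an added example, not code from the report; the two sectors it compares are constructed stand-ins (a "known-good" MBR and a copy whose boot code was overwritten while the partition table and disk signature stay intact, which is how a bootkit keeps the machine booting). On a live Windows host the current sector is read with administrator rights from \\.\PhysicalDrive0; on a forensic image it is the first 512 bytes of the image.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 are boot code
DISK_SIG_OFF = 0x1B8         # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE        # 0x55 0xAA
PART_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Decode the fields of one 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype:                                # type 0 is an empty slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {
        "valid_signature": sector[SIGNATURE_OFF:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
        # Type 0xEE is the GPT protective entry: on UEFI disks firmware ignores the boot code.
        "gpt_protective": any(p["type"] == 0xEE for p in parts),
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Differences between a known-good sector 0 and the one read now."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("0x55AA signature missing")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code changed")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sector(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a sector for the constructed samples below."""
    assert len(boot_code) <= BOOT_CODE_LEN
    sec = bytearray(SECTOR)
    sec[:len(boot_code)] = boot_code
    struct.pack_into("<I", sec, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, start, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, sec, PART_TABLE_OFF + 16 * i, status, ptype, start, count)
    sec[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sec)


# Constructed stand-ins, not real disk images: one bootable NTFS partition at LBA 2048.
LAYOUT = [(0x80, 0x07, 2048, 1_000_000)]
KNOWN_GOOD = build_sector(b"\xfa\xf4\xeb\xfd", 0x1234ABCD, LAYOUT)                  # cli; hlt; jmp $
INFECTED = build_sector(b"\xfa\xbc\x00\x7c" + b"\x90" * 32, 0x1234ABCD, LAYOUT)     # new code, same table

if __name__ == "__main__":
    print(parse_mbr(KNOWN_GOOD))
    print(compare_mbr(KNOWN_GOOD, INFECTED))
```

A hash of the boot-code bytes, not of the whole sector, is what to baseline: the disk signature and partition table legitimately change when volumes are resized, while the 440 bytes of boot code should never change on a running system.
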
Processes

  • C:\Users\Admin\AppData\Local\Temp\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
    "C:\Users\Admin\AppData\Local\Temp\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1384
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      • Sets DLL path for service in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:2256
    • C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:1972
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:724
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:4968
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"
    1⤵
      PID:4620
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\SysWOW64\主动防御服务模块.exe
        C:\Windows\system32\主动防御服务模块.exe "c:\windows\system32\240611343.txt",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:228
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4856
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4020
      • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
        "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          C:\Users\Admin\AppData\Local\Temp\\svchost.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1584
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2508
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 2 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:980
        • C:\Users\Admin\AppData\Local\Temp\svchos.exe
          C:\Users\Admin\AppData\Local\Temp\\svchos.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4652
        • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
          C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
          2⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:3940
      • C:\Windows\SysWOW64\TXPlatforn.exe
        C:\Windows\SysWOW64\TXPlatforn.exe -auto
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4852
        • C:\Windows\SysWOW64\TXPlatforn.exe
          C:\Windows\SysWOW64\TXPlatforn.exe -acsi
          2⤵
          • Executes dropped EXE
          PID:3016
      • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
        "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          C:\Users\Admin\AppData\Local\Temp\\svchost.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:180
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 2 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:4632
        • C:\Users\Admin\AppData\Local\Temp\svchos.exe
          C:\Users\Admin\AppData\Local\Temp\\svchos.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4372
        • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
          C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
          2⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of SetWindowsHookEx
          PID:4240
      • C:\Windows\SysWOW64\TXPlatforn.exe
        C:\Windows\SysWOW64\TXPlatforn.exe -auto
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\SysWOW64\TXPlatforn.exe
          C:\Windows\SysWOW64\TXPlatforn.exe -acsi
          2⤵
          • Executes dropped EXE
          PID:2452
      • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
        "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          C:\Users\Admin\AppData\Local\Temp\\svchost.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4640
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
            3⤵
              PID:1708
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 2 127.0.0.1
                4⤵
                • Runs ping.exe
                PID:1896
          • C:\Users\Admin\AppData\Local\Temp\svchos.exe
            C:\Users\Admin\AppData\Local\Temp\\svchos.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2728
          • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
            C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
            2⤵
            • Executes dropped EXE
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of SetWindowsHookEx
            PID:4368
        • C:\Windows\SysWOW64\TXPlatforn.exe
          C:\Windows\SysWOW64\TXPlatforn.exe -auto
          1⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Windows\SysWOW64\TXPlatforn.exe
            C:\Windows\SysWOW64\TXPlatforn.exe -acsi
            2⤵
            • Executes dropped EXE
            PID:3040
        • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
          "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:2008
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            C:\Users\Admin\AppData\Local\Temp\\svchost.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:4908
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
              3⤵
                PID:4632
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 2 127.0.0.1
                  4⤵
                  • Runs ping.exe
                  PID:5432
            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1620
            • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              2⤵
              • Executes dropped EXE
              PID:5484
          • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
            "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
            1⤵
            • Suspicious use of SetWindowsHookEx
            PID:2652
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              C:\Users\Admin\AppData\Local\Temp\\svchost.exe
              2⤵
              • Executes dropped EXE
              PID:3944
            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1184
            • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              2⤵
              • Executes dropped EXE
              PID:5828
          • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
            "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
            1⤵
            • Suspicious use of SetWindowsHookEx
            PID:4292
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              C:\Users\Admin\AppData\Local\Temp\\svchost.exe
              2⤵
              • Executes dropped EXE
              PID:1936
            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:5084
            • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              2⤵
              • Executes dropped EXE
              PID:5768
          • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
            "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
            1⤵
            • Suspicious use of SetWindowsHookEx
            PID:376
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              C:\Users\Admin\AppData\Local\Temp\\svchost.exe
              2⤵
              • Executes dropped EXE
              PID:2256
            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2268
            • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              2⤵
              • Executes dropped EXE
              PID:5808
          • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
            "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
            1⤵
            • Suspicious use of SetWindowsHookEx
            PID:3424
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              C:\Users\Admin\AppData\Local\Temp\\svchost.exe
              2⤵
              • Executes dropped EXE
              PID:3436
            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:3856
            • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              2⤵
              • Executes dropped EXE
              PID:5540
          • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
            "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
            1⤵
            • Suspicious use of SetWindowsHookEx
            PID:1372
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              C:\Users\Admin\AppData\Local\Temp\\svchost.exe
              2⤵
              • Executes dropped EXE
              PID:4568
            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
              2⤵
              • Executes dropped EXE
              PID:5852
            • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              2⤵
              • Writes to the Master Boot Record (MBR)
              PID:2392
          • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
            "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
            1⤵
            • Suspicious use of SetWindowsHookEx
            PID:4432
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              C:\Users\Admin\AppData\Local\Temp\\svchost.exe
              2⤵
              • Executes dropped EXE
              PID:1572
            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
              2⤵
              • Executes dropped EXE
              PID:5532
            • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              2⤵
                PID:5380
            • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
              1⤵
              • Suspicious use of SetWindowsHookEx
              PID:3120
              • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                2⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:5096
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
                  3⤵
                    PID:5404
                    • C:\Windows\SysWOW64\PING.EXE
                      ping -n 2 127.0.0.1
                      4⤵
                      • Runs ping.exe
                      PID:5940
                • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                  2⤵
                    PID:5672
                  • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                    C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                    2⤵
                      PID:6492
                  • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                    "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                    1⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:3688
                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                      2⤵
                      • Executes dropped EXE
                      PID:5352
                    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                      2⤵
                        PID:1980
                      • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                        C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                        2⤵
                          PID:6284
                      • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                        "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                        1⤵
                        • Suspicious use of SetWindowsHookEx
                        PID:4296
                        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                          C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                          2⤵
                          • Executes dropped EXE
                          PID:5208
                        • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                          C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                          2⤵
                          • Executes dropped EXE
                          PID:5888
                        • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                          C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                          2⤵
                            PID:60
                        • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                          "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                          1⤵
                          • Suspicious use of SetWindowsHookEx
                          PID:2608
                          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                            C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                            2⤵
                            • Executes dropped EXE
                            PID:5184
                          • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                            C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                            2⤵
                            • Executes dropped EXE
                            PID:6132
                          • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                            C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                            2⤵
                              PID:5484
                          • C:\Windows\SysWOW64\TXPlatforn.exe
                            C:\Windows\SysWOW64\TXPlatforn.exe -auto
                            1⤵
                            • Executes dropped EXE
                            PID:4164
                            • C:\Windows\SysWOW64\TXPlatforn.exe
                              C:\Windows\SysWOW64\TXPlatforn.exe -acsi
                              2⤵
                              • Executes dropped EXE
                              PID:3884
                          • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                            "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                            1⤵
                            • Suspicious use of SetWindowsHookEx
                            PID:3520
                            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                              C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:5216
                            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                              2⤵
                              • Executes dropped EXE
                              PID:5880
                            • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                              C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                              2⤵
                                PID:4024
                            • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                              "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                              1⤵
                              • Suspicious use of SetWindowsHookEx
                              PID:1460
                              • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                2⤵
                                • Executes dropped EXE
                                PID:5200
                              • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                2⤵
                                • Executes dropped EXE
                                PID:3436
                              • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                2⤵
                                  PID:6020
                              • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                1⤵
                                • Suspicious use of SetWindowsHookEx
                                PID:4704
                                • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                  2⤵
                                  • Executes dropped EXE
                                  PID:5192
                                • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                  2⤵
                                  • Executes dropped EXE
                                  PID:5152
                                • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                  C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                  2⤵
                                    PID:2728
                                • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                  1⤵
                                    PID:1892
                                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                      2⤵
                                        PID:5972
                                      • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                        C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                        2⤵
                                          PID:6552
                                        • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:376
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:1288
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:5996
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:4620
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:6648
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  • Suspicious use of SetWindowsHookEx
  PID:32
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:5948
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:6172
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:6916
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:4852
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:5980
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:6992
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:4256
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  • Suspicious use of SetWindowsHookEx
  PID:180
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:5736
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:1652
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:5096
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:3660
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:5940
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:6164
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:5916
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:4908
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:5988
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:5296
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:6840
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:5172
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:5956
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:6180
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:3436
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:5272
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      PID:6012
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:6148
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:6764
• C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -auto
  1⤵
  • Executes dropped EXE
  PID:5284
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      PID:5084
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:5304
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      PID:2792
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:6480
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:6820
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:5384
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:6004
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
          3⤵
          PID:6440
            • C:\Windows\System32\Conhost.exe
              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              4⤵
              PID:5768
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 2 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:6012
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:6448
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      • Writes to the Master Boot Record (MBR)
      PID:7012
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:5472
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      PID:4084
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:6664
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:6932
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:5504
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      PID:3056
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:6688
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:5988
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:5572
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      PID:5856
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:6656
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:5804
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:5616
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      PID:5892
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:7020
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:6604
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:5636
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      PID:1832
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:6700
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:2944
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:5684
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      PID:5424
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                                                                                                                                      2⤵
                                                                                                                                                        PID:6728
                                                                                                                                                      • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                        C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                        2⤵
                                                                                                                                                          PID:4224
                                                                                                                                                      • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                        "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                                                                                                                                        1⤵
                                                                                                                                                          PID:5704
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                                                                                                                                            2⤵
                                                                                                                                                              PID:4308
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                                                                                                                                              2⤵
                                                                                                                                                                PID:7004
                                                                                                                                                              • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:2652
                                                                                                                                                              • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:5716
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:6300
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:6016
                                                                                                                                                                      • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                        C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:6364
                                                                                                                                                                      • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                        "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:5784
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:4896
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:5796
                                                                                                                                                                              • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:3932
                                                                                                                                                                              • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:5840
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:1616
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:6740
                                                                                                                                                                                      • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                        C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:6368
                                                                                                                                                                                      • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                        "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                                                                                                                                                                        1⤵
                                                                                                                                                                                          PID:5868
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:5152
                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:6900
                                                                                                                                                                                              • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:6412
                                                                                                                                                                                              • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                                                                                                                                                                                1⤵
                                                                                                                                                                                                  PID:5896
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:4356
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:6720
                                                                                                                                                                                                      • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                        C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:6000
                                                                                                                                                                                                      • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                        "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                          PID:5928
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:6036
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:1400
                                                                                                                                                                                                              • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:6408
                                                                                                                                                                                                              • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                  PID:5964
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:5628
• C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  2⤵
    PID:6316
• C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  2⤵
    PID:6332
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
    PID:6056
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
        PID:2304
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
        PID:1372
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
        PID:7084
    • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
      1⤵
        PID:6068
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          C:\Users\Admin\AppData\Local\Temp\\svchost.exe
          2⤵
            PID:6292
        • C:\Users\Admin\AppData\Local\Temp\svchos.exe
          C:\Users\Admin\AppData\Local\Temp\\svchos.exe
          2⤵
            PID:6416
        • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
          C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
          2⤵
            PID:5816
        • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
          "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
          1⤵
            PID:6088
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              C:\Users\Admin\AppData\Local\Temp\\svchost.exe
              2⤵
                PID:5780
            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
              2⤵
                PID:5412
            • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              2⤵
                PID:6876
            • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
              "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
              1⤵
                PID:6096
                • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                  2⤵
                    PID:6388
                • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                  2⤵
                    PID:6924
                • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                  C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                  2⤵
                    PID:6544
                • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                  1⤵
                    PID:3156
                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                      2⤵
                        PID:752
                    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                      2⤵
                        PID:6456
                    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                      2⤵
                        PID:6852
                    • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                      "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                      1⤵
                        PID:1932
                        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                          C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                          2⤵
                            PID:5816
                        • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                          C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                          2⤵
                            PID:6748
                        • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                          C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                          2⤵
                            PID:6344
                        • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                          "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                          1⤵
                            PID:3132
                            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                              C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                              2⤵
                                PID:6784
                            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                              2⤵
                                PID:6004
                            • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                              C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                              2⤵
                                PID:6196
                            • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                              "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                              1⤵
                                PID:856
                                • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                  2⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                    PID:6672
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                        PID:5736
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                          ping -n 2 127.0.0.1
                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                          • Runs ping.exe
                                                                                                                                                                                                                                                                                          PID:5352
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                        PID:1972
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                        C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                          PID:5228
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                        "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                          PID:4484
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:6808
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                PID:5448
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                                C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                  PID:7044
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                  PID:4536
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                      PID:6792
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                        PID:1936
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                                        C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                        • Writes to the Master Boot Record (MBR)
                                                                                                                                                                                                                                                                                                        PID:5380
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                        PID:5604
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                            PID:6796
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                              PID:5488
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                                              C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                PID:6600
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                PID:5312
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                    PID:6940
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\\svchos.exe
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                      PID:5184
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                        PID:6892
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:5764
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1652
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
          3⤵
          PID:6496
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 2 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:6976
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:5296
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:4308
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:900
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      PID:4524
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:6836
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:5256
• C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
  1⤵
  PID:4144
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      PID:3432
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      PID:6288
    • C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
      2⤵
      PID:6968
• C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -auto
  1⤵
  PID:5340
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      PID:6564
• C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -auto
  1⤵
  PID:6856
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      PID:6236
• C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -auto
  1⤵
  PID:2640
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      PID:6080
• C:\Users\Admin\AppData\Local\Temp\svchos.exe
  "C:\Users\Admin\AppData\Local\Temp\svchos.exe"
  1⤵
  PID:4896
• C:\Users\Admin\Desktop\svchos.exe
  "C:\Users\Admin\Desktop\svchos.exe"
  1⤵
  PID:6936

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Pre-OS Boot

1
T1542

Bootkit

                                                                                                                                                                                                                                                                                                                                                            1
                                                                                                                                                                                                                                                                                                                                                            T1542.003

                                                                                                                                                                                                                                                                                                                                                            Privilege Escalation

                                                                                                                                                                                                                                                                                                                                                            Boot or Logon Autostart Execution

                                                                                                                                                                                                                                                                                                                                                            2
                                                                                                                                                                                                                                                                                                                                                            T1547

                                                                                                                                                                                                                                                                                                                                                            Registry Run Keys / Startup Folder

                                                                                                                                                                                                                                                                                                                                                            2
                                                                                                                                                                                                                                                                                                                                                            T1547.001

                                                                                                                                                                                                                                                                                                                                                            Defense Evasion

                                                                                                                                                                                                                                                                                                                                                            Modify Registry

                                                                                                                                                                                                                                                                                                                                                            2
                                                                                                                                                                                                                                                                                                                                                            T1112

                                                                                                                                                                                                                                                                                                                                                            Pre-OS Boot

                                                                                                                                                                                                                                                                                                                                                            1
                                                                                                                                                                                                                                                                                                                                                            T1542

                                                                                                                                                                                                                                                                                                                                                            Bootkit

                                                                                                                                                                                                                                                                                                                                                            1
                                                                                                                                                                                                                                                                                                                                                            T1542.003

                                                                                                                                                                                                                                                                                                                                                            Discovery

                                                                                                                                                                                                                                                                                                                                                            Query Registry

                                                                                                                                                                                                                                                                                                                                                            2
                                                                                                                                                                                                                                                                                                                                                            T1012

                                                                                                                                                                                                                                                                                                                                                            System Information Discovery

                                                                                                                                                                                                                                                                                                                                                            2
                                                                                                                                                                                                                                                                                                                                                            T1082

                                                                                                                                                                                                                                                                                                                                                            Peripheral Device Discovery

                                                                                                                                                                                                                                                                                                                                                            1
                                                                                                                                                                                                                                                                                                                                                            T1120

                                                                                                                                                                                                                                                                                                                                                            Remote System Discovery

                                                                                                                                                                                                                                                                                                                                                            1
                                                                                                                                                                                                                                                                                                                                                            T1018


Downloads

• C:\Users\Admin\AppData\Local\Temp\HD_X.dat
  Filesize: 1.7MB
  MD5:      52250986e17600054933532922dd92f4
  SHA1:     919f0ba79e00f62903bad25420898b104121119d
  SHA256:   56100ecfdacc8d3354cfe80c3e68db4eabf9e582189ac6a3c7a8fffaf245188f
  SHA512:   eb85b98c3f20c1a225acaa7265ba6148146a23da0b73b3e5a0aeb5057a13f24187e3c48f38743cf8c9a294aff48e79318c982e3539189970f2adaac334a4193d

• C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
  Filesize: 1.3MB
  MD5:      0180d6e451c4b289bcc4d8be163bd9ad
  SHA1:     3f288c137b7d142db11180d2822fe680fdfe85fd
  SHA256:   1a9b3c81a7598f942e9c030bd452bac5a97c7ca528e5f575442a55cf836f02ef
  SHA512:   8fa31cc994b598e2f555341a3b8942d99fee92c9b10f955f9ff13c1a4ab8adec126a9d5fd8103d703171d532725a72ca91cc788dd22d3e77d6e7ab7e54e2ab4c

• C:\Users\Admin\AppData\Local\Temp\svchos.exe
  Filesize: 93KB
  MD5:      3b377ad877a942ec9f60ea285f7119a2
  SHA1:     60b23987b20d913982f723ab375eef50fafa6c70
  SHA256:   62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
  SHA512:   af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

• C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 377KB
  MD5:      a4329177954d4104005bce3020e5ef59
  SHA1:     23c29e295e2dbb8454012d619ca3f81e4c16e85a
  SHA256:   6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
  SHA512:   81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

• C:\Users\Admin\AppData\Roaming\JianDeskData\config.ini
  Filesize: 59B
  MD5:      b3d02347bfac3cae60e7bcc4e4c9208c
  SHA1:     70a6d5704f5494a27495bd85c8c97cdd69cc8bb6

                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                              5794d2f55f3edd9b2a5923693a1b760d9775f8f171f9cd1c6a78da3888cdada3

                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                              f12a5df6cc60eae14cd2b9754e4b30605f119a1d1ab4d94e9ac9063ae5374474e45ece0084cf37b0b123bb173b7fc90e18e89e4edca290f1671a25e7442cf838

                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\JianDeskData\config.ini
                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                              53B

                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                              d5607aeae98eeff64e4fa5bae070f679

                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                              5772ca574c17b4526a4be72963f480b8acdaddaf

                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                              df91bb7b545c30afaaaea999339fd9d4de80cb6e402e59eaf0ba3725055ddb96

                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                              3ac0f29561e7c5d9c72d227b6797a4885799885f874e2ceb1dcd878053e266c0b4b7b233b42af8caac923ee8775fa5f821a960d29bae8836e64d8f60b4c665fc

                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\config.ini
                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                              68B

                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                              d118cba0b3c1117e83e08ea5fd4f3965

                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                              2b5a796f0be29bb6e0057e786a87e8bcc41f6ad1

                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                              a34382d15f0fb4c059748f4f41a3548b8f424370f81f791fc3faf86439aae312

                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                              4311192d53b2b92271ff6114744ffff69714fd3d4d759cb768cf27fe0499a591bc777861bafb35e3ec65210ba663eee26ea859e7d1220ad4aa5fadef8ce5a57f

                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\Desktop\config.ini
                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                              68B

                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                              9cf2a8f6b717cc415d5470157f90822b

                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                              a4e789cfc316db549855834de94f98d0258cf2fc

                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                              036ffb8f2e949d21d4e8077416df18566a2ea99fc84f3facb0c732ecc4aa68ce

                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                              df4bf06dd5f708400240e79a165ea1e7a9c3929fcb3183f0302dd07921116d4d4a7be49f336d271189fea37f2589b59e39fa16f9df392ca7fbadb88a102f244f

                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\240611343.txt
                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                              50KB

                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                              a97ae264d4cda16d906cb073f70e442f

                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                              a5e53fcc7cc87033ea383eccd731cf10e6635853

                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                              7e2648ce94ddabb85c6baf95ed763d905ad54745489a8b509fc65b3de64e3b80

                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                              29d6b287764edd3573e9666681e44443037e1dccb85aa9c4658387dd693be9a8828aa66cc2096064cdf5ffff5600c7a0f36097b608f390d831b5c63b020a7969

                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                              60KB

                                                                                                                                                                                                                                                                                                                                                              MD5

                                                                                                                                                                                                                                                                                                                                                              889b99c52a60dd49227c5e485a016679

                                                                                                                                                                                                                                                                                                                                                              SHA1

                                                                                                                                                                                                                                                                                                                                                              8fa889e456aa646a4d0a4349977430ce5fa5e2d7

                                                                                                                                                                                                                                                                                                                                                              SHA256

                                                                                                                                                                                                                                                                                                                                                              6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

                                                                                                                                                                                                                                                                                                                                                              SHA512

                                                                                                                                                                                                                                                                                                                                                              08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

                                                                                                                                                                                                                                                                                                                                                            • memory/724-13-0x0000000010000000-0x00000000101B6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                              1.7MB

                                                                                                                                                                                                                                                                                                                                                            • memory/724-27-0x0000000010000000-0x00000000101B6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                              1.7MB

                                                                                                                                                                                                                                                                                                                                                            • memory/724-15-0x0000000010000000-0x00000000101B6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                              1.7MB

                                                                                                                                                                                                                                                                                                                                                            • memory/724-18-0x0000000010000000-0x00000000101B6000-memory.dmp
                                                                                                                                                                                                                                                                                                                                                              Filesize

                                                                                                                                                                                                                                                                                                                                                              1.7MB

                                                                                                                                                                                                                                                                                                                                                            • memory/724-16-0x0000000010000000-0x00000000101B6000-memory.dmp
Filesize 1.7MB

• memory/2000-164-0x0000000000400000-0x00000000005D1000-memory.dmp, Filesize 1.8MB

• memory/4260-7-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize 1.7MB

• memory/4260-10-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize 1.7MB

• memory/4260-6-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize 1.7MB

• memory/4260-4-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize 1.7MB

• memory/4856-114-0x000001281EC60000-0x000001281EC61000-memory.dmp, Filesize 4KB

• memory/4856-111-0x000001281EC60000-0x000001281EC61000-memory.dmp, Filesize 4KB

• memory/4856-106-0x000001281EC60000-0x000001281EC61000-memory.dmp, Filesize 4KB

• memory/4856-105-0x000001281EC60000-0x000001281EC61000-memory.dmp, Filesize 4KB

• memory/4856-104-0x000001281EC60000-0x000001281EC61000-memory.dmp, Filesize 4KB

• memory/4856-116-0x000001281EC60000-0x000001281EC61000-memory.dmp, Filesize 4KB

• memory/4856-115-0x000001281EC60000-0x000001281EC61000-memory.dmp, Filesize 4KB

• memory/4856-110-0x000001281EC60000-0x000001281EC61000-memory.dmp, Filesize 4KB

• memory/4856-113-0x000001281EC60000-0x000001281EC61000-memory.dmp, Filesize 4KB

• memory/4856-112-0x000001281EC60000-0x000001281EC61000-memory.dmp, Filesize 4KB

• memory/4968-46-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize 1.7MB

• memory/4968-53-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize 1.7MB

• memory/4968-40-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize 1.7MB

• memory/4968-42-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize 1.7MB

• memory/4968-39-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize 1.7MB

• memory/4968-35-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize 1.7MB