Analysis Overview
SHA256
a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b
Threat Level: Known bad
The file a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b was found to be: Known bad.
Malicious Activity Summary
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Drops file in Drivers directory
Sets DLL path for service in the registry
Sets service image path in registry
Loads dropped DLL
Executes dropped EXE
UPX packed file
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: LoadsDriver
Checks SCSI registry key(s)
Runs ping.exe
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-30 15:23
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 15:23
Reported
2024-05-30 15:25
Platform
win10v2004-20240508-en
Max time kernel
95s
Max time network
95s
Command Line
Signatures
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240611343.txt" | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | N/A |
UPX packed file
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\240611343.txt | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\svchos.exe | N/A |
| File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
| File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\shell\整理桌面\command | C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\整理桌面\command\ = "\\JDeskTray.exe --from=rmenu" | C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk | C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk\ = "映射该文件夹到桌面" | C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\shell\整理桌面 | C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\整理桌面\Position = "Top" | C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk\Icon = "\\Utils\\mirror.ico" | C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk\command | C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\jiandesk\command\ = "\\DeskAide64.exe --from=rmenu --mirrorPath=\"%1\"" | C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\整理桌面\Icon = "\\Utils\\Install.ico" | C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\TXPlatforn.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\AppData\Local\Temp\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240611343.txt",MainThread
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
"C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe"
| Process | Command Line |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe" |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | "C:\Users\Admin\Desktop\a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe" |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -acsi |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -auto |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -acsi |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -auto |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Local\Temp\\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -acsi |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -auto |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | C:\Users\Admin\AppData\Local\Temp\\svchos.exe |
| C:\Windows\SysWOW64\TXPlatforn.exe | C:\Windows\SysWOW64\TXPlatforn.exe -acsi |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe | C:\Users\Admin\Desktop\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1 |
| C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1 |
| C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1 |
| C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1 |
| C:\Windows\SysWOW64\PING.EXE | ping -n 2 127.0.0.1 |
| C:\Users\Admin\AppData\Local\Temp\svchos.exe | "C:\Users\Admin\AppData\Local\Temp\svchos.exe" |
| C:\Users\Admin\Desktop\svchos.exe | "C:\Users\Admin\Desktop\svchos.exe" |
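Three things in the process list above are what a detection engineer would key on: a binary called svchost.exe running from %TEMP% instead of System32/SysWOW64, one-letter look-alikes of well-known names (svchos.exe, TXPlatforn.exe), and the `cmd /c ping -n 2 127.0.0.1 > nul && del ...` idiom, where ping serves as a sleep before the dropper deletes itself. The Python below is an added example written for this page; it is not part of the sandbox report or of any vendor's code. It runs those checks over (image, command line) pairs copied from the list. The list of system binaries and the impersonation target TXPlatform.exe (inferred from the name TXPlatforn.exe, not stated in the report) are the example's own assumptions, and `fix_mojibake` undoes the GBK-as-Latin-1 rendering visible in the Files section so a Chinese-named dropped binary is compared by its real name.

```python
import re
from typing import List, Optional, Tuple

# Windows system binaries that legitimately live only under System32/SysWOW64.
SYSTEM_BINARIES = {"svchost.exe", "conhost.exe"}

# Names that malware imitates with a one-letter change. TXPlatform.exe (Tencent
# QQ) is an assumption inferred from the report's "TXPlatforn.exe"; the report
# itself does not name the impersonated binary.
LOOKALIKE_TARGETS = SYSTEM_BINARIES | {"txplatform.exe"}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# cmd /c ping -n <N> 127.0.0.1 > nul && del [/switches] <path>
SELF_DELETE_RE = re.compile(
    r'ping\s+-n\s+(\d+)\s+127\.0\.0\.1.*?&&\s*del\s+(?:/\w\s+)*(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fix_mojibake(name: str) -> str:
    """Undo a GBK-encoded name rendered as Latin-1 (how an English-locale sandbox
    shows a Chinese file name). Returns the input unchanged if it does not decode."""
    try:
        return name.encode("latin-1").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return name


def classify_image(image_path: str) -> Optional[str]:
    """Flag a system-binary name outside the system directories, or a name that is
    one edit away from a commonly impersonated binary."""
    path = image_path.lower()
    name = path.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES:
        if any(path.startswith(d) for d in SYSTEM_DIRS):
            return None
        return f"masquerade: {name} outside System32/SysWOW64"
    for target in sorted(LOOKALIKE_TARGETS):
        if edit_distance(name, target) == 1:
            return f"typosquat: {name} resembles {target}"
    return None


def parse_self_delete(cmdline: str) -> Optional[Tuple[int, str]]:
    """Return (ping count used as a delay, deleted path) for the ping-then-del
    self-deletion idiom, or None if the command line does not use it."""
    m = SELF_DELETE_RE.search(cmdline)
    if not m:
        return None
    return int(m.group(1)), (m.group(2) or m.group(3))


def analyze(processes: List[Tuple[str, str]]) -> List[str]:
    """Run both checks over (image, command line) pairs; one finding per hit."""
    findings = []
    for image, cmdline in processes:
        verdict = classify_image(fix_mojibake(image))
        if verdict:
            findings.append(verdict)
        sd = parse_self_delete(cmdline)
        if sd:
            findings.append(f"self-delete after {sd[0]} pings: {sd[1]}")
    return findings


# (image, command line) pairs taken from the process list above.
SAMPLE_PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\svchos.exe", r"C:\Users\Admin\AppData\Local\Temp\\svchos.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\svchost.exe", r"C:\Users\Admin\AppData\Local\Temp\\svchost.exe"),
    (r"C:\Windows\SysWOW64\TXPlatforn.exe", r"C:\Windows\SysWOW64\TXPlatforn.exe -acsi"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul"),
    (r"C:\Windows\System32\Conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Windows\SysWOW64\PING.EXE", "ping -n 2 127.0.0.1"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PROCESSES):
        print(finding)
```

The genuine conhost.exe and PING.EXE rows produce no finding, which is the point of checking location and spelling together rather than alerting on the name alone.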
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | s.ludashi.com | udp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
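In the Network table, hackerinvasion.f3322.net is queried over DNS nineteen times and never appears as a TCP destination, while s.ludashi.com resolves and is contacted repeatedly on 47.117.76.201:80. Separating resolution attempts from actual connections is how you spot a C2 host that did not resolve (or was sinkholed) during detonation. The script below is an added example for this page, not part of the report; it parses a subset of the rows above, drops reverse-lookup (in-addr.arpa) noise, and flags domains that are queried repeatedly but never connected to, as well as hostnames under dynamic-DNS suffixes. The suffix list is the example's own assumption from general knowledge of DDNS providers; the report does not label f3322.net as such.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Rows copied from the Network table above (a subset, same column layout).
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | s.ludashi.com | udp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
| CN | 47.117.76.201:80 | s.ludashi.com | tcp |
| US | 8.8.8.8:53 | hackerinvasion.f3322.net | udp |
"""

# Dynamic-DNS suffixes worth flagging. Assumption: listed from general knowledge
# of DDNS providers, not from anything stated in the report.
DDNS_SUFFIXES = (".f3322.net", ".3322.org")

ROW_RE = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(\w+)\s*\|$")


def parse_rows(text: str) -> List[dict]:
    """Turn the report's pipe-delimited rows into dicts; skips malformed lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain.lower(), "proto": proto.lower()})
    return rows


def summarize(rows: List[dict]) -> Dict[str, dict]:
    """Per domain: DNS query count, TCP connection count and contacted IPs.
    Reverse lookups (in-addr.arpa) are dropped as resolver/sandbox noise."""
    summary: Dict[str, dict] = defaultdict(lambda: {"dns": 0, "tcp": 0, "ips": set()})
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            continue
        entry = summary[r["domain"]]
        if r["proto"] == "udp" and r["port"] == 53:
            entry["dns"] += 1
        elif r["proto"] == "tcp":
            entry["tcp"] += 1
            entry["ips"].add(r["ip"])
    return dict(summary)


def findings(summary: Dict[str, dict], min_queries: int = 3) -> List[str]:
    """Repeated resolution with no follow-up connection, and DDNS hostnames."""
    out = []
    for domain in sorted(summary):
        e = summary[domain]
        if e["dns"] >= min_queries and e["tcp"] == 0:
            out.append(f"{domain}: {e['dns']} DNS queries, no connection "
                       f"(C2 likely unreachable or unresolved)")
        if domain.endswith(DDNS_SUFFIXES):
            out.append(f"{domain}: dynamic-DNS hostname")
    return out


if __name__ == "__main__":
    for line in findings(summarize(parse_rows(NETWORK_ROWS))):
        print(line)
```

Lower `min_queries` when the detonation is short; here the full table gives the C2 host nineteen queries against zero connections, which clears any sensible threshold.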
Files
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | a4329177954d4104005bce3020e5ef59 |
| SHA1 | 23c29e295e2dbb8454012d619ca3f81e4c16e85a |
| SHA256 | 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd |
| SHA512 | 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208 |
memory/4260-4-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4260-6-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4260-10-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4260-7-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/724-13-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/724-16-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/724-18-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchos.exe
| MD5 | 3b377ad877a942ec9f60ea285f7119a2 |
| SHA1 | 60b23987b20d913982f723ab375eef50fafa6c70 |
| SHA256 | 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84 |
| SHA512 | af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f |
C:\Windows\SysWOW64\240611343.txt
| MD5 | a97ae264d4cda16d906cb073f70e442f |
| SHA1 | a5e53fcc7cc87033ea383eccd731cf10e6635853 |
| SHA256 | 7e2648ce94ddabb85c6baf95ed763d905ad54745489a8b509fc65b3de64e3b80 |
| SHA512 | 29d6b287764edd3573e9666681e44443037e1dccb85aa9c4658387dd693be9a8828aa66cc2096064cdf5ffff5600c7a0f36097b608f390d831b5c63b020a7969 |
memory/4968-35-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/724-27-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/724-15-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4968-39-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_a01e216ae8c659d32c22d165009d85c0daee2a9895983736369f8f0aef2f358b.exe
| MD5 | 0180d6e451c4b289bcc4d8be163bd9ad |
| SHA1 | 3f288c137b7d142db11180d2822fe680fdfe85fd |
| SHA256 | 1a9b3c81a7598f942e9c030bd452bac5a97c7ca528e5f575442a55cf836f02ef |
| SHA512 | 8fa31cc994b598e2f555341a3b8942d99fee92c9b10f955f9ff13c1a4ab8adec126a9d5fd8103d703171d532725a72ca91cc788dd22d3e77d6e7ab7e54e2ab4c |
memory/4968-42-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4968-40-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Roaming\JianDeskData\config.ini
| MD5 | d5607aeae98eeff64e4fa5bae070f679 |
| SHA1 | 5772ca574c17b4526a4be72963f480b8acdaddaf |
| SHA256 | df91bb7b545c30afaaaea999339fd9d4de80cb6e402e59eaf0ba3725055ddb96 |
| SHA512 | 3ac0f29561e7c5d9c72d227b6797a4885799885f874e2ceb1dcd878053e266c0b4b7b233b42af8caac923ee8775fa5f821a960d29bae8836e64d8f60b4c665fc |
memory/4968-53-0x0000000010000000-0x00000000101B6000-memory.dmp
memory/4968-46-0x0000000010000000-0x00000000101B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 52250986e17600054933532922dd92f4 |
| SHA1 | 919f0ba79e00f62903bad25420898b104121119d |
| SHA256 | 56100ecfdacc8d3354cfe80c3e68db4eabf9e582189ac6a3c7a8fffaf245188f |
| SHA512 | eb85b98c3f20c1a225acaa7265ba6148146a23da0b73b3e5a0aeb5057a13f24187e3c48f38743cf8c9a294aff48e79318c982e3539189970f2adaac334a4193d |
C:\Windows\SysWOW64\主动防御服务模块.exe (logged as Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe: the GBK-encoded name rendered as Latin-1)
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |
memory/4856-106-0x000001281EC60000-0x000001281EC61000-memory.dmp
memory/4856-105-0x000001281EC60000-0x000001281EC61000-memory.dmp
memory/4856-104-0x000001281EC60000-0x000001281EC61000-memory.dmp
memory/4856-116-0x000001281EC60000-0x000001281EC61000-memory.dmp
memory/4856-115-0x000001281EC60000-0x000001281EC61000-memory.dmp
memory/4856-114-0x000001281EC60000-0x000001281EC61000-memory.dmp
memory/4856-113-0x000001281EC60000-0x000001281EC61000-memory.dmp
memory/4856-112-0x000001281EC60000-0x000001281EC61000-memory.dmp
memory/4856-111-0x000001281EC60000-0x000001281EC61000-memory.dmp
memory/4856-110-0x000001281EC60000-0x000001281EC61000-memory.dmp
C:\Users\Admin\AppData\Roaming\JianDeskData\config.ini
| MD5 | b3d02347bfac3cae60e7bcc4e4c9208c |
| SHA1 | 70a6d5704f5494a27495bd85c8c97cdd69cc8bb6 |
| SHA256 | 5794d2f55f3edd9b2a5923693a1b760d9775f8f171f9cd1c6a78da3888cdada3 |
| SHA512 | f12a5df6cc60eae14cd2b9754e4b30605f119a1d1ab4d94e9ac9063ae5374474e45ece0084cf37b0b123bb173b7fc90e18e89e4edca290f1671a25e7442cf838 |
memory/2000-164-0x0000000000400000-0x00000000005D1000-memory.dmp
C:\Users\Admin\Desktop\config.ini
| MD5 | d118cba0b3c1117e83e08ea5fd4f3965 |
| SHA1 | 2b5a796f0be29bb6e0057e786a87e8bcc41f6ad1 |
| SHA256 | a34382d15f0fb4c059748f4f41a3548b8f424370f81f791fc3faf86439aae312 |
| SHA512 | 4311192d53b2b92271ff6114744ffff69714fd3d4d759cb768cf27fe0499a591bc777861bafb35e3ec65210ba663eee26ea859e7d1220ad4aa5fadef8ce5a57f |
C:\Users\Admin\Desktop\config.ini
| MD5 | 9cf2a8f6b717cc415d5470157f90822b |
| SHA1 | a4e789cfc316db549855834de94f98d0258cf2fc |
| SHA256 | 036ffb8f2e949d21d4e8077416df18566a2ea99fc84f3facb0c732ecc4aa68ce |
| SHA512 | df4bf06dd5f708400240e79a165ea1e7a9c3929fcb3183f0302dd07921116d4d4a7be49f336d271189fea37f2589b59e39fa16f9df392ca7fbadb88a102f244f |