General Info

File name

[email protected]_298479.exe.zip

Full analysis
https://app.any.run/tasks/da9582fc-2fbc-4bcc-8fcd-924a3881d4a8
Verdict
Malicious activity
Analysis date
9/11/2019, 08:32:40
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

loader

adware

evasion

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

ab4f2dac6c7279bc4b3aea0cdb97dd4f

SHA1

0eb692a3da47e7d98033cecbba91ac6e819c3c28

SHA256

213a631c5957c335b0aa1af6dd5060874091fcded971f4b8a4a6145ecadc2f68

SSDEEP

24576:IGoodAGp2dx46VF7JNdfQGFqE80+VW6Zp6aLTYSUY7xe9ocsij7sDl6EIrDWjm9Z:GoyNIeZ9BoVVJr6aLTJUSxeycsy0AmOr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • K8Update.exe (PID: 3288)
  • LdsHelper.exe (PID: 2992)
  • RegSvr32.exe (PID: 3328)
  • TBSWebRenderer.exe (PID: 2244)
  • LDSGameHall.exe (PID: 1400)
  • explorer.exe (PID: 276)
  • RegSvr32.exe (PID: 3080)
  • regsvr32.exe (PID: 3176)
  • regsvr32.exe (PID: 2236)
  • regsvr32.exe (PID: 1520)
  • TenioDL.exe (PID: 2724)
  • svchost.exe (PID: 852)
  • TenioDL.exe (PID: 2452)
  • update.exe (PID: 2556)
  • SoftMgrInst.exe (PID: 3184)
  • ldsgamemaster.exe (PID: 2800)
  • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
  • K8GM.exe (PID: 2176)
  • kuai8_c200032_s1_p1.exe (PID: 2696)
  • BirdHelper.exe (PID: 2956)
  • GameDownload.exe (PID: 796)
  • K8Web.exe (PID: 3616)
  • AppMarket.exe (PID: 3720)
  • LDSGameMasterInstRoad_212501.exe (PID: 2744)
  • K8Update.exe (PID: 756)
  • K8Update.exe (PID: 3852)
  • QMEmulatorService.exe (PID: 2736)
  • GameMasterHelper.exe (PID: 3224)
  • K8Bubble.exe (PID: 2444)
  • Tinst.exe (PID: 3952)
  • K8GM.exe (PID: 3428)
Registers / Runs the DLL via REGSVR32.EXE
  • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
  • ldsgamemaster.exe (PID: 2800)
  • kuai8_c200032_s1_p1.exe (PID: 2696)
Application was dropped or rewritten from another process
  • GameDownload.exe (PID: 796)
  • [email protected]_298479.exe (PID: 1632)
  • TenioDL.exe (PID: 2452)
  • GameMasterHelper.exe (PID: 3224)
  • K8GM.exe (PID: 2176)
  • LdsHelper.exe (PID: 2992)
  • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
  • kuai8_c200032_s1_p1.exe (PID: 2696)
  • update.exe (PID: 2556)
  • K8GM.exe (PID: 3428)
  • TenioDL.exe (PID: 2724)
  • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
  • TBSWebRenderer.exe (PID: 2244)
  • SoftMgrInst.exe (PID: 3184)
  • BirdHelper.exe (PID: 2956)
  • LDSGameHall.exe (PID: 1400)
  • ldsgamemaster.exe (PID: 2800)
  • K8Web.exe (PID: 3616)
  • AppMarket.exe (PID: 3720)
  • [email protected]_298479.exe (PID: 3756)
  • Tinst.exe (PID: 3952)
  • QMEmulatorService.exe (PID: 2736)
  • LDSGameMasterInstRoad_212501.exe (PID: 2744)
  • K8Update.exe (PID: 756)
  • K8Update.exe (PID: 3852)
  • [email protected]_298479.exe (PID: 2104)
  • K8Bubble.exe (PID: 2444)
  • [email protected]_298479.exe (PID: 3488)
  • [email protected]_298479.exe (PID: 3140)
  • K8Update.exe (PID: 3288)
Changes settings of System certificates
  • AppMarket.exe (PID: 3720)
  • ldsgamemaster.exe (PID: 2800)
Loads the Task Scheduler COM API
  • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
Connects to CnC server
  • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
Downloads executable files from the Internet Changes the autorun value in the registry
  • K8Bubble.exe (PID: 2444)
Adds new firewall rule via NETSH.EXE
  • Tinst.exe (PID: 3952)
Creates files in the user directory
  • TenioDL.exe (PID: 2724)
  • K8Web.exe (PID: 3616)
  • kuai8_c200032_s1_p1.exe (PID: 2696)
  • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
  • TenioDL.exe (PID: 2452)
  • ldsgamemaster.exe (PID: 2800)
  • K8GM.exe (PID: 2176)
  • LDSGameHall.exe (PID: 1400)
  • SoftMgrInst.exe (PID: 3184)
  • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
  • K8Update.exe (PID: 756)
  • Tinst.exe (PID: 3952)
  • K8GM.exe (PID: 3428)
  • BirdHelper.exe (PID: 2956)
  • [email protected]_298479.exe (PID: 3488)
  • AppMarket.exe (PID: 3720)
Creates files in the Windows directory
  • svchost.exe (PID: 852)
  • ldsgamemaster.exe (PID: 2800)
Uses NETSH.EXE for network configuration
  • cmd.exe (PID: 3708)
  • cmd.exe (PID: 4072)
  • cmd.exe (PID: 4008)
  • cmd.exe (PID: 3560)
  • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
  • Tinst.exe (PID: 3952)
  • cmd.exe (PID: 3588)
Executable content was dropped or overwritten
  • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
  • kuai8_c200032_s1_p1.exe (PID: 2696)
  • LDSGameHall.exe (PID: 1400)
  • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
  • LDSGameMasterInstRoad_212501.exe (PID: 2744)
  • [email protected]_298479.exe (PID: 3488)
  • Market.exe (PID: 3384)
  • ldsgamemaster.exe (PID: 2800)
  • Tinst.exe (PID: 3952)
Application launched itself Creates COM task schedule object
  • regsvr32.exe (PID: 3176)
  • regsvr32.exe (PID: 3132)
  • RegSvr32.exe (PID: 3328)
  • RegSvr32.exe (PID: 3080)
  • regsvr32.exe (PID: 2236)
  • regsvr32.exe (PID: 1520)
  • regsvr32.exe (PID: 3648)
Creates or modifies windows services
  • ldsgamemaster.exe (PID: 2800)
  • regsvr32.exe (PID: 3812)
Reads Internet Cache Settings
  • explorer.exe (PID: 276)
  • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
  • GameDownload.exe (PID: 796)
  • [email protected]_298479.exe (PID: 3488)
  • K8GM.exe (PID: 3428)
  • K8Web.exe (PID: 3616)
  • ldsgamemaster.exe (PID: 2800)
  • LDSGameMasterInstRoad_212501.exe (PID: 2744)
Changes IE settings (feature browser emulation)
  • kuai8_c200032_s1_p1.exe (PID: 2696)
  • LDSGameHall.exe (PID: 1400)
  • K8GM.exe (PID: 3428)
Low-level read access rights to disk partition
  • BirdHelper.exe (PID: 2956)
  • GameMasterHelper.exe (PID: 3224)
  • LdsHelper.exe (PID: 2992)
  • GameDownload.exe (PID: 796)
  • K8Update.exe (PID: 3288)
  • K8GM.exe (PID: 2176)
  • K8Update.exe (PID: 3852)
  • AppMarket.exe (PID: 3720)
  • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
  • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
  • ldsgamemaster.exe (PID: 2800)
  • K8Bubble.exe (PID: 2444)
  • K8Update.exe (PID: 756)
  • LDSGameMasterInstRoad_212501.exe (PID: 2744)
  • K8GM.exe (PID: 3428)
  • update.exe (PID: 2556)
  • LDSGameHall.exe (PID: 1400)
Adds / modifies Windows certificates
  • AppMarket.exe (PID: 3720)
  • ldsgamemaster.exe (PID: 2800)
Modifies the open verb of a shell class
  • LDSGameHall.exe (PID: 1400)
  • hnote.exe (PID: 3824)
  • Tinst.exe (PID: 3952)
Searches for installed software
  • ldsgamemaster.exe (PID: 2800)
Creates a software uninstall entry
  • HNInstall_Setup_3486648174_jk_001.exe (PID: 3344)
  • kuai8_c200032_s1_p1.exe (PID: 2696)
  • Tinst.exe (PID: 3952)
  • LDSGameHall.exe (PID: 1400)
Uses ICACLS.EXE to modify access control list
  • TenioDL.exe (PID: 2724)
Reads internet explorer settings
  • K8Web.exe (PID: 3616)
  • K8GM.exe (PID: 3428)
  • LDSGameHall.exe (PID: 1400)
Creates files in the program directory
  • AppMarket.exe (PID: 3720)
  • kuai8_c200032_s1_p1.exe (PID: 2696)
  • [email protected]_298479.exe (PID: 3488)
  • ldsgamemaster.exe (PID: 2800)
  • Tinst.exe (PID: 3952)
Starts CMD.EXE for commands execution
  • kuai8_c200032_s1_p1.exe (PID: 2696)
Executed as Windows Service
  • QMEmulatorService.exe (PID: 2736)
Dropped object may contain Bitcoin addresses
  • kuai8_c200032_s1_p1.exe (PID: 2696)
  • ldsgamemaster.exe (PID: 2800)
  • K8GM.exe (PID: 3428)
Reads settings of System Certificates
  • K8Web.exe (PID: 3616)
  • AppMarket.exe (PID: 3720)
  • K8GM.exe (PID: 3428)
  • GameDownload.exe (PID: 796)
  • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
  • explorer.exe (PID: 276)
Reads the hosts file
  • AppMarket.exe (PID: 3720)
  • GameDownload_hk_hj_syzs_500202007_jm.exe (PID: 2544)
  • GameDownload.exe (PID: 796)
Manual execution by user

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0009
ZipCompression:
Unknown (99)
ZipModifyDate:
1980:00:00 00:00:00
ZipCRC:
0x00000000
ZipCompressedSize:
1360201
ZipUncompressedSize:
2576384
ZipFileName:
a799857e7d44840d86bf1c4dff23db15e1c4be97fdd8a5a28071b1e1a062d85c

Screenshots

Processes

Total processes
132
Monitored processes
69
Malicious processes
28
Suspicious processes
4

Behavior graph

+
start download and start download and start download and start download and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start winrar.exe no specs [email protected]_298479.exe no specs [email protected]_298479.exe notepad.exe no specs ldsgamemasterinstroad_212501.exe ldsgamemaster.exe softmgrinst.exe [email protected]_298479.exe no specs gamemasterhelper.exe regsvr32.exe no specs regsvr32.exe no specs explorer.exe gamedownload_hk_hj_syzs_500202007_jm.exe svchost.exe ldsgamehall.exe teniodl.exe update.exe icacls.exe no specs market.exe tinst.exe qmemulatorservice.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs [email protected]_298479.exe no specs appmarket.exe tbswebrenderer.exe gamedownload.exe teniodl.exe kuai8_c200032_s1_p1.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs k8gm.exe netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs k8update.exe regsvr32.exe no specs regsvr32.exe no specs k8gm.exe k8bubble.exe [email protected]_298479.exe no specs k8update.exe k8update.exe k8web.exe birdhelper.exe regsvr32.exe no specs ldshelper.exe hninstall_setup_3486648174_jk_001.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs hnote.exe no specs notepaper.exe no specs regedit.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
852
CMD
C:\Windows\system32\svchost.exe -k netsvcs
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\gpsvc.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sysntfy.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\themeservice.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\profsvc.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\winsta.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\slc.dll
c:\windows\system32\sens.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\shsvcs.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\schedsvc.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\shell32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\authz.dll
c:\windows\system32\ubpm.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\credssp.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\fveapi.dll
c:\windows\system32\tbs.dll
c:\windows\system32\fvecerts.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\wiarpc.dll
c:\windows\system32\samlib.dll
c:\windows\system32\taskcomp.dll
c:\windows\system32\version.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\netjoin.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ikeext.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wbem\wmisvc.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\iphlpsvc.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sqmapi.dll
c:\windows\system32\wdscore.dll
c:\windows\system32\srvsvc.dll
c:\windows\system32\browser.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\sscore.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\resutils.dll
c:\windows\system32\samcli.dll
c:\windows\system32\nci.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\spinf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wbem\wbemcore.dll
c:\windows\system32\wbem\esscli.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\repdrvfs.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\wbem\wmiprvsd.dll
c:\windows\system32\ncobjapi.dll
c:\windows\system32\wbem\wbemess.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\sxs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\tschannel.dll
c:\windows\system32\wbem\ncprov.dll
c:\windows\system32\qmgr.dll
c:\windows\system32\bitsperf.dll
c:\windows\system32\bitsigd.dll
c:\windows\system32\upnp.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ssdpapi.dll
c:\windows\system32\wuaueng.dll
c:\windows\system32\esent.dll
c:\windows\system32\winspool.drv
c:\windows\system32\cabinet.dll
c:\windows\system32\mspatcha.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wmsgapi.dll
c:\windows\system32\wer.dll
c:\windows\system32\netcfgx.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\ndiscapcfg.dll
c:\windows\system32\rascfg.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\tcpipcfg.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\es.dll
c:\windows\system32\aelupsvc.dll
c:\windows\system32\windanr.exe
c:\users\admin\desktop\[email protected]_298479.exe
c:\windows\system32\appinfo.dll
c:\ldsgamemaster\softmgr\softmgrinst.exe
c:\ldsgamemaster\utils\gamemasterhelper.exe
c:\ldsgamemaster\gamememoryopt.dll
c:\ldsgamemaster\ldsgamehall\ldsgamehall.exe
c:\users\admin\appdata\roaming\tencent\txgameassistant\gamedownload\teniodl.exe
c:\windows\system32\mmcss.dll
c:\windows\system32\avrt.dll
c:\ldsgamemaster\update.exe
c:\windows\system32\icacls.exe
c:\temp\txgamedownload\component\appmarket\market.exe
c:\temp\txgamedownload\component\appmarket\setup\tinst.exe
c:\program files\txgameassistant\appmarket\qmemulatorservice.exe
c:\program files\txgameassistant\appmarket\appmarket.exe
c:\program files\txgameassistant\appmarket\tbswebrenderer.exe
c:\program files\txgameassistant\appmarket\gamedownload.exe
c:\program files\kuai8\k8gm.exe
c:\program files\kuai8