larrytash

Everything posted by larrytash

  1. My msdt.exe file also reports from VirusTotal as not being detected, but again if you switch to the "Behavior" tab you find it's copying the clipboard, keystroke logging, and all kinds of other malicious behavior. I also found one suspicious log with Chinese wording in it, but it could be from a vendor:

     accept command line arguments
     PowerShell T1059.001: run PowerShell expression
     Shared Modules T1129: parse PE header; link function at runtime on Windows
     Defense Evasion TA0005
     Obfuscated Files or Information T1027: encode data using XOR
     File and Directory Permissions Modification T1222: set file attributes
     Credential Access TA0006
     Keylogging T1056.001: log keystrokes via polling
     Discovery TA0007
     Query Registry T1012: query or enumerate registry value
     System Owner/User Discovery T1033: get session user name; get token membership
     System Information Discovery T1082: query environment variable; Reads software policies
     File and Directory Discovery T1083: check if file exists; enumerate files on windows; enumerate files recursively; get common file path; get file size; enumerate files on Windows
     Account Discovery T1087: get session user name
     Collection TA0009
     Keylogging T1056.001: log keystrokes via polling
     Clipboard Data T1115: open clipboard

     Attachment: mdst exe.zip
  2. VirusTotal says that "windowsupdatebg.s.llnwi.net" from the behavior tab of svchost.exe is malicious according to Forcepoint ThreatSeeker, for instance. So there has been some sort of swap of genuine Windows files to signed but malicious files, as far as I can figure.
  3. Also this svchost.exe seems to be at the root of the problem. VirusTotal says the timestamp of the file is suspicious. It appears the attack involves switching out SVCHost.exe to this version (attached). It leads to all kinds of suspicious services that can't be disabled, such as BcastDVRUserService_47d69; they always come with that ending sequence, they all can't be turned off, they all come from svchost.exe cmd line prompts, and they all have to do with networking, screen grabbing, etc. This svchost.exe comes up signed, but if you actually look at the VirusTotal -> Behavior tab, it is resolving to these DNS locations:

     fp2E7A.wpc.2BE4.phicdn.net
     fp2e7a.wpc.2be4.phicdn.net
     fp2e7a.wpc.phicdn.net
     prda.aadg.msidentity.com
     windowsupdatebg.s.llnwi.net
     x1.c.lencr.org

     It mentions these IP traffic locations:

     13.107.12.50:80 (TCP)
     131.253.33.203:80 (TCP)
     192.168.0.12:137 (UDP)
     192.168.0.1:137 (UDP)
     192.229.211.108:80 (TCP)
     20.22.113.133:443 (TCP)
     20.62.24.77:443 (TCP)
     20.80.129.13:443 (TCP)
     20.99.132.105:443 (TCP)
     20.99.133.109:443 (TCP)
     20.99.184.37:443 (TCP)
     20.99.185.48:443 (TCP)
     20.99.186.246:443 (TCP)
     23.209.116.9:443 (TCP)
     23.215.176.163:443 (TCP)
     23.216.147.62:443 (TCP)
     23.216.147.64:443 (TCP)
     23.216.147.76:443 (TCP)
     23.40.197.137:443 (TCP)
     23.40.197.184:443 (TCP)
     23.40.197.40:443 (TCP)
     52.154.209.174:443 (TCP)
     52.185.73.156:443 (TCP)
     a83f:8110:0:0:0:0:2002:0:53 (UDP)
     a83f:8110:0:0:0:8000:0:0:53 (UDP)
     a83f:8110:0:0:100:0:0:0:53 (UDP)
     a83f:8110:0:0:100:0:1800:0:53 (UDP)
     a83f:8110:0:0:1400:1400:2800:3800:53 (UDP)
     a83f:8110:0:0:1b00:100:2800:0:53 (UDP)
     a83f:8110:0:0:2800:0:0:0:53 (UDP)
     a83f:8110:0:0:4d8a:21:0:0:53 (UDP)
     a83f:8110:0:0:629b:2800:0:0:53 (UDP)
     a83f:8110:0:0:700:700:2800:4000:53 (UDP)
     a83f:8110:0:0:e600:0:0:0:53 (UDP)
     a83f:8110:0:33c0:3985:9000:0:f84:53 (UDP)
     a83f:8110:1a1a:1aff:1a1a:1aff:1a1a:1aff:53 (UDP)
     a83f:8110:1a1a:1aff:1b1b:1bff:1b1b:1bff:53 (UDP)
     a83f:8110:2800:1800:4000:1800:1800:100:53 (UDP)
     a83f:8110:4747:47ff:4747:47ff:4747:47ff:53 (UDP)
     a83f:8110:508:10ff:70a:12ff:70a:12ff:53 (UDP)
     a83f:8110:584a:b5b1:17cb:1ec8:0:0:53 (UDP)
     a83f:8110:7300:6b00:7600:6f00:6c00:7500:53 (UDP)
     a83f:8110:7600:6900:6c00:6500:6700:6500:53 (UDP)
     a83f:8110:9004:200:6a00:0:5c00:6400:53 (UDP)
     a83f:8110:aa01:0:0:0:0:0:53 (UDP)
     a83f:8110:ffff:ffff:0:0:0:0:53 (UDP)

     It dropped 300 files according to VirusTotal; here are some of them:

     C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9F0.tmp
     C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9F0.tmp.WERInternalMetadata.xml
     C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAAB.tmp
     C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAAB.tmp.csv
     C:\ProgramData\Microsoft\Windows\WER\Temp\WERFACC.tmp
     C:\ProgramData\Microsoft\Windows\WER\Temp\WERFACC.tmp.txt
     C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAFA.tmp
     C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAFA.tmp.WERInternalMetadata.xml
     C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB1B.tmp
     C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB1B.tmp.csv
     C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB4B.tmp
     C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB4B.tmp.txt
     C:\Windows\System32\spp\store\2.0\cache\cache.dat
     C:\Windows\System32\spp\store\2.0\data.dat.tmp

     Attachment: svchost exe.zip
  4. Attached are Farbar logs, Malwarebytes quick scan logs, and Malwarebytes support logs (the zip includes the MBAM service folder with logs, mbst-check-results, setup logs, etc.). So these are, indeed, your logs and FRST logs. Attachments: MB Scan report.txt, mbst-check-results.txt, mbst-grab-results.zip, Addition.txt, FRST.txt
  5. VirusTotal said this PowerShell script had 2 MITRE tactics based on Zenbox behavior analysis. Attachment: First PS script.txt
  6. I used VirusTotal to check IP 205.171.2.65, which came out of the DNS settings flagged by FARBAR on a totally clean partition reinstall of Windows. It came back "FortinetMalware, Xcitium Verdict Cloud Malware". So this malware has routed traffic from my computer to an IP that VirusTotal believes to contain malware, at least from two sources.
  7. Another 4104 PowerShell script:

     Creating Scriptblock text (2 of 4):

     $sb = New-Object System.Text.StringBuilder $textToEscape.Length;
     for($i=0; $i -lt $textToEscape.Length; $i++) {
         $curChar = $textToEscape[$i];
         if($curChar -eq '\n') {
             $null = $sb.Append("\par");
         } elseif(($curChar -lt 0x20) -or ($curChar -eq '{') -or ($curChar -eq '}') -or ($curChar -eq '\\')) {
             $null = $sb.Append("\'");
             $null = $sb.Append(([int]$curChar).ToString("X2", [System.Globalization.CultureInfo]::InvariantCulture));
         } elseif($curChar -lt 0x80) {
             $null = $sb.Append($curChar);
         } else {
             $null = $sb.Append("\u");
             $null = $sb.Append(([int]$curChar).ToString([System.Globalization.CultureInfo]::InvariantCulture));
             $null = $sb.Append('?');
         }
     }
     return $sb.ToString();
     }

     function IsValidURL($URL) {
         &{
             $uri = [System.URI]($URL);
             $scheme = $uri.scheme;
             if(($scheme -eq "http" ) -or ($scheme -eq "https") -or ($scheme -eq "ftp")) {
                 return $uri.ToString();
             } else {
                 return $null;
             }
         }
         trap [Exception] { return $null; }
     }

     function GetDefaultBrowser() {
         [string]$assocString = $null
         $dll = "NetworkDiagnosticSnapIn.dll"
         try {
             RegSnapin $dll
             $assocString = [Microsoft.Windows.Diagnosis.Network.AssociationInfo]::GetAssociation("http","open");
             trap [Exception] { $assocString = $null; }
         } finally {
             UnregSnapin $dll
         }
         return $assocString;
     }

     function GetWebNDFIncidentData($URL, $DefaultConnectivity) {
         #build entry point parameters
         $haXML = "<HelperAttributes><HelperAttribute><Name>URL</Name><Type>AT_STRING</Type><Value><![CDATA[" + $URL + "]]></Value></HelperAttribute>"
         if($DefaultConnectivity) {
             #sqm explorer as the client rather than sdiaghost.exe
             $haXML += "<HelperAttribute><Name>NDFSQMCallerApplication</Name><Type>AT_STRING</Type><Value>Windows\Explorer.EXE</Value></HelperAttribute>"
             $defaultBrowser = GetDefaultBrowser;
             if($defaultBrowser) {
                 $haXML += "<HelperAttribute><Name>AppID</Name><Type>AT_STRING</Type><Value>"+ $defaultBrowser + "</Value></HelperAttribute>"
             }
         }
         $haXML += "</HelperAttributes>"
         return @{"HelperClassName" = "WinInetHelperClass"; "HelperAttributes" =$haXML}
     }

     function GetValidURL($CandidateURL) {
         $toReturn = $null
         $url = IsValidURL $CandidateURL
         if($url -eq $null) {
             if($CandidateURL.IndexOf("://") -eq -1) {
                 $updatedURL = "http://" + $CandidateURL
                 $url = IsValidURL $updatedURL
                 if($url) {
                     $toReturn = $url
                 }
             }
         } else {
             $toReturn = $url
         }
         return $toReturn
     }

     function GetErrorRTF($Description, $Error) {
         $escapedDesc = EscapeForRTF $Description;
         $escapedError = EscapeForRTF $Error;
         $rtf = LoadResourceString($ERROR_MSG_RTF_RESOURCE);
         return $rtf.Replace("%DESC%", $escapedDesc).Replace("%ERROR%", $escapedError);
     }

     function WebEntry() {
         $IT_WebChoice = Get-DiagInput -ID "IT_WebChoice"
         if($IT_WebChoice -eq $null) {
             #Failed retriving Web Choice
             return $null
         }
         $IT_URL = $DefaultDiagURL
         if(!($IT_WebChoice -eq "Internet")) {
             $IT_URL = Get-DiagInput -ID "IT_URL"
             if($IT_URL -eq $null) {
                 #Failed retriving URL
                 return $null
             }
             #verify that it is a valid URL
             $validURL = GetValidURL $IT_URL[0]
             while($validURL -eq $null) {
                 #build the RTF text
                 $replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidURL_FormatError, $IT_URL[0]);
                 $RTFText = GetErrorRTF ($localizationString.interaction_InvalidURL_Desc) ($replacedError);
                 #reprompt for input
                 $IT_URL = Get-DiagInput -ID "IT_Invalid_URL" -p @{"URL" = $IT_URL; "RTFText" = $RTFText}
                 if($IT_URL -eq $null) {
                     #Failed retriving URL
                     return $null
                 }
                 $validURL = GetValidURL $IT_URL[0]
             }
         }
         return GetWebNDFIncidentData $validURL $false
     }

     function IsUNCFormat($UNC) {
         &{
             $uri = [System.URI]($UNC);
             $scheme = $uri.scheme;
             if(($scheme -eq "file" )) {
                 if($uri.IsUnc) {
                     return $uri.LocalPath;
                 }
             }
             return $null;
         }
         trap [Exception] { return $null; }
     }

     #function assumes passed in UNC is in \\host\share form (share can be missing)
     function ContainsInvalidUNCChars($UNC) {
         &{
             #will return an exception if the string has invalid characters
             $ignoreResult = [System.IO.Path]::IsPathRooted($UNC)
             #check the path for invalid characters
             #remove the starting slashes
             $tmp = $UNC.Substring(2)
             $nextSlash = $tmp.IndexOf("\")
             if(($nextSlash -lt 0) -or ($nextSlash -eq ($nextSlash.Length - 1))) {
                 #string only contains hostname
                 #hostname is already validated in IsUNCFormat function
                 return $false
             }
             #remove host and backslash after host
             $UNCPath = $tmp.Substring($nextSlash+1)
             #under certain circumstances some of these make it through the above check
             #so we do a direct sanity check here
             if(!($UNCPath.IndexOfAny(@('/',':','*','?','"','<','>','|')) -eq -1)) {
                 return $true;
             }
             return $false;
         }
         trap [Exception] { return $true; }
     }

     function GetValidUNC($CandidateUNC) {
         $toReturn = $null
         #is it valid
         $unc = IsUNCFormat $CandidateUNC
         if($unc) {
             $invalidChars = ContainsInvalidUNCChars $unc
             if($invalidChars) {
                 $toReturn = -1;
             } else {
                 $toReturn = $unc
             }
         }
         return $toReturn;
     }

     function GetUNCNDFIncidentData($UNC) {
         #build entry point parameters
         $haXML = "<HelperAttributes><HelperAttribute><Name>UNCPath</Name><Type>AT_STRING</Type><Value><![CDATA[" + $UNC + "]]></Value></HelperAttribute></HelperAttributes>"
         return @{"HelperClassName" = "SMBHelperClass"; "HelperAttributes" =$haXML}
     }

     function FileSharingEntry() {
         $IT_UNC = Get-DiagInput -ID "IT_UNC"
         if($IT_UNC -eq $null) {
             #Failed retriving UNC path
             return $null
         }
         #assign input to non-array variable to facilitate usage and transform
         $validUNC = GetValidUNC $IT_UNC[0]
         while((!$validUNC) -or ($validUNC -eq -1)) {
             #build the RTF text
             #use original entry for re-prompt even though "file://" UNC may have been transformed
             $replacedError = "";
             if(!$validUNC) {
                 $replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidUNC_FormatError, $IT_UNC[0]);
             } else {
                 $replacedError = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.interaction_InvalidUNC_CharError, $IT_UNC[0]);
             }
             $RTFText = GetErrorRTF ($localizationString.interaction_InvalidUNC_Desc) ($replacedError);
             #reprompt for input
             $IT_UNC = Get-DiagInput -ID "IT_Invalid_UNC" -p @{"UNC" = $IT_UNC; "RTFText" = $RTFText}
             if($IT_UNC -eq $null) {
                 #Failed retriving UNC path
                 return $null
             }
             $validUNC = GetValidUNC $IT_UNC[0]
         }
         return GetUNCNDFIncidentData $validUNC
     }

     function NetworkAdapterEntry() {
         #enumerate interfaces to build options list
         $interfaces = get-wmiobject -class Win32_NetworkAdapter
         #hash table with options
         $optionList = @()
         foreach($curInterface in $interfaces) {
             if($curInterface.GUID -ne $null) {
                 $curHash = @{"Name"=$curInterface.NetConnectionID}
                 $curHash += @{"Description"=$curInterface.NetConnectionID}
                 $curHash += @{"Value"=$curInterface.GUID}
                 $optionList += @($curHash)
             }
         }
         if($optionList.Count -gt 1) {
             #add zero guid entry to check all interfaces
             $optionList += @(@{"Name"=$localizationString.interaction_AllAdapters; "Description"=$localizationString.interaction_AllAdapters; "Value"="{00000000-0000-0000-0000-000000000000}"; "ExtensionPoint"="<Default />"})
             #get interface selection from user
             $IT_NetworkAdapter = Get-DiagInput -ID "IT_NetworkAdapter" -c $optionList
             if($IT_NetworkAdapter -eq $null) {
                 throw "Failed retriving Network Connetion ID from user"
             }
         } elseif($optionList.Count -eq 1) {
             $IT_NetworkAdapter = $optionList[0]["Value"]
         } else {
             #No NICs, do zero GUID diag
             $IT_NetworkAdapter = "{00000000-0000-0000-0000-000000000000}"
         }
         #build entry point parameters
         $haXML = "<HelperAttributes><HelperAttribute><Name>guid</Name><Type>AT_GUID</Type><Value>" + $IT_NetworkAdapter + "</Value></HelperAttribute></HelperAttributes>"
         return @{"HelperClassName" = "NetConnection"; "HelperAttributes" =$haXML}
     }

     function WinsockEntry() {
         $IT_RemoteAddress = Get-DiagInput -ID "IT_RemoteAddress"
         if($IT_RemoteAddress -eq $null -or $IT_RemoteAddress[0].Length -eq 0) {
             #Failed retriving Remote Address
             return $null
         }
         $IT_Protocol = Get-DiagInput -ID "IT_Protocol"
         if($IT_Protocol -eq $null -or $IT_Protocol[0].Length -eq 0) {
             #Failed retriving Remote Port
             return $null
         }
         $IT_ApplicationID = Get-DiagInput -ID "IT_ApplicationID"
         if($IT_ApplicationID -eq $null -or $IT_ApplicationID[0].Length -eq 0) {
             #Failed retriving Application ID
             return $null
         }
         #build entry point parameters
         $haXML = "<HelperAttributes><HelperAttribute><Name>remoteaddr</Name><Type>AT_SOCKADDR</Type><Value>" + $IT_RemoteAddress + "</Value></HelperAttribute>";
         $haXML += "<HelperAttribute><Name>protocol</Name><Type>AT_UINT32</Type><Value>" + $IT_Protocol + "</Value></HelperAttribute>";
         $haXML += "<HelperAttribute><Name>localaddr</Name><Type>AT_SOCKADDR</Type><Value>0.0.0.0</Value></HelperAttribute>";
         $haXML += "<HelperAttribute><Name>appid</Name><Type>AT_STRING</Type><Value>" + $IT_ApplicationID + "</Value></HelperAttribute>";
         $haXML += "</HelperAttributes>";
         return @{"HelperClassName" = "Winsock"; "HelperAttributes" =$haXML}
     }

     function GroupingEntry() {
         $IT_GroupName = Get-DiagInput -ID "IT_GroupName"
         if($IT_GroupName -eq $null -or $IT_GroupName[0].Length -eq 0) {
             #Failed retriving Remote Address
             return $null
         }
         #build entry point parameters
         $haXML = "<HelperAttributes><HelperAttribute><Name>groupname</Name><Type>AT_STRING</Type><Value>" + $IT_GroupName + "</Value></HelperAttribute></HelperAttributes>"
         return @{"HelperClassName" = "GroupingHelperClass"; "HelperAttributes" =$haXML}
     }

     function GetValidExePath($File) {
         &{
             $uri = [System.URI]($File);
             $scheme = $uri.scheme;
             if(($scheme -eq "file" )) {
                 #make sure it send in .exe
                 if($File.ToLower().IndexOf(".exe") -eq ($File.Length - 4)) {
                     return $File;
                 }
             }
             return $null;
         }
         trap [Exception] { return $null; }
     }

     function InboundEntry() {
         $staticOptionRes = @($INBOUND_FILESHARE_RESOURCE, $INBOUND_REMOTEDESKTOP_RESOURCE, $INBOUND_DISCOVERY_RESOURCE)
         $staticOptions = @($INBOUND_FILESHARE_PARAM, $INBOUND_REMOTEDESKTOP_PARAM, $INBOUND_DISCOVERY_PARAM)
         # If defined for the corresponding option, the item will be filtered out if the current sku matches anything in the list
         # Sku values as defined in the OperatingSystemSKU property of Win32_OperatingSystem
         $SKUFilters = @($null, @(2,3,5,11), $null)
         #get the SKU, to filter out inappropriate static options
         $SKUObject = get-wmiobject -class Win32_OperatingSystem -property "OperatingSystemSKU"
         $SKU = $SKUObject.OperatingSystemSKU
         $optionList = @()
         $curOptionIndex = 0
         for($curStaticOption = 0; $curStaticOption -lt $staticOptions.Length; $curStaticOption++) {
             $SKUFilter = $SKUFilters[$curStaticOption]
             if($SKUFilter) {
                 if($SKUFilter -contains $SKU) {
                     #should filter out this option from the list because it is not present in the SKU
                     continue;
                 }
             }
             $curApp = LoadResourceString($staticOptionRes[$curStaticOption])
             $curHash = @{}
             $curHash.Add("Name",$curApp)
             $curHash.Add("Value",$curOptionIndex)
             $curHash.Add("Description",$curApp)
             $curHash.Add("HelperAttributeName","serviceid")
             $curHash.Add("HelperAttributeValue",$staticOptions[$curStaticOption])
             $optionList += $curHash
             $curOptionIndex++
         }
         #add dynamic options (do not fail if call fails)
         $script:ExpectingException = $true
         $dll = "NetworkDiagnosticSnapIn.dll"
         try {
             RegSnapin $dll
             $droppedApps = [Microsoft.Windows.Diagnosis.Network.FirewallApi.ManagedMethods]::GetDiagnosticAppInfo()
             $script:ExpectingException = $false
             if($droppedApps) {
                 foreach($droppedApp in $droppedApps) {
                     #omit svchosts since we cannot display a friendly name for them
                     if($droppedApp.Path.IndexOf("svchost") -eq -1) {
                         $appEntryDisplayStr = [System.String]::Format([System.Globalization.Cul

     ScriptBlock ID: 9dde433b-59f7-43ff-9724-da85bd9a7705
     Path: C:\Users\Chaz\AppData\Local\Temp\SDIAG_fc401818-2c95-4b72-9b00-d91a618105c1\UtilityFunctions.ps1
  8. PowerShell script run by 4104:

     Creating Scriptblock text (1 of 1):

     {
         $script:ExpectingException = $true
         $events = get-winevent -path $TraceFile -Oldest -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Diagnostics-Networking'] and (EventID=6100)]]" -ErrorAction SilentlyContinue
         $script:ExpectingException = $false
         foreach($event in $events) {
             #events indexed by time they were emitted
             if(($event -ne $null) -and !$Global:ReportEvents.ContainsKey($event.TimeCreated)) {
                 #Add helper class name to title so that it's easily distinguishable in the report without having to expand it
                 $eventTitle = [System.String]::Format([System.Globalization.CultureInfo]::InvariantCulture, $localizationString.HelperClassEventNameWithHCName, [System.Globalization.CultureInfo]::CurrentUICulture.TextInfo.ToTitleCase($event.Properties[0].Value));
                 "<Objects><Object Type=""System.String""><PRE><![CDATA["+$event.Message +"]]></PRE></Object></Objects>" | Update-DiagReport -id DiagInformation -name $eventTitle
                 $Global:ReportEvents.Add($event.TimeCreated, $event)
             }
         }
     }

     ScriptBlock ID: 98faba36-8011-4820-b876-b9a559211c51
     Path: C:\Users\Chaz\AppData\Local\Temp\SDIAG_deb8d06e-bbd7-4912-9d13-83133a10a6de\UtilityFunctions.ps1
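The two posts above quote Event ID 4104 (PowerShell script block logging) records, one of them a fragment "2 of 4". When reviewing such records the useful step is to pull every 4104 event, stitch the fragments for each ScriptBlock ID back together in order, and keep the Path field beside the reconstructed text so the reviewer can see which file on disk the engine loaded it from. The following script is an added example for doing that; it is not code from the forum post or from Malwarebytes. It assumes it is run in an elevated PowerShell on the machine whose log is being examined, and the output folder is a placeholder of my choosing.

```powershell
# Added example (not from the forum post): reassemble PowerShell script block
# logging (Event ID 4104) fragments into whole scripts for offline review.
# Assumptions: elevated PowerShell 5.1+ on the examined machine; $OutDir is a
# placeholder path chosen for this example.
param(
    [string]$OutDir = "$env:USERPROFILE\Desktop\ScriptBlocks"   # assumed location
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 4104 event payload layout:
#   Properties[0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
#   Properties[3] ScriptBlockId, [4] Path (empty for in-memory / interactive code)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -ErrorAction SilentlyContinue

$records = foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Part    = [int]$e.Properties[0].Value
        Total   = [int]$e.Properties[1].Value
        Text    = [string]$e.Properties[2].Value
        BlockId = [string]$e.Properties[3].Value
        Path    = [string]$e.Properties[4].Value
        Level   = $e.LevelDisplayName   # "Warning" = engine flagged the block as suspicious
    }
}

$summary = foreach ($group in ($records | Group-Object BlockId)) {
    # Fragments of one block share a ScriptBlockId; MessageNumber gives their order
    $parts    = @($group.Group | Sort-Object Part)
    $complete = ($parts.Count -eq $parts[0].Total)
    $text     = -join ($parts | ForEach-Object Text)
    $file     = Join-Path $OutDir ("{0}.ps1.txt" -f $group.Name)
    Set-Content -Path $file -Value $text -Encoding UTF8

    [pscustomobject]@{
        BlockId   = $group.Name
        FirstSeen = (@($parts | Sort-Object Time))[0].Time
        Parts     = "{0}/{1}" -f $parts.Count, $parts[0].Total
        Complete  = $complete          # $false means the log rolled over or a part is missing
        Flagged   = ($parts.Level -contains 'Warning')
        Path      = $(if ($parts[0].Path) { $parts[0].Path } else { '<in-memory>' })
        Length    = $text.Length
        Saved     = $file
    }
}

# Flagged and path-less blocks are the ones worth reading first; Path tells you
# whether the code came from a known on-disk script (e.g. a Temp\SDIAG_* troubleshooter
# file) or from something that never touched disk.
$summary | Sort-Object Flagged, FirstSeen -Descending |
    Format-Table BlockId, FirstSeen, Parts, Complete, Flagged, Path -AutoSize
```

Each reconstructed block is written to its own file named after the ScriptBlock ID, so the "2 of 4" fragment quoted above would be joined with its three siblings before anyone tries to read it. Comparing the saved text against the script at the recorded Path (for example with Get-FileHash on both) shows whether the logged code matches what is on disk.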
  9. I'll get those logs when possible. There's a log in windows\Panther including "[svchost.exe] Enter WinReIsWimBootEnabled" … "[RelPost.exe] Enter WinReSetTriggerFile". So it would seem they are using WIMBoot to create a background environment from early in the boot, possibly storing it in the Windows recovery partition. There is some trigger file that causes it to turn on; then it starts opening MoUsoCoreWorker, mstsc.exe, osk.exe etc. to take over the computer for PowerShell scripting. When possible I'll get the MWB support logs.
  10. I am sorry I don't have the setupact.log, as it really shows every step, but it didn't zip. I ran multiple 4104 PowerShell scripts through ChatGPT to see what they did, and they were changing permissions, changing Defender and MWB settings, taking various ownership, etc.
  11. Again, I'm not asking for my computer to be fixed. I'm asking Malwarebytes to take it seriously that someone figured out how to use almost all native Windows functions to fully take over computers. I didn't know I had a Game Bar, but they appear to have used Xbox Game Bar to get in, then planted a Trojan which executes the steps down in the .dat file among others, taking over mstsc.exe and osk.exe and multiple other files, then running PowerShell commands, and you've got the whole thing. I grabbed a number of PowerShell files to run on VirusTotal against the AI system but have no public Ethernet to do it on currently.
  12. It is responsible. Open the .dat file. The Xbox Game Bar token was used at one point to get in through Microsoft Live.
  13. You're right: providing Remote Desktop control to whoever planted the code, granting full remote PowerShell scripting rights which are then used to log all files and activity for remote copying, allowing enabling and accessing the guest account even if it is disabled, taking file and folder ownership, injecting the base code into fresh Windows installs from firmware (apparently Nvidia and Realtek device firmware), and rerouting the DNS to the hacker's computer in Nebraska… that's not malware because no one else's software hits on it and it's doing it through genuine Windows files. 360 Global Security has a report on an "oldpanther" ransomware that appears to be the same thing plus encrypting files; it is available on Google. You can open and read the .dat easily to see its playbook; it's scripting the file distribution right there. When I can find a public Ethernet to plug into I'll use the MWB support tools and upload. But since this can't be removed I can't plug it into any of my networks currently.
  14. Nope, I want Malwarebytes to detect this severe Trojan from now on. That's NOT what I need to read. Clearly Malwarebytes has zero interest in actually stopping new threats.
  15. If I plug my computer into any network long enough to do something like that, 4104 PowerShell commands start irreversibly changing all kinds of settings and opening back doors, and then I have to reinstall again at best. I'm trying to help identify something that appears sophisticated, which I was under the impression you guys would be excited about. But if not, my apologies. There is the FARBAR detection strafed which should substitute.
  16. Firmware deploys this Trojan, which allows complete remote control of a system using almost entirely genuine Windows components to avoid detection.

     1- There should be a "setupact.log" in here that describes how the file comes out of firmware and gets around the Windows setup process to infect the machine. It seems that zipping the file may have removed it, and the only way I could create a new one would be to reinstall Windows. If you can't get this file out of the zip it's very unfortunate, as it shows the entire strategy the system deployed with, but it seems the zipping process may have removed the .log.
     2- Look through "RunExeActionAllowedList.dat", which is the code that seems to deploy the system for using genuine Windows products to take over the machine.
     3- "FRST - Copy.txt" contains all the detections from the FARBAR Run Scan Tool, which show a list of what the Trojan had done (though some of it was removed in a first-round "Fix" by that tool).
     4- The "KnownGameList.Bin" appears to be an access method used in concert with Xbox GameBar.

     The system seems to change the DNS to a different IP and repeatedly triggers (and copies over if you delete it) mstsc.exe. There are dozens of copies of this file in different folders that it uses to restore itself. I have previously uploaded more files, but apparently that wasn't preferred. Please use these to ask me if you'd like a specific file. Attachment: Panther or Hxtsr trj.zip