Overview

overview

10

Static

static

3

NeverLoseByOxy.exe

windows10-2004-x64

10

NeverLoseByOxy.exe

windows10-ltsc 2021-x64

10

NeverLoseByOxy.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    08/11/2024, 10:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NeverLoseByOxy.exe

  • Size

    5.7MB

  • MD5

    24f6e0f1cd42246f176a505f8d7d1c4d

  • SHA1

    5160c3f78672b86970135261941e2ad003d44ba1

  • SHA256

    b5cce9b75d7d336fc8d3ebe678af0a9b25ade673964c86a5527df736fdd3ec84

  • SHA512

    77b48b6652526f4d8a571eaaf539181385c8b3ada0e974caf5c4949fa289c46694bab0e8b0e91048d76be87fe0003ea98bc605f560792df7fefde1465ab7da85

  • SSDEEP

    98304:whhqDOlIP2BtJIx4hpebqKbhAUDdROejIAV/PCqa5oRJ0XkKPdKH10msJ:whhqaIMg6wqKbyUDdROCIAV/PCkIkKFn

Score
10/10
xwormdefense_evasiondiscoveryevasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    SMSvcHost.exe

  • pastebin_url

    https://pastebin.com/raw/ijTrCXN3

Signatures

  • Detect Xworm Payload 10 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 11 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 8 IoCs
  • Executes dropped EXE 15 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 60 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:632
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:1000
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:684
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:964
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
            1⤵
              PID:404
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
              1⤵
                PID:752
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                1⤵
                  PID:764
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                  1⤵
                    PID:1044
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                    1⤵
                    • Indicator Removal: Clear Windows Event Logs
                    PID:1136
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:1180
                    • C:\Windows\system32\taskhostw.exe
                      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                      2⤵
                        PID:3220
                      • C:\ProgramData\ApplicationFrameHost.exe
                        "C:\ProgramData\ApplicationFrameHost.exe"
                        2⤵
                        • Executes dropped EXE
                        PID:5876
                      • C:\ProgramData\IAStorDataMgrSvc.exe
                        "C:\ProgramData\IAStorDataMgrSvc.exe"
                        2⤵
                        • Executes dropped EXE
                        PID:4480
                      • C:\ProgramData\SMSvcHost.exe
                        "C:\ProgramData\SMSvcHost.exe"
                        2⤵
                        • Executes dropped EXE
                        PID:6084
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                      1⤵
                        PID:1260
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                        1⤵
                          PID:1288
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                          1⤵
                            PID:1388
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                            1⤵
                              PID:1396
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                              1⤵
                                PID:1452
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                1⤵
                                  PID:1524
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                  1⤵
                                    PID:1564
                                    • C:\Windows\system32\sihost.exe
                                      sihost.exe
                                      2⤵
                                      • Modifies registry class
                                      PID:3024
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                    1⤵
                                      PID:1616
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                      1⤵
                                        PID:1704
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                        1⤵
                                          PID:1740
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                          1⤵
                                            PID:1796
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                            1⤵
                                              PID:1840
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                              1⤵
                                                PID:1948
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                1⤵
                                                  PID:2016
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                  1⤵
                                                    PID:2024
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                    1⤵
                                                      PID:2040
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                      1⤵
                                                        PID:1700
                                                      • C:\Windows\System32\spoolsv.exe
                                                        C:\Windows\System32\spoolsv.exe
                                                        1⤵
                                                          PID:2084
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                          1⤵
                                                            PID:2204
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                            1⤵
                                                              PID:2300
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                              1⤵
                                                                PID:2400
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                1⤵
                                                                  PID:2584
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                  1⤵
                                                                    PID:2592
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                    1⤵
                                                                      PID:2752
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                      1⤵
                                                                        PID:2812
                                                                      • C:\Windows\sysmon.exe
                                                                        C:\Windows\sysmon.exe
                                                                        1⤵
                                                                          PID:2844
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                          1⤵
                                                                            PID:2876
                                                                          • C:\Windows\System32\svchost.exe
                                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                            1⤵
                                                                              PID:2880
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                              1⤵
                                                                                PID:3108
                                                                              • C:\Windows\system32\wbem\unsecapp.exe
                                                                                C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                1⤵
                                                                                  PID:3176
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                  1⤵
                                                                                    PID:3336
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                    1⤵
                                                                                      PID:3596
                                                                                    • C:\Windows\Explorer.EXE
                                                                                      C:\Windows\Explorer.EXE
                                                                                      1⤵
                                                                                        PID:3672
                                                                                        • C:\Users\Admin\AppData\Local\Temp\NeverLoseByOxy.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\NeverLoseByOxy.exe"
                                                                                          2⤵
                                                                                          • Checks computer location settings
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:2684
                                                                                          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\LN.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\LN.exe"
                                                                                            3⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:4456
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.bat" "
                                                                                              4⤵
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:3360
                                                                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX1\L.exe
                                                                                                L.exe -p123567Oxy -dC:\Users\Admin\AppData\Local\Temp
                                                                                                5⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:5000
                                                                                                • C:\Users\Admin\AppData\Local\Temp\RarSFX2\temp.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\temp.exe"
                                                                                                  6⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                  PID:644
                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\NeverLose.exe
                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\NeverLose.exe"
                                                                                                    7⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:972
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\expl.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\expl.exe"
                                                                                                      8⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                      PID:4020
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RarSFX2\exp.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\exp.exe"
                                                                                                        9⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Modifies registry class
                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                        PID:2064
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                                                                                          10⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • Suspicious use of SetThreadContext
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:4180
                                                                                                          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                                                            11⤵
                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            PID:2960
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                            11⤵
                                                                                                              PID:420
                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                12⤵
                                                                                                                  PID:700
                                                                                                                • C:\Windows\system32\wusa.exe
                                                                                                                  wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                                  12⤵
                                                                                                                    PID:3156
                                                                                                                • C:\Windows\system32\dialer.exe
                                                                                                                  C:\Windows\system32\dialer.exe
                                                                                                                  11⤵
                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                  PID:2536
                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                  C:\Windows\system32\sc.exe delete "svchost.exe"
                                                                                                                  11⤵
                                                                                                                  • Launches sc.exe
                                                                                                                  PID:1104
                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                  C:\Windows\system32\sc.exe create "svchost.exe" binpath= "C:\ProgramData\svchost.exe" start= "auto"
                                                                                                                  11⤵
                                                                                                                  • Launches sc.exe
                                                                                                                  PID:4836
                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                  C:\Windows\system32\sc.exe stop eventlog
                                                                                                                  11⤵
                                                                                                                  • Launches sc.exe
                                                                                                                  PID:3916
                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                  C:\Windows\system32\sc.exe start "svchost.exe"
                                                                                                                  11⤵
                                                                                                                  • Launches sc.exe
                                                                                                                  PID:2892
                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    12⤵
                                                                                                                      PID:4776
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\IAStorDataMgrSvc.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\IAStorDataMgrSvc.exe"
                                                                                                                  10⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Drops startup file
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Adds Run key to start application
                                                                                                                  • Suspicious behavior: AddClipboardFormatListener
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                  PID:4684
                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\IAStorDataMgrSvc.exe'
                                                                                                                    11⤵
                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:460
                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'IAStorDataMgrSvc.exe'
                                                                                                                    11⤵
                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    PID:4560
                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\IAStorDataMgrSvc.exe'
                                                                                                                    11⤵
                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    PID:4608
                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'IAStorDataMgrSvc.exe'
                                                                                                                    11⤵
                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                    PID:1828
                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      12⤵
                                                                                                                        PID:856
                                                                                                                    • C:\Windows\System32\schtasks.exe
                                                                                                                      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "IAStorDataMgrSvc" /tr "C:\ProgramData\IAStorDataMgrSvc.exe"
                                                                                                                      11⤵
                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                      PID:5512
                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        12⤵
                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                        PID:696
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SMSvcHost.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SMSvcHost.exe"
                                                                                                                    10⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Drops startup file
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Adds Run key to start application
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                    PID:2528
                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SMSvcHost.exe'
                                                                                                                      11⤵
                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:2820
                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SMSvcHost.exe'
                                                                                                                      11⤵
                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      PID:1688
                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SMSvcHost.exe'
                                                                                                                      11⤵
                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      PID:776
                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SMSvcHost.exe'
                                                                                                                      11⤵
                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                      PID:5064
                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        12⤵
                                                                                                                          PID:436
                                                                                                                      • C:\Windows\System32\schtasks.exe
                                                                                                                        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SMSvcHost" /tr "C:\ProgramData\SMSvcHost.exe"
                                                                                                                        11⤵
                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                        PID:5336
                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          12⤵
                                                                                                                            PID:5396
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe"
                                                                                                                        10⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        • Drops startup file
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Adds Run key to start application
                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                        PID:1160
                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe'
                                                                                                                          11⤵
                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:3788
                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ApplicationFrameHost.exe'
                                                                                                                          11⤵
                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          PID:3236
                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\ApplicationFrameHost.exe'
                                                                                                                          11⤵
                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          PID:1720
                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ApplicationFrameHost.exe'
                                                                                                                          11⤵
                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                          PID:2148
                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            12⤵
                                                                                                                              PID:3708
                                                                                                                          • C:\Windows\System32\schtasks.exe
                                                                                                                            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ApplicationFrameHost" /tr "C:\ProgramData\ApplicationFrameHost.exe"
                                                                                                                            11⤵
                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                            PID:5528
                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              12⤵
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:1120
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"
                                                                                                                          10⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Drops startup file
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Adds Run key to start application
                                                                                                                          • Suspicious behavior: AddClipboardFormatListener
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                                          PID:3188
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'
                                                                                                                            11⤵
                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:4300
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
                                                                                                                            11⤵
                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                            PID:1912
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Realtek HD Audio Universal Service.exe'
                                                                                                                            11⤵
                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                            PID:2212
                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              12⤵
                                                                                                                                PID:2316
                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
                                                                                                                              11⤵
                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                              PID:4840
                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                12⤵
                                                                                                                                  PID:4108
                                                                                                                              • C:\Windows\System32\schtasks.exe
                                                                                                                                "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Realtek HD Audio Universal Service" /tr "C:\ProgramData\Realtek HD Audio Universal Service.exe"
                                                                                                                                11⤵
                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                PID:5784
                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                  12⤵
                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                  PID:5788
                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\r.bat" "
                                                                                                                        7⤵
                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                        PID:4568
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\NeverLose.exe, C:\Windows\system32\userinit.exe" /f
                                                                                                                          8⤵
                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                          PID:772
                                                                                                            • C:\Windows\system32\taskmgr.exe
                                                                                                              "C:\Windows\system32\taskmgr.exe" /4
                                                                                                              2⤵
                                                                                                              • Checks SCSI registry key(s)
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              • Suspicious behavior: GetForegroundWindowSpam
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                              PID:4960
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                            1⤵
                                                                                                              PID:3808
                                                                                                            • C:\Windows\System32\RuntimeBroker.exe
                                                                                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                              1⤵
                                                                                                                PID:4076
                                                                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                1⤵
                                                                                                                  PID:4132
                                                                                                                • C:\Windows\system32\DllHost.exe
                                                                                                                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                  1⤵
                                                                                                                    PID:4380
                                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                    1⤵
                                                                                                                    • Suspicious use of UnmapMainImage
                                                                                                                    PID:5048
                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                    1⤵
                                                                                                                      PID:4816
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                      1⤵
                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                      PID:1604
                                                                                                                    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                      1⤵
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                      PID:2140
                                                                                                                    • C:\Windows\system32\SppExtComObj.exe
                                                                                                                      C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                      1⤵
                                                                                                                        PID:2852
                                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                                        C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                        1⤵
                                                                                                                          PID:2480
                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                          1⤵
                                                                                                                            PID:3140
                                                                                                                          • C:\Windows\system32\DllHost.exe
                                                                                                                            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                            1⤵
                                                                                                                              PID:3292
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                              1⤵
                                                                                                                                PID:3260
                                                                                                                              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
                                                                                                                                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
                                                                                                                                1⤵
                                                                                                                                  PID:2932
                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
                                                                                                                                  1⤵
                                                                                                                                    PID:660
                                                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                    1⤵
                                                                                                                                      PID:116
                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                      1⤵
                                                                                                                                        PID:3644
                                                                                                                                      • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                        C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                        1⤵
                                                                                                                                        • Checks processor information in registry
                                                                                                                                        PID:3416
                                                                                                                                      • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                        C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                        1⤵
                                                                                                                                          PID:2664
                                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                          1⤵
                                                                                                                                            PID:1244
                                                                                                                                          • C:\Windows\System32\mousocoreworker.exe
                                                                                                                                            C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                                            1⤵
                                                                                                                                              PID:756
                                                                                                                                            • C:\Windows\System32\smartscreen.exe
                                                                                                                                              C:\Windows\System32\smartscreen.exe -Embedding
                                                                                                                                              1⤵
                                                                                                                                                PID:2268
                                                                                                                                              • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                                C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                1⤵
                                                                                                                                                  PID:2156
                                                                                                                                                • C:\ProgramData\svchost.exe
                                                                                                                                                  C:\ProgramData\svchost.exe
                                                                                                                                                  1⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                  PID:4500
                                                                                                                                                  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                                                                                                    2⤵
                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                    PID:1108
                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                      3⤵
                                                                                                                                                        PID:1296
                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                                                                      2⤵
                                                                                                                                                        PID:5476
                                                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          3⤵
                                                                                                                                                            PID:5304
                                                                                                                                                          • C:\Windows\system32\wusa.exe
                                                                                                                                                            wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                                                                            3⤵
                                                                                                                                                              PID:5732
                                                                                                                                                          • C:\Windows\system32\dialer.exe
                                                                                                                                                            C:\Windows\system32\dialer.exe
                                                                                                                                                            2⤵
                                                                                                                                                              PID:5452
                                                                                                                                                            • C:\Windows\system32\dialer.exe
                                                                                                                                                              C:\Windows\system32\dialer.exe
                                                                                                                                                              2⤵
                                                                                                                                                                PID:5384
                                                                                                                                                              • C:\Windows\system32\dialer.exe
                                                                                                                                                                dialer.exe
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:5244

                                                                                                                                                              Network

                                                                                                                                                                    MITRE ATT&CK Enterprise v15

                                                                                                                                                                    Reconnaissance

                                                                                                                                                                    Resource Development

                                                                                                                                                                    Initial Access

                                                                                                                                                                    Execution

                                                                                                                                                                    Command and Scripting Interpreter

                                                                                                                                                                    1
                                                                                                                                                                    T1059

                                                                                                                                                                    PowerShell

                                                                                                                                                                    1
                                                                                                                                                                    T1059.001

                                                                                                                                                                    Scheduled Task/Job

                                                                                                                                                                    1
                                                                                                                                                                    T1053

                                                                                                                                                                    Scheduled Task

                                                                                                                                                                    1
                                                                                                                                                                    T1053.005

                                                                                                                                                                    System Services

                                                                                                                                                                    2
                                                                                                                                                                    T1569

                                                                                                                                                                    Service Execution

                                                                                                                                                                    2
                                                                                                                                                                    T1569.002

                                                                                                                                                                    Persistence

                                                                                                                                                                    Boot or Logon Autostart Execution

                                                                                                                                                                    2
                                                                                                                                                                    T1547

                                                                                                                                                                    Registry Run Keys / Startup Folder

                                                                                                                                                                    1
                                                                                                                                                                    T1547.001

                                                                                                                                                                    Winlogon Helper DLL

                                                                                                                                                                    1
                                                                                                                                                                    T1547.004

                                                                                                                                                                    Create or Modify System Process

                                                                                                                                                                    2
                                                                                                                                                                    T1543

                                                                                                                                                                    Windows Service

                                                                                                                                                                    2
                                                                                                                                                                    T1543.003

                                                                                                                                                                    Scheduled Task/Job

                                                                                                                                                                    1
                                                                                                                                                                    T1053

                                                                                                                                                                    Scheduled Task

                                                                                                                                                                    1
                                                                                                                                                                    T1053.005

                                                                                                                                                                    Privilege Escalation

                                                                                                                                                                    Boot or Logon Autostart Execution

                                                                                                                                                                    2
                                                                                                                                                                    T1547

                                                                                                                                                                    Registry Run Keys / Startup Folder

                                                                                                                                                                    1
                                                                                                                                                                    T1547.001

                                                                                                                                                                    Winlogon Helper DLL

                                                                                                                                                                    1
                                                                                                                                                                    T1547.004

                                                                                                                                                                    Create or Modify System Process

                                                                                                                                                                    2
                                                                                                                                                                    T1543

                                                                                                                                                                    Windows Service

                                                                                                                                                                    2
                                                                                                                                                                    T1543.003

                                                                                                                                                                    Scheduled Task/Job

                                                                                                                                                                    1
                                                                                                                                                                    T1053

                                                                                                                                                                    Scheduled Task

                                                                                                                                                                    1
                                                                                                                                                                    T1053.005

                                                                                                                                                                    Defense Evasion

                                                                                                                                                                    Impair Defenses

                                                                                                                                                                    1
                                                                                                                                                                    T1562

                                                                                                                                                                    Indicator Removal

                                                                                                                                                                    1
                                                                                                                                                                    T1070

                                                                                                                                                                    Clear Windows Event Logs

                                                                                                                                                                    1
                                                                                                                                                                    T1070.001

                                                                                                                                                                    Modify Registry

                                                                                                                                                                    2
                                                                                                                                                                    T1112

                                                                                                                                                                    Credential Access

                                                                                                                                                                    Discovery

                                                                                                                                                                    Peripheral Device Discovery

                                                                                                                                                                    1
                                                                                                                                                                    T1120

                                                                                                                                                                    Query Registry

                                                                                                                                                                    4
                                                                                                                                                                    T1012

                                                                                                                                                                    System Information Discovery

                                                                                                                                                                    4
                                                                                                                                                                    T1082

                                                                                                                                                                    System Location Discovery

                                                                                                                                                                    1
                                                                                                                                                                    T1614

                                                                                                                                                                    System Language Discovery

                                                                                                                                                                    1
                                                                                                                                                                    T1614.001

                                                                                                                                                                    Lateral Movement

                                                                                                                                                                    Collection

                                                                                                                                                                    Command and Control

                                                                                                                                                                    Web Service

                                                                                                                                                                    1
                                                                                                                                                                    T1102

                                                                                                                                                                    Exfiltration

                                                                                                                                                                    Impact

                                                                                                                                                                    Service Stop

                                                                                                                                                                    1
                                                                                                                                                                    T1489

                                                                                                                                                                    Replay Monitor

                                                                                                                                                                    Loading Replay Monitor...

                                                                                                                                                                    Downloads

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                                                                      Filesize

                                                                                                                                                                      3KB

                                                                                                                                                                      MD5

                                                                                                                                                                      3eb3833f769dd890afc295b977eab4b4

                                                                                                                                                                      SHA1

                                                                                                                                                                      e857649b037939602c72ad003e5d3698695f436f

                                                                                                                                                                      SHA256

                                                                                                                                                                      c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

                                                                                                                                                                      SHA512

                                                                                                                                                                      c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                      Filesize

                                                                                                                                                                      1KB

                                                                                                                                                                      MD5

                                                                                                                                                                      8eedb2fd419f4f0011eb21ade788df54

                                                                                                                                                                      SHA1

                                                                                                                                                                      fb84530a09dc319ea8c2a8dc2c02672d587eb89e

                                                                                                                                                                      SHA256

                                                                                                                                                                      4b55baf1d0d2663c83d83c1cfb3a8a0c5e96a0ba4f679cfa3c9bfadd1eb9c532

                                                                                                                                                                      SHA512

                                                                                                                                                                      d18f2a0e6ddae682b210b2d3d563773ba37e7b4a58cb3c04f731c00ad32097f1209f7258616d91a061bf092ed4fa4c35f148c477b22c26a05ee17ea75dc6d31c

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                      Filesize

                                                                                                                                                                      1KB

                                                                                                                                                                      MD5

                                                                                                                                                                      16642242137a65af1597b8f997707529

                                                                                                                                                                      SHA1

                                                                                                                                                                      e3476a37f27a12dad6fb4d465c7a5c6307134bf1

                                                                                                                                                                      SHA256

                                                                                                                                                                      8a109450bcaac1f4aa339273c7e884b5488abcde508efc18647a0aacc2680f50

                                                                                                                                                                      SHA512

                                                                                                                                                                      8abc39ff3f1958426ab4bde7a002115cd5446abdd06af010a96707e2c48605044f8222677ecf3cf10f0e617a1cbb738abad243bf73ee586a51bb055ef72466b8

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                      Filesize

                                                                                                                                                                      1KB

                                                                                                                                                                      MD5

                                                                                                                                                                      0e225e60e2eb7fd8818d4957e44f409c

                                                                                                                                                                      SHA1

                                                                                                                                                                      cfdceb8dd32485a818215e8f7abaaadf5e3fcb89

                                                                                                                                                                      SHA256

                                                                                                                                                                      44bb6c4ed470a068a973e17b3aa50ee7e837562cbe8b44564585461d03f8632d

                                                                                                                                                                      SHA512

                                                                                                                                                                      4b5e538ddb1968c4b088d89100a7b128805c6214ade709d87ae86206f6c2fdbef4c87e794ea2882ab7b11872e4941039c2e85a7fe73291e7f27374887a785938

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                      Filesize

                                                                                                                                                                      1KB

                                                                                                                                                                      MD5

                                                                                                                                                                      c67441dfa09f61bca500bb43407c56b8

                                                                                                                                                                      SHA1

                                                                                                                                                                      5a56cf7cbeb48c109e2128c31b681fac3959157b

                                                                                                                                                                      SHA256

                                                                                                                                                                      63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

                                                                                                                                                                      SHA512

                                                                                                                                                                      325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                      Filesize

                                                                                                                                                                      1KB

                                                                                                                                                                      MD5

                                                                                                                                                                      6a807b1c91ac66f33f88a787d64904c1

                                                                                                                                                                      SHA1

                                                                                                                                                                      83c554c7de04a8115c9005709e5cd01fca82c5d3

                                                                                                                                                                      SHA256

                                                                                                                                                                      155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

                                                                                                                                                                      SHA512

                                                                                                                                                                      29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                      Filesize

                                                                                                                                                                      1KB

                                                                                                                                                                      MD5

                                                                                                                                                                      112e1a85279fe2131a67e5e693aa96cc

                                                                                                                                                                      SHA1

                                                                                                                                                                      d9605a4a04976613da0575342207c1d51433c5bb

                                                                                                                                                                      SHA256

                                                                                                                                                                      9f28579fd3051f1f8cd189e22c6bd04c8a572dd171125d9b33610ee8b0998252

                                                                                                                                                                      SHA512

                                                                                                                                                                      d75dd93fc17d76abe8f59f5794948ff5ae6e54427d3fbc3f38d62ebd1a91ad1927638f6921d78d9dda99ac161ff8204ad331388448cb61b9061c4ae860b41623

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                      Filesize

                                                                                                                                                                      1KB

                                                                                                                                                                      MD5

                                                                                                                                                                      db7d060719f9d7de5f776f57b90813ee

                                                                                                                                                                      SHA1

                                                                                                                                                                      c01908627494af508b42df47723dd3761819eb6a

                                                                                                                                                                      SHA256

                                                                                                                                                                      ac5a19ff1c63a954ffb01b424dc0acd201466df4a23da33602518cfe11d63860

                                                                                                                                                                      SHA512

                                                                                                                                                                      3dde090300589475d84d332eab3e5345a4b4c88da6762ccb022cb2f47e9627b5deee2e6a0b8249d336046288497bdc8ccf772cce22a734dfe213fec03880b98c

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                      Filesize

                                                                                                                                                                      1KB

                                                                                                                                                                      MD5

                                                                                                                                                                      13e75a3f969f37dc72fd4852bdc7083c

                                                                                                                                                                      SHA1

                                                                                                                                                                      7dddedb04f386a47666202ca6597d90a2a04aad1

                                                                                                                                                                      SHA256

                                                                                                                                                                      f6c41d71efdb8e40b75efeeb26cfa0ad2789082baf128aee3a5dca26409077cf

                                                                                                                                                                      SHA512

                                                                                                                                                                      b92b49d957a2726b5001d515495a74f175965212da6c54d5fe6e4d35d8d5f6e38eccd3501dba1b26ac67ff86ffd9ceb1a34a6e0402417fd7583eca47a57dbd07

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                      Filesize

                                                                                                                                                                      1KB

                                                                                                                                                                      MD5

                                                                                                                                                                      670e69aa9fdf67a75bf6c38af5a59ddb

                                                                                                                                                                      SHA1

                                                                                                                                                                      a7862c8ae8f35374bdd34eb700d84f3e9e26c0e2

                                                                                                                                                                      SHA256

                                                                                                                                                                      7207081544c89f93b82ff93a4249221645b6786d77e0266535c385a8dd5bc005

                                                                                                                                                                      SHA512

                                                                                                                                                                      301e8c22632663ea0dda89d8e010b73649f08a9ba1ade133a5f6c4fe79aab283bc3d1fd591c1eca45676d373b8eea32d63c9db96b4efd31c2aafc97c402370ba

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ApplicationFrameHost.exe
                                                                                                                                                                      Filesize

                                                                                                                                                                      73KB

                                                                                                                                                                      MD5

                                                                                                                                                                      9b04a3478e72178a7ca603998121546b

                                                                                                                                                                      SHA1

                                                                                                                                                                      8416891bcd883622f3a6fc40bbcb93e146891374

                                                                                                                                                                      SHA256

                                                                                                                                                                      42c1991170efec389181d034887dbcc66897fb8e9828e51b1c80d95539b4d724

                                                                                                                                                                      SHA512

                                                                                                                                                                      1452a0f58982ca0b5a796258f24c134d17ee0ae3a151d84e2363a1b1ff151d305c50ae455d3eb06dd0d80abdd82a5999f9eb8f98519dd6511eb4c452bfc24c71

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\IAStorDataMgrSvc.exe
                                                                                                                                                                      Filesize

                                                                                                                                                                      62KB

                                                                                                                                                                      MD5

                                                                                                                                                                      d3bf4efbd73b5676b4930957fd137c78

                                                                                                                                                                      SHA1

                                                                                                                                                                      ee088c1ad537b5a4ac8daa25b00aaa1312fe2b11

                                                                                                                                                                      SHA256

                                                                                                                                                                      7d8033ddef68563d9fbdc9b5e5c030a39cc7e8b1828508330603931486176e13

                                                                                                                                                                      SHA512

                                                                                                                                                                      f7132900390f99e424cbfcfab424de943b52c03e416c582f6aa892ebc9a95e8673054e06d2692a8162e5da22856fbcb6f694dc066c9fd10ae9c8e9303166ed05

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\LN.exe
                                                                                                                                                                      Filesize

                                                                                                                                                                      5.1MB

                                                                                                                                                                      MD5

                                                                                                                                                                      05d7d9a925f13945bbc1a724da0158e8

                                                                                                                                                                      SHA1

                                                                                                                                                                      60514a63bd200e29783b5e867f305033de74ac55

                                                                                                                                                                      SHA256

                                                                                                                                                                      a6c2cefa5d79f3893bd35d7bde504390f7062e5e2db4e537a0d83085505ccf25

                                                                                                                                                                      SHA512

                                                                                                                                                                      033117f6ab66536e1b2f8fab9beaa003c347b539f5977c3cf85bb1f64d8e8a5a80e32e6ff95dc42564567f8c94dbb197853b648700627eeb7fcd13346979d415

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\L.exe
                                                                                                                                                                      Filesize

                                                                                                                                                                      4.9MB

                                                                                                                                                                      MD5

                                                                                                                                                                      7aeb396714a0916f251b77ba31324422

                                                                                                                                                                      SHA1

                                                                                                                                                                      516146e2d5868a7f5f19908c1e372de803146a17

                                                                                                                                                                      SHA256

                                                                                                                                                                      cbe2fbc428b3d679ac504eaea682d4161c251924830503760a79228d299cc412

                                                                                                                                                                      SHA512

                                                                                                                                                                      cfae8c64c1ed50c642f38c5a20be338bb3319408d2c57b8c4473c496e8be04e25a4534184d21a64542f2b8bf18a46ed2d1d8dda4a7d7a39a79584905684e9891

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.bat
                                                                                                                                                                      Filesize

                                                                                                                                                                      37B

                                                                                                                                                                      MD5

                                                                                                                                                                      8b37f03071282c420f86e7e35381e306

                                                                                                                                                                      SHA1

                                                                                                                                                                      f1dd4f06e1955f83423dcdaf78496d9588e62c86

                                                                                                                                                                      SHA256

                                                                                                                                                                      6b6102de698a0010cd512b4875b1ae8a7d1522ef2ebe32b41acd682926e6c752

                                                                                                                                                                      SHA512

                                                                                                                                                                      7d01e05a5697ca684700f7395048bfe842a0059f6bd8db82f9b9060a924bd9d17b1c27209e01de92acfc7d012e81b87ec20a744c05ab89bc29e55762429f7577

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\RarSFX2\exp.exe
                                                                                                                                                                      Filesize

                                                                                                                                                                      3.6MB

                                                                                                                                                                      MD5

                                                                                                                                                                      07244908a5e27d09bb5865611126e417

                                                                                                                                                                      SHA1

                                                                                                                                                                      f8157b3373ab2a2b763b9778f9a42a906b1d1c86

                                                                                                                                                                      SHA256

                                                                                                                                                                      b7a97bcb6a4a7d6df4b152f3cc117004d1f4b692b84f0a3869eaf1a087e10d27

                                                                                                                                                                      SHA512

                                                                                                                                                                      97be32b64aa0067b9a04ce5bb8d26b1bf81617aafc949125b7fa4ca0d762638bb0fb2627c312027548c47d3e987b638c9cc7026934e91747bdbd92a7ecb67963

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\RarSFX2\temp.exe
                                                                                                                                                                      Filesize

                                                                                                                                                                      4.8MB

                                                                                                                                                                      MD5

                                                                                                                                                                      e7c896a9973dc414e75d1fc4c602090b

                                                                                                                                                                      SHA1

                                                                                                                                                                      b91e0ee533dd74e08e98677503b9f6313a1f4360

                                                                                                                                                                      SHA256

                                                                                                                                                                      20ad987a53261bee97ca29546ada7c6639deb401cdf4d50d1717ae1a7d959a1c

                                                                                                                                                                      SHA512

                                                                                                                                                                      d960070bdb9fa9ac4e1336f4091409a1e8b2634ce7e0817dc1735c4be5d68c911ece9876420b0d972bc7d36c56d9e9fde0fc28bcbab85c9cee6866d2937c745b

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
                                                                                                                                                                      Filesize

                                                                                                                                                                      55KB

                                                                                                                                                                      MD5

                                                                                                                                                                      35fffdbf501a12eac2dc7d7a8ee11a25

                                                                                                                                                                      SHA1

                                                                                                                                                                      1cc39d52b436c89edb9f57460293c01ac21a533f

                                                                                                                                                                      SHA256

                                                                                                                                                                      1c316bcb2080d70abc92440baf392d237c5429bf6c5cc7e06b270a706c7587b8

                                                                                                                                                                      SHA512

                                                                                                                                                                      7698531a052a04245f8ee3fbdc2f883805b02a27a1741518ab8ea082649bf65193d34bcc00d57a89fa08d12251f13fd48c4d043de45d8c3b68ebd65833b7073a

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SMSvcHost.exe
                                                                                                                                                                      Filesize

                                                                                                                                                                      70KB

                                                                                                                                                                      MD5

                                                                                                                                                                      16aba8688e193f6eff4830ea0cb301b1

                                                                                                                                                                      SHA1

                                                                                                                                                                      bb519c2a28f71b5bcf37d78e1faa73e8069b5908

                                                                                                                                                                      SHA256

                                                                                                                                                                      c2cb03189c7b4396dd914acd11b2ea66854c2bf8238574feeae49058c765788b

                                                                                                                                                                      SHA512

                                                                                                                                                                      cfa6d1c459690b0425e9b5ae1ee526b907e57fddf520bfe7218ef2293556ad19b6feb9f954255957b165e97191e17e3be0cd61e43efc8e26becb3fb331e2057f

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jrtwpskr.ikz.ps1
                                                                                                                                                                      Filesize

                                                                                                                                                                      60B

                                                                                                                                                                      MD5

                                                                                                                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                      SHA1

                                                                                                                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                      SHA256

                                                                                                                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                      SHA512

                                                                                                                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\expl.exe
                                                                                                                                                                      Filesize

                                                                                                                                                                      3.8MB

                                                                                                                                                                      MD5

                                                                                                                                                                      0bef91c9642c825a8602b4ddca6ec2cd

                                                                                                                                                                      SHA1

                                                                                                                                                                      7a29770e305794c9406bad8cf086da5c00dba76c

                                                                                                                                                                      SHA256

                                                                                                                                                                      26bcc4d785b5f66e0a6a1f49d659cc04319078f0ab57f19ac3985118a5994d29

                                                                                                                                                                      SHA512

                                                                                                                                                                      f393c8c89456288a30b71599c1839bc0f6807a17100845bd1cb23500347e97fee6911e215bcf787c524d64c6a571d6f0f45ed69c664032d4aff9b972dcd5b394

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                                                                                                                                                      Filesize

                                                                                                                                                                      2.8MB

                                                                                                                                                                      MD5

                                                                                                                                                                      7ec52f65f5f0846958238b0930028f01

                                                                                                                                                                      SHA1

                                                                                                                                                                      3f39b4fa0008a8a6530843da5090e32480598e5f

                                                                                                                                                                      SHA256

                                                                                                                                                                      f31ebd2a2eda3fcc2ce646a60eb88e40cab6fdaafd77e7bcb44eed4f17059d58

                                                                                                                                                                      SHA512

                                                                                                                                                                      d5b966f0caf0d8cd8d2aa71ee347af9f02ccd52f54bb30ec889743ce38812b9df923bd865f2eeadbc380f0d3fdd797be3d7ace31248f2804d19b80185f902d00

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\NeverLose.exe
                                                                                                                                                                      Filesize

                                                                                                                                                                      4.6MB

                                                                                                                                                                      MD5

                                                                                                                                                                      f2ce7ad621b1960ee24da99499dfbcbf

                                                                                                                                                                      SHA1

                                                                                                                                                                      9651c3b51ac38d372fb89f7811cf5ab3371df646

                                                                                                                                                                      SHA256

                                                                                                                                                                      03dd1db1c02a1c104f8c5a9a5b0cdc176db1e97e94f072a1d36a42a307708c54

                                                                                                                                                                      SHA512

                                                                                                                                                                      5986ced2827f5f44499e13fdf0a6751dc9f10fd39d1abe7dbd21da7142cddd8c24b07b882fff92e5cbda65b9036c4dad2ea0e852c34314b127b0e866f00afdea

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\r.bat
                                                                                                                                                                      Filesize

                                                                                                                                                                      246B

                                                                                                                                                                      MD5

                                                                                                                                                                      84ec86467bb98d03b8ef15a45c4dc585

                                                                                                                                                                      SHA1

                                                                                                                                                                      97c180624264102e1e63ef0a56e876ae1554cb35

                                                                                                                                                                      SHA256

                                                                                                                                                                      fed238459de4fc6387c44c7781ec28f36595dfc3dea361b0997e5699a139dbf1

                                                                                                                                                                      SHA512

                                                                                                                                                                      e56b3fe53fb49f6e3b7cc4f39c9b56e67d21d0fd0fd9b464ec9ddbdce35a4c1efbacd177a0f1af486c4df8ed0ec707a7bf3ca6bb44a86194c166de8d93098da1

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApplicationFrameHost.lnk
                                                                                                                                                                      Filesize

                                                                                                                                                                      737B

                                                                                                                                                                      MD5

                                                                                                                                                                      1d55a06a9abe6672e04ea6d5da5b2049

                                                                                                                                                                      SHA1

                                                                                                                                                                      d2d9a7f454c70791f3c61279590f5a7d1b320e71

                                                                                                                                                                      SHA256

                                                                                                                                                                      a2072e17933e299f48bd1591873f028a17a0cd9272ea52ebebd245ece6480953

                                                                                                                                                                      SHA512

                                                                                                                                                                      8331c2157e41592050e0cbc07d47c1db200f87eba2a6371cef7cfec85b5870eb43abe0b7063a016b589156028f6c03c704eff3856753fd06b964dfefb30ca40b

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IAStorDataMgrSvc.lnk
                                                                                                                                                                      Filesize

                                                                                                                                                                      717B

                                                                                                                                                                      MD5

                                                                                                                                                                      46d648839d6805ada1171f78fb4e6546

                                                                                                                                                                      SHA1

                                                                                                                                                                      e7bfd513e1c74e868e4a9b130669a1ce223fff72

                                                                                                                                                                      SHA256

                                                                                                                                                                      4d124380570dfb15d80db26e4a3ea0d8cd0b1e79c3cab5337ebf009e3732c52a

                                                                                                                                                                      SHA512

                                                                                                                                                                      5dd16cbb9145a09911c4b8050658b009f25ed971a9a0e02e8a688e4cf51f0126bb352e76f1096433104f90fb2793199907edaf7de90e1174e8720711f2d82e5f

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek HD Audio Universal Service.lnk
                                                                                                                                                                      Filesize

                                                                                                                                                                      807B

                                                                                                                                                                      MD5

                                                                                                                                                                      0e922eb70bbd82f3591a41aa377d7841

                                                                                                                                                                      SHA1

                                                                                                                                                                      16eb3cb699483d67b938f4eb595277af6f41e62d

                                                                                                                                                                      SHA256

                                                                                                                                                                      de23ecd8e38118697624ab644b7812b4fff9c1949d567e33a60c3e696096b7d5

                                                                                                                                                                      SHA512

                                                                                                                                                                      70927371106e43a084bd35642db9b7a32d83079ddb7d0d8a0b4d437619f81e6e5287d80fcbbe462e4a0dfbaae5f9acf84da5e289d96f35876b476547db874d9a

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SMSvcHost.lnk
                                                                                                                                                                      Filesize

                                                                                                                                                                      682B

                                                                                                                                                                      MD5

                                                                                                                                                                      5a8d62493a0b20c81f0e7ad293e948bb

                                                                                                                                                                      SHA1

                                                                                                                                                                      c254ad04861bf5043d80b9e1f6c131a2b240e1fb

                                                                                                                                                                      SHA256

                                                                                                                                                                      caac92ffba688199c4ec290f957219b3587376f9bf4d38556316dc7bbea29a58

                                                                                                                                                                      SHA512

                                                                                                                                                                      047a65959cb523e1befcfd995e96e98c80c24543add00b4311912ba9cf1f72d553e8e61acf6419d791529a2989b9d04c9a917579353b50d94aaaa12246cb8201

                                                                                                                                                                      Download Submit

                                                                                                                                                                    • memory/404-628-0x00000201A9FC0000-0x00000201A9FEB000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/404-629-0x00007FFE04890000-0x00007FFE048A0000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      64KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/460-462-0x00000257FAC50000-0x00000257FAC72000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      136KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/632-605-0x0000020C544E0000-0x0000020C54504000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      144KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/632-607-0x00007FFE04890000-0x00007FFE048A0000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      64KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/632-606-0x0000020C54510000-0x0000020C5453B000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/684-611-0x00007FFE04890000-0x00007FFE048A0000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      64KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/684-610-0x0000015F5BB40000-0x0000015F5BB6B000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/752-632-0x00007FFE04890000-0x00007FFE048A0000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      64KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/752-631-0x00000207803A0000-0x00000207803CB000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/764-640-0x000001E7206B0000-0x000001E7206DB000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/764-641-0x00007FFE04890000-0x00007FFE048A0000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      64KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/964-614-0x000002C954DD0000-0x000002C954DFB000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/964-615-0x00007FFE04890000-0x00007FFE048A0000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      64KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/972-82-0x0000000000400000-0x000000000095D000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      5.4MB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/972-96-0x0000000000400000-0x000000000095D000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      5.4MB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/1000-621-0x000001EEBC8E0000-0x000001EEBC90B000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/1000-622-0x00007FFE04890000-0x00007FFE048A0000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      64KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/1108-1000-0x000001DC6FC90000-0x000001DC6FC9A000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      40KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/1108-999-0x000001DC6FBD0000-0x000001DC6FC85000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      724KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/1108-998-0x000001DC6FBB0000-0x000001DC6FBCC000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      112KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/1136-635-0x00007FFE04890000-0x00007FFE048A0000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      64KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/1136-634-0x000002413E630000-0x000002413E65B000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/1160-436-0x0000000000490000-0x00000000004A8000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      96KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/1180-638-0x00007FFE04890000-0x00007FFE048A0000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      64KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/1180-637-0x0000021ADFBA0000-0x0000021ADFBCB000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/1260-644-0x00007FFE04890000-0x00007FFE048A0000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      64KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/1260-643-0x000001FB406E0000-0x000001FB4070B000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/2064-113-0x0000000000400000-0x0000000000868000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      4.4MB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/2064-451-0x0000000000400000-0x0000000000868000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      4.4MB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/2528-372-0x0000000000EA0000-0x0000000000EB8000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      96KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/2536-590-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/2536-596-0x00007FFE44810000-0x00007FFE44A08000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      2.0MB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/2536-592-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/2536-595-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/2536-593-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/2536-601-0x00007FFE42F40000-0x00007FFE42FFD000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      756KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/2536-591-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/2536-602-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      172KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/3188-452-0x0000000000660000-0x0000000000674000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      80KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/4684-371-0x0000000000340000-0x0000000000356000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      88KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/4960-18-0x000001A486F00000-0x000001A486F01000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      4KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/4960-19-0x000001A486F00000-0x000001A486F01000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      4KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/4960-20-0x000001A486F00000-0x000001A486F01000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      4KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/4960-21-0x000001A486F00000-0x000001A486F01000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      4KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/4960-22-0x000001A486F00000-0x000001A486F01000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      4KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/4960-23-0x000001A486F00000-0x000001A486F01000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      4KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/4960-24-0x000001A486F00000-0x000001A486F01000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      4KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/4960-12-0x000001A486F00000-0x000001A486F01000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      4KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/4960-14-0x000001A486F00000-0x000001A486F01000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      4KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/4960-13-0x000001A486F00000-0x000001A486F01000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      4KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/5876-1365-0x0000000000790000-0x00000000007A8000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      96KB

                                                                                                                                                                      Download

                                                                                                                                                                    • memory/6084-1373-0x0000000000E40000-0x0000000000E58000-memory.dmp

                                                                                                                                                                      Filesize

                                                                                                                                                                      96KB

                                                                                                                                                                      Download