dcrat | 15d52af7136fdbacb8a7bf940ec32002def496c51f9bd5a7736faf05e6202e98

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15d52af7136fdbacb8a7bf940ec32002def496c51f9bd5a7736faf05e6202e98.exe
Size

1.3MB
MD5

56e845f819027110c70429ea4c1cdfe8
SHA1

169becc4f2b679afae7dab0adc6420496525cf1d
SHA256

15d52af7136fdbacb8a7bf940ec32002def496c51f9bd5a7736faf05e6202e98
SHA512

59631694d7f1b80e484fc8201d3ed6bd02d3dbe38b3fcaf01dd42468571316027407d26a54913d7d6b73bbdc720f34844585dfaf639ad536496d4b81adc4b55f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5204	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5252	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5292	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5380	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5400	3932	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5432	3932	schtasks.exe	31

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000022e14-137.dat	dcrat
behavioral1/files/0x0006000000022e14-138.dat	dcrat
behavioral1/memory/1600-139-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/files/0x0006000000022e14-145.dat	dcrat
behavioral1/files/0x0006000000022e14-177.dat	dcrat
behavioral1/files/0x0006000000022e14-268.dat	dcrat
behavioral1/files/0x000b000000022e6a-343.dat	dcrat
behavioral1/files/0x000b000000022e6a-342.dat	dcrat
behavioral1/files/0x000b000000022e6a-350.dat	dcrat
behavioral1/files/0x000b000000022e6a-358.dat	dcrat
behavioral1/files/0x000b000000022e6a-364.dat	dcrat

Executes dropped EXE 14 IoCs

pid	Process
1600	DllCommonsvc.exe
4588	DllCommonsvc.exe
2716	DllCommonsvc.exe
4976	DllCommonsvc.exe
3456	WmiPrvSE.exe
4364	WmiPrvSE.exe
1100	WmiPrvSE.exe
1424	WmiPrvSE.exe
3720	WmiPrvSE.exe
6008	WmiPrvSE.exe
4400	WmiPrvSE.exe
2760	WmiPrvSE.exe
4992	WmiPrvSE.exe
5524	WmiPrvSE.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	15d52af7136fdbacb8a7bf940ec32002def496c51f9bd5a7736faf05e6202e98.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\1f93f77a7f4778	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Policies\088424020bedd6	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\de-DE\powershell.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Google\Policies\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\MoUsoCoreWorker.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Skins\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Skins\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Policies\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\ModifiableWindowsApps\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\de-DE\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9	DllCommonsvc.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\ImmersiveControlPanel\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\AppReadiness\9e8d7a4ca61bd9	DllCommonsvc.exe
File opened for modification	C:\Windows\Provisioning\Cosa\Microsoft\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\ImmersiveControlPanel\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\en-US\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\PrintDialog\Assets\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\Provisioning\Cosa\Microsoft\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\Provisioning\Cosa\Microsoft\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Windows\Fonts\088424020bedd6	DllCommonsvc.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\PrintDialog\Assets\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Windows\en-US\services.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\en-US\services.exe	DllCommonsvc.exe
File created	C:\Windows\AppReadiness\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\SppExtComObj.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2848	schtasks.exe
3160	schtasks.exe
5252	schtasks.exe
5400	schtasks.exe
2144	schtasks.exe
5228	schtasks.exe
4488	schtasks.exe
5564	schtasks.exe
1656	schtasks.exe
1480	schtasks.exe
1608	schtasks.exe
5580	schtasks.exe
3720	schtasks.exe
4024	schtasks.exe
3116	schtasks.exe
4832	schtasks.exe
3636	schtasks.exe
5348	schtasks.exe
744	schtasks.exe
3380	schtasks.exe
3584	schtasks.exe
5204	schtasks.exe
5812	schtasks.exe
2844	schtasks.exe
2760	schtasks.exe
4668	schtasks.exe
5820	schtasks.exe
3368	schtasks.exe
2532	schtasks.exe
364	schtasks.exe
1824	schtasks.exe
1680	schtasks.exe
2036	schtasks.exe
1144	schtasks.exe
4480	schtasks.exe
4316	schtasks.exe
4968	schtasks.exe
4660	schtasks.exe
5516	schtasks.exe
3036	schtasks.exe
3212	schtasks.exe
2668	schtasks.exe
5464	schtasks.exe
4020	schtasks.exe
5672	schtasks.exe
4736	schtasks.exe
5044	schtasks.exe
5724	schtasks.exe
4348	schtasks.exe
4936	schtasks.exe
1776	schtasks.exe
4248	schtasks.exe
3540	schtasks.exe
760	schtasks.exe
5184	schtasks.exe
5392	schtasks.exe
2176	schtasks.exe
4144	schtasks.exe
5928	schtasks.exe
5456	schtasks.exe
4268	schtasks.exe
1912	schtasks.exe
1008	schtasks.exe
4288	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	15d52af7136fdbacb8a7bf940ec32002def496c51f9bd5a7736faf05e6202e98.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	WmiPrvSE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1600	DllCommonsvc.exe
4732	powershell.exe
4652	powershell.exe
4476	powershell.exe
4732	powershell.exe
4652	powershell.exe
4476	powershell.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4212	powershell.exe
4212	powershell.exe
2492	powershell.exe
2492	powershell.exe
4332	Conhost.exe
4332	Conhost.exe
4736	schtasks.exe
4736	schtasks.exe
4900	powershell.exe
4900	powershell.exe
1724	powershell.exe
1724	powershell.exe
4344	powershell.exe
4344	powershell.exe
4628	powershell.exe
4628	powershell.exe
4376	schtasks.exe
4376	schtasks.exe
4636	powershell.exe
4636	powershell.exe
1676	powershell.exe
1676	powershell.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	DllCommonsvc.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	4588	DllCommonsvc.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	4332	Conhost.exe
Token: SeDebugPrivilege	4736	schtasks.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	4376	schtasks.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2716	DllCommonsvc.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	5868	powershell.exe
Token: SeDebugPrivilege	5888	powershell.exe
Token: SeDebugPrivilege	5908	powershell.exe
Token: SeDebugPrivilege	5964	powershell.exe
Token: SeDebugPrivilege	6020	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	5480	powershell.exe
Token: SeDebugPrivilege	5220	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	4976	DllCommonsvc.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	5428	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	6008	powershell.exe
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	5864	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	5732	powershell.exe
Token: SeDebugPrivilege	5924	powershell.exe
Token: SeDebugPrivilege	5160	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	3456	WmiPrvSE.exe
Token: SeDebugPrivilege	4364	WmiPrvSE.exe
Token: SeDebugPrivilege	1100	WmiPrvSE.exe
Token: SeDebugPrivilege	1424	WmiPrvSE.exe
Token: SeDebugPrivilege	3720	WmiPrvSE.exe
Token: SeDebugPrivilege	6008	WmiPrvSE.exe
Token: SeDebugPrivilege	4400	WmiPrvSE.exe
Token: SeDebugPrivilege	2760	WmiPrvSE.exe
Token: SeDebugPrivilege	4992	WmiPrvSE.exe
Token: SeDebugPrivilege	5524	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 888	5020	15d52af7136fdbacb8a7bf940ec32002def496c51f9bd5a7736faf05e6202e98.exe	80
PID 5020 wrote to memory of 888	5020	15d52af7136fdbacb8a7bf940ec32002def496c51f9bd5a7736faf05e6202e98.exe	80
PID 5020 wrote to memory of 888	5020	15d52af7136fdbacb8a7bf940ec32002def496c51f9bd5a7736faf05e6202e98.exe	80
PID 888 wrote to memory of 4668	888	WScript.exe	84
PID 888 wrote to memory of 4668	888	WScript.exe	84
PID 888 wrote to memory of 4668	888	WScript.exe	84
PID 4668 wrote to memory of 1600	4668	cmd.exe	86
PID 4668 wrote to memory of 1600	4668	cmd.exe	86
PID 1600 wrote to memory of 4476	1600	DllCommonsvc.exe	93
PID 1600 wrote to memory of 4476	1600	DllCommonsvc.exe	93
PID 1600 wrote to memory of 4732	1600	DllCommonsvc.exe	94
PID 1600 wrote to memory of 4732	1600	DllCommonsvc.exe	94
PID 1600 wrote to memory of 4652	1600	DllCommonsvc.exe	97
PID 1600 wrote to memory of 4652	1600	DllCommonsvc.exe	97
PID 1600 wrote to memory of 4588	1600	DllCommonsvc.exe	99
PID 1600 wrote to memory of 4588	1600	DllCommonsvc.exe	99
PID 4588 wrote to memory of 4212	4588	DllCommonsvc.exe	193
PID 4588 wrote to memory of 4212	4588	DllCommonsvc.exe	193
PID 4588 wrote to memory of 2492	4588	DllCommonsvc.exe	192
PID 4588 wrote to memory of 2492	4588	DllCommonsvc.exe	192
PID 4588 wrote to memory of 4332	4588	DllCommonsvc.exe	211
PID 4588 wrote to memory of 4332	4588	DllCommonsvc.exe	211
PID 4588 wrote to memory of 4900	4588	DllCommonsvc.exe	182
PID 4588 wrote to memory of 4900	4588	DllCommonsvc.exe	182
PID 4588 wrote to memory of 4736	4588	DllCommonsvc.exe	247
PID 4588 wrote to memory of 4736	4588	DllCommonsvc.exe	247
PID 4588 wrote to memory of 1724	4588	DllCommonsvc.exe	171
PID 4588 wrote to memory of 1724	4588	DllCommonsvc.exe	171
PID 4588 wrote to memory of 4628	4588	DllCommonsvc.exe	146
PID 4588 wrote to memory of 4628	4588	DllCommonsvc.exe	146
PID 4588 wrote to memory of 4344	4588	DllCommonsvc.exe	148
PID 4588 wrote to memory of 4344	4588	DllCommonsvc.exe	148
PID 4588 wrote to memory of 4376	4588	DllCommonsvc.exe	232
PID 4588 wrote to memory of 4376	4588	DllCommonsvc.exe	232
PID 4588 wrote to memory of 4636	4588	DllCommonsvc.exe	152
PID 4588 wrote to memory of 4636	4588	DllCommonsvc.exe	152
PID 4588 wrote to memory of 1676	4588	DllCommonsvc.exe	168
PID 4588 wrote to memory of 1676	4588	DllCommonsvc.exe	168
PID 4588 wrote to memory of 1892	4588	DllCommonsvc.exe	154
PID 4588 wrote to memory of 1892	4588	DllCommonsvc.exe	154
PID 4588 wrote to memory of 3468	4588	DllCommonsvc.exe	163
PID 4588 wrote to memory of 3468	4588	DllCommonsvc.exe	163
PID 4588 wrote to memory of 2404	4588	DllCommonsvc.exe	162
PID 4588 wrote to memory of 2404	4588	DllCommonsvc.exe	162
PID 4588 wrote to memory of 3640	4588	DllCommonsvc.exe	156
PID 4588 wrote to memory of 3640	4588	DllCommonsvc.exe	156
PID 4588 wrote to memory of 4300	4588	DllCommonsvc.exe	159
PID 4588 wrote to memory of 4300	4588	DllCommonsvc.exe	159
PID 4588 wrote to memory of 2716	4588	DllCommonsvc.exe	164
PID 4588 wrote to memory of 2716	4588	DllCommonsvc.exe	164
PID 2716 wrote to memory of 5868	2716	DllCommonsvc.exe	223
PID 2716 wrote to memory of 5868	2716	DllCommonsvc.exe	223
PID 2716 wrote to memory of 5888	2716	DllCommonsvc.exe	203
PID 2716 wrote to memory of 5888	2716	DllCommonsvc.exe	203
PID 2716 wrote to memory of 5908	2716	DllCommonsvc.exe	221
PID 2716 wrote to memory of 5908	2716	DllCommonsvc.exe	221
PID 2716 wrote to memory of 5964	2716	DllCommonsvc.exe	218
PID 2716 wrote to memory of 5964	2716	DllCommonsvc.exe	218
PID 2716 wrote to memory of 6020	2716	DllCommonsvc.exe	204
PID 2716 wrote to memory of 6020	2716	DllCommonsvc.exe	204
PID 2716 wrote to memory of 3984	2716	DllCommonsvc.exe	215
PID 2716 wrote to memory of 3984	2716	DllCommonsvc.exe	215
PID 2716 wrote to memory of 5220	2716	DllCommonsvc.exe	213
PID 2716 wrote to memory of 5220	2716	DllCommonsvc.exe	213

C:\Users\Admin\AppData\Local\Temp\15d52af7136fdbacb8a7bf940ec32002def496c51f9bd5a7736faf05e6202e98.exe
"C:\Users\Admin\AppData\Local\Temp\15d52af7136fdbacb8a7bf940ec32002def496c51f9bd5a7736faf05e6202e98.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ImmersiveControlPanel\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Registry.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\conhost.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Policies\conhost.exe'
        6⤵
        
        PID:4376
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\System.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\RuntimeBroker.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\powershell.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Policies\conhost.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\Assets\DllCommonsvc.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\explorer.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Cosa\Microsoft\OfficeClickToRun.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\powershell.exe'
        7⤵
        
        PID:228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Skins\RuntimeBroker.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PZonBuOgLu.bat"
        7⤵
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1104
        
        C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\upfc.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NYaKyDQTIv.bat"
        9⤵
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5116
        
        C:\Program Files\Windows Portable Devices\WmiPrvSE.exe
        
        "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BGyPdaK1JU.bat"
        11⤵
        
        PID:3504
        
        C:\Program Files\Windows Portable Devices\WmiPrvSE.exe
        
        "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat"
        13⤵
        
        PID:3980
        
        C:\Program Files\Windows Portable Devices\WmiPrvSE.exe
        
        "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat"
        15⤵
        
        PID:6072
        
        C:\Program Files\Windows Portable Devices\WmiPrvSE.exe
        
        "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
        17⤵
        
        PID:3920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:836
        
        C:\Program Files\Windows Portable Devices\WmiPrvSE.exe
        
        "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
        19⤵
        
        PID:5264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4056
        
        C:\Program Files\Windows Portable Devices\WmiPrvSE.exe
        
        "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat"
        21⤵
        
        PID:5868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1248
        
        C:\Program Files\Windows Portable Devices\WmiPrvSE.exe
        
        "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
        23⤵
        
        PID:3336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4272
        
        C:\Program Files\Windows Portable Devices\WmiPrvSE.exe
        
        "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"
        25⤵
        
        PID:6040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:5676
        
        C:\Program Files\Windows Portable Devices\WmiPrvSE.exe
        
        "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        27⤵
        
        PID:5124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:5976
        
        C:\Program Files\Windows Portable Devices\WmiPrvSE.exe
        
        "C:\Program Files\Windows Portable Devices\WmiPrvSE.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\StartMenuExperienceHost.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\db\lib\csrss.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\3D Objects\sppsvc.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\MoUsoCoreWorker.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\SppExtComObj.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\DllCommonsvc.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\conhost.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\MoUsoCoreWorker.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5868
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\upfc.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\conhost.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        
        PID:4736
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\RuntimeBroker.exe'
        6⤵
        
        PID:4332
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\services.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\ImmersiveControlPanel\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\ImmersiveControlPanel\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Policies\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Policies\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\AppReadiness\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Security\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\Assets\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\PrintDialog\Assets\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Policies\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\de-DE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\de-DE\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\PrintDialog\Assets\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Policies\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Cosa\Microsoft\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\Provisioning\Cosa\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\conhost.exe'" /f
1⤵
PID:5568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Fonts\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\conhost.exe'" /rl HIGHEST /f
1⤵
PID:5616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Skins\RuntimeBroker.exe'" /f
1⤵
PID:5640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\powershell.exe'" /f
1⤵
PID:5780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Skins\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\powershell.exe'" /rl HIGHEST /f
1⤵
PID:5828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Public\Desktop\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:5720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\DllCommonsvc.exe'" /f
1⤵
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Cookies\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\SppExtComObj.exe'" /f
1⤵
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:5152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\odt\MoUsoCoreWorker.exe'" /f
1⤵
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\3D Objects\sppsvc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:5636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:5848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
PID:5748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
PID:5328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\upfc.exe'" /rl HIGHEST /f
1⤵
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Recent\upfc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\upfc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
PID:5900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
PID:5532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe'" /f
1⤵
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.8.0_66\db\lib\csrss.exe'" /rl HIGHEST /f
1⤵
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\db\lib\csrss.exe'" /rl HIGHEST /f
1⤵
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.8.0_66\db\lib\csrss.exe'" /f
1⤵
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
PID:5728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\3D Objects\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:5780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Cursors\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
PID:3980
- C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  2⤵
  PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4340

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Portable Devices\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Windows Portable Devices\WmiPrvSE.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fa3eac4adfddf34e33be071340710084

SHA1
0d592941646e76f981ecc63309e355f79e7b3523

SHA256
2a2c2fc24de43ce0603ccaa94beed45d032d5c985cb2791b77d15998b3cbd937

SHA512
93cf25dcdceed1ae69f035478e39b22fa08b43d142a91c190a4ebff49a08ae55a2e4727f8940c30b0011e130c943a159e91c5c231a8365d8381c104e5a96369b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fa3eac4adfddf34e33be071340710084

SHA1
0d592941646e76f981ecc63309e355f79e7b3523

SHA256
2a2c2fc24de43ce0603ccaa94beed45d032d5c985cb2791b77d15998b3cbd937

SHA512
93cf25dcdceed1ae69f035478e39b22fa08b43d142a91c190a4ebff49a08ae55a2e4727f8940c30b0011e130c943a159e91c5c231a8365d8381c104e5a96369b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d47e29ddad1b8a1416988048556786c

SHA1
bea06b97e763d4daf6c9b54caccfa6947f26a877

SHA256
e2434a634ee5762a2356dc5708e5f1e330d107b89d151352832ed0ccfb6ec915

SHA512
284a0cf7fa6a9b3d9dfb152d1d626d0b86fac1f6c30f6d9ff47d8108f06eee08e6bcdff08f891dbcf47bc3141e5745c3974148cb70dd71f1dadbb6fecd6efe94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bbca7cb8af79a54314105f0d8db66ea2

SHA1
dce2f527431de2d30fd766dd3b26109f1a1fecd0

SHA256
23938467f280be0183144dac7dc3205ff9491620d69bbd0e8b0ad9b5887f2a72

SHA512
bd53acfb9315c24ecd3a2ec37aafb9b1d9e996c04be51df12c79b4b3624ba892e90101e28e4baf9db89a05ce7f4e2643ddb3cf198e6f1471a744cc17ffde61eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d47e29ddad1b8a1416988048556786c

SHA1
bea06b97e763d4daf6c9b54caccfa6947f26a877

SHA256
e2434a634ee5762a2356dc5708e5f1e330d107b89d151352832ed0ccfb6ec915

SHA512
284a0cf7fa6a9b3d9dfb152d1d626d0b86fac1f6c30f6d9ff47d8108f06eee08e6bcdff08f891dbcf47bc3141e5745c3974148cb70dd71f1dadbb6fecd6efe94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8f2c81667a8cea982b7f2bb26adf2a80

SHA1
0e6a75953b151ebbfac0cccfa06f0ccb69901a43

SHA256
1c0214e371dd8694009f0505d466a82a2680ce3be9c8a3fd6bba01ce7ea4bb41

SHA512
535684a9866227ed79656e5efaea73276fd1e09c6f03afff5cbb487a08e9204865246480977753550c76639f07c1d09c80a98787ee3d588c7526637940c4d36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8f2c81667a8cea982b7f2bb26adf2a80

SHA1
0e6a75953b151ebbfac0cccfa06f0ccb69901a43

SHA256
1c0214e371dd8694009f0505d466a82a2680ce3be9c8a3fd6bba01ce7ea4bb41

SHA512
535684a9866227ed79656e5efaea73276fd1e09c6f03afff5cbb487a08e9204865246480977753550c76639f07c1d09c80a98787ee3d588c7526637940c4d36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bbca7cb8af79a54314105f0d8db66ea2

SHA1
dce2f527431de2d30fd766dd3b26109f1a1fecd0

SHA256
23938467f280be0183144dac7dc3205ff9491620d69bbd0e8b0ad9b5887f2a72

SHA512
bd53acfb9315c24ecd3a2ec37aafb9b1d9e996c04be51df12c79b4b3624ba892e90101e28e4baf9db89a05ce7f4e2643ddb3cf198e6f1471a744cc17ffde61eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8f2c81667a8cea982b7f2bb26adf2a80

SHA1
0e6a75953b151ebbfac0cccfa06f0ccb69901a43

SHA256
1c0214e371dd8694009f0505d466a82a2680ce3be9c8a3fd6bba01ce7ea4bb41

SHA512
535684a9866227ed79656e5efaea73276fd1e09c6f03afff5cbb487a08e9204865246480977753550c76639f07c1d09c80a98787ee3d588c7526637940c4d36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8f2c81667a8cea982b7f2bb26adf2a80

SHA1
0e6a75953b151ebbfac0cccfa06f0ccb69901a43

SHA256
1c0214e371dd8694009f0505d466a82a2680ce3be9c8a3fd6bba01ce7ea4bb41

SHA512
535684a9866227ed79656e5efaea73276fd1e09c6f03afff5cbb487a08e9204865246480977753550c76639f07c1d09c80a98787ee3d588c7526637940c4d36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8f2c81667a8cea982b7f2bb26adf2a80

SHA1
0e6a75953b151ebbfac0cccfa06f0ccb69901a43

SHA256
1c0214e371dd8694009f0505d466a82a2680ce3be9c8a3fd6bba01ce7ea4bb41

SHA512
535684a9866227ed79656e5efaea73276fd1e09c6f03afff5cbb487a08e9204865246480977753550c76639f07c1d09c80a98787ee3d588c7526637940c4d36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
71ba98eee81563d0558fef679318ecae

SHA1
b42de1929ae4e7d7323d47510c4dca2d6c1e344f

SHA256
434bd88728df7fd48210e2a144d794e5cd3eb8ff32eae197c47ecb76b44abe80

SHA512
e3a8f07cf0f77a66482e135080f9de774339897250e7d6c4b3bb295ffe78b4a63512bab69413e1bb6270abbaed51a48c091cf84cda5adbcddf6d0766e1cbcc5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
71ba98eee81563d0558fef679318ecae

SHA1
b42de1929ae4e7d7323d47510c4dca2d6c1e344f

SHA256
434bd88728df7fd48210e2a144d794e5cd3eb8ff32eae197c47ecb76b44abe80

SHA512
e3a8f07cf0f77a66482e135080f9de774339897250e7d6c4b3bb295ffe78b4a63512bab69413e1bb6270abbaed51a48c091cf84cda5adbcddf6d0766e1cbcc5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
71ba98eee81563d0558fef679318ecae

SHA1
b42de1929ae4e7d7323d47510c4dca2d6c1e344f

SHA256
434bd88728df7fd48210e2a144d794e5cd3eb8ff32eae197c47ecb76b44abe80

SHA512
e3a8f07cf0f77a66482e135080f9de774339897250e7d6c4b3bb295ffe78b4a63512bab69413e1bb6270abbaed51a48c091cf84cda5adbcddf6d0766e1cbcc5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e553990b19dd2934af78d3052e4842cf

SHA1
633078a30d6973c66f2822c7e1d30f2f9b9c7dd8

SHA256
39dc99ba1deee42edf3ce13e33ff98be19c91ba1336eb2df61d5ae6568770ca0

SHA512
86218c02c0639c7154b413eb75eb917e56d2e78044f908f2c07b38a4e9e002142fbc74b0d35d9636135a41f86219d5d11b849897c9408d0c5b3ebcc9e4802154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e553990b19dd2934af78d3052e4842cf

SHA1
633078a30d6973c66f2822c7e1d30f2f9b9c7dd8

SHA256
39dc99ba1deee42edf3ce13e33ff98be19c91ba1336eb2df61d5ae6568770ca0

SHA512
86218c02c0639c7154b413eb75eb917e56d2e78044f908f2c07b38a4e9e002142fbc74b0d35d9636135a41f86219d5d11b849897c9408d0c5b3ebcc9e4802154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ead2b962a7f7f6bd707b0bd7017c1adf

SHA1
8009f0878eb712c390ad04fd892d9cfc6feca995

SHA256
7dc2ca39c6b6dda4a65f81129f34ea4d7e933fbbdee3e53ff462c99362b9439f

SHA512
228e66af06653bd64cb5b18f4fcbc9a9870f3fe1af71741282eef6692342441464b9ed0925fc07729efcf337611c94e811b89664c40b86fa99cde7b54dbeb28c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ead2b962a7f7f6bd707b0bd7017c1adf

SHA1
8009f0878eb712c390ad04fd892d9cfc6feca995

SHA256
7dc2ca39c6b6dda4a65f81129f34ea4d7e933fbbdee3e53ff462c99362b9439f

SHA512
228e66af06653bd64cb5b18f4fcbc9a9870f3fe1af71741282eef6692342441464b9ed0925fc07729efcf337611c94e811b89664c40b86fa99cde7b54dbeb28c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0f6a77860cd9c5289dd6e45bbc36a982

SHA1
750d55b0d394bc5716fc3e3204975b029d3dc43b

SHA256
a8388051b43fdc7a50ee51047ef4076c4b6502a6e53befe8131efcb71aa700a4

SHA512
e4e4473383243a71d7bebffb8bf4bf449201e1aee752426044e81bdc12c3aaf284ce003a859b0ac96d5fd75063376485dc5b5ac0caad189577bf394f104cdd06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9006afb2f47b3bb7d3669c647651e29c

SHA1
cdc0d7654be8e516df2c36accd9b52eac1f00ffd

SHA256
a025443b35555d64473b1ef01194239e808c49b47c924b99b942514036901302

SHA512
f2e72bbecfa823415bd0be7a091b1272e10e11059a71baf115780aa7ce3e694d114f6642de161ccba24e2182765b8188cc6dbb804fd07e318af9e1917549841c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0f6a77860cd9c5289dd6e45bbc36a982

SHA1
750d55b0d394bc5716fc3e3204975b029d3dc43b

SHA256
a8388051b43fdc7a50ee51047ef4076c4b6502a6e53befe8131efcb71aa700a4

SHA512
e4e4473383243a71d7bebffb8bf4bf449201e1aee752426044e81bdc12c3aaf284ce003a859b0ac96d5fd75063376485dc5b5ac0caad189577bf394f104cdd06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9006afb2f47b3bb7d3669c647651e29c

SHA1
cdc0d7654be8e516df2c36accd9b52eac1f00ffd

SHA256
a025443b35555d64473b1ef01194239e808c49b47c924b99b942514036901302

SHA512
f2e72bbecfa823415bd0be7a091b1272e10e11059a71baf115780aa7ce3e694d114f6642de161ccba24e2182765b8188cc6dbb804fd07e318af9e1917549841c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9006afb2f47b3bb7d3669c647651e29c

SHA1
cdc0d7654be8e516df2c36accd9b52eac1f00ffd

SHA256
a025443b35555d64473b1ef01194239e808c49b47c924b99b942514036901302

SHA512
f2e72bbecfa823415bd0be7a091b1272e10e11059a71baf115780aa7ce3e694d114f6642de161ccba24e2182765b8188cc6dbb804fd07e318af9e1917549841c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
07ab6cc81c5230a598c0ad1711b6bd97

SHA1
de7e270e12d447dfc5896b7c96777eb32725778a

SHA256
900aa2c83ec8773c3f9705f75b28fff0eaca57f7adb33dc82564d7ea8f8069a3

SHA512
ffef0ad0824ea0fdab29eb3c44448100f79365a1729c7665eba9aef85a88e60901bc6a6c248de15a28d21be9ce5839d68861e4449ff557d8845927c740ba3a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
07ab6cc81c5230a598c0ad1711b6bd97

SHA1
de7e270e12d447dfc5896b7c96777eb32725778a

SHA256
900aa2c83ec8773c3f9705f75b28fff0eaca57f7adb33dc82564d7ea8f8069a3

SHA512
ffef0ad0824ea0fdab29eb3c44448100f79365a1729c7665eba9aef85a88e60901bc6a6c248de15a28d21be9ce5839d68861e4449ff557d8845927c740ba3a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
89b9b22e2cb6f0b903e7f8755f49d7be

SHA1
e13b62b19dccdbacb5fec9227e34f21e34fe5cad

SHA256
17b31393e036af7d83e6ea288a0bbad0278c404f5e0698b3a28f2fa1faa99537

SHA512
f4817348aa7f297c7c81db010bc0ce09c9193c32f0f7c2b0592df0c7731921830b5a3868486f986edfd863d7d82815e67598392b94782b9d317b7066b9fb7064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
89b9b22e2cb6f0b903e7f8755f49d7be

SHA1
e13b62b19dccdbacb5fec9227e34f21e34fe5cad

SHA256
17b31393e036af7d83e6ea288a0bbad0278c404f5e0698b3a28f2fa1faa99537

SHA512
f4817348aa7f297c7c81db010bc0ce09c9193c32f0f7c2b0592df0c7731921830b5a3868486f986edfd863d7d82815e67598392b94782b9d317b7066b9fb7064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
89b9b22e2cb6f0b903e7f8755f49d7be

SHA1
e13b62b19dccdbacb5fec9227e34f21e34fe5cad

SHA256
17b31393e036af7d83e6ea288a0bbad0278c404f5e0698b3a28f2fa1faa99537

SHA512
f4817348aa7f297c7c81db010bc0ce09c9193c32f0f7c2b0592df0c7731921830b5a3868486f986edfd863d7d82815e67598392b94782b9d317b7066b9fb7064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
272dc716c99407615cc54be63824cd1e

SHA1
6aeeeee0a254473427af394b161c1020cf74ec0a

SHA256
0e772f1d15426881d1c79b319c8d52919383d1c1b861d1893a94c0e8bd472f06

SHA512
5a32034ea515f358ef4ec2e2f198fdc0dd0c5900645c4a8e8e1da7922ee19836d735ee726ce7d60b3015ab7abc10ebec2602fec24dca4f4e0798db2a7bf5aaf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4d1232d9ee7b5b363487052aeee9d0ac

SHA1
3659822fbc3bac66338fb08aa1c2ae8834e2fd13

SHA256
d7448c10b621f0a95ae3a30ca41f50da51d9ecb92fa37dc983fdec02bf63c45a

SHA512
b91b86049538b36e467e66045dccedbc72040115a67258dbe1efe1965f8bf941a5a04442fbfdcb8bf57a8c759d042f81e4dc516427843a3b0df10f7a2b3a63a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f6b5bbcd2386512d0b9af775e45d3770

SHA1
a3f6c4f46c10ce9d9b7d8a0a7b8a922dbbdd3d43

SHA256
50adabd48c94301dd4c4338e23583a702f7626abf793e6ae2eb919a18c8db999

SHA512
3775a27e3ad5a6149b88214f8bc6e45335e02af4589468ca8c140db758f152a59adf3c56361523b09c6ac2b316bd6c66886f9755a1823fc2c4468a1fad417add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f6b5bbcd2386512d0b9af775e45d3770

SHA1
a3f6c4f46c10ce9d9b7d8a0a7b8a922dbbdd3d43

SHA256
50adabd48c94301dd4c4338e23583a702f7626abf793e6ae2eb919a18c8db999

SHA512
3775a27e3ad5a6149b88214f8bc6e45335e02af4589468ca8c140db758f152a59adf3c56361523b09c6ac2b316bd6c66886f9755a1823fc2c4468a1fad417add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5772860e80a4ad209b363a064b3303d7

SHA1
18da8f9946606bb785740c6f9e24daff3e137d68

SHA256
5e889679e1805fcfacb6971b12ea331d38a58a703f2374fe1eef19f2917d8022

SHA512
207bc482178667f072617c35a84593c0d7e7cbaceed9e93e3365039f043e5f9548f65bf90e51b2dc3735ad0572a90a4271465c653a69498bbb62e472a8d85bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5772860e80a4ad209b363a064b3303d7

SHA1
18da8f9946606bb785740c6f9e24daff3e137d68

SHA256
5e889679e1805fcfacb6971b12ea331d38a58a703f2374fe1eef19f2917d8022

SHA512
207bc482178667f072617c35a84593c0d7e7cbaceed9e93e3365039f043e5f9548f65bf90e51b2dc3735ad0572a90a4271465c653a69498bbb62e472a8d85bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d5de4f2c523c725c8fca2d8d8c8d2e09

SHA1
859182503539ec282952960fa783cd3534bf6092

SHA256
98948ea2b32363221f53e54ed638e0abd0a38ca34b4f992b2200f528e276a6ce

SHA512
3f10d0b68cf8ee8ebcfaed5ff158cd006fc596ff85cb3a3e605e54f20745770be4b9e7f8b1048474e71c1b35441649b5de2f4abeacf85bdb57930a00c0b1c526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6bf2927575032d77fab2956579e56348

SHA1
55bfbdacbf4a787b232793f19eca4df667722621

SHA256
a8f97ad6d46dc8b95328e3d85c48451537b2c71855a5913f7b2f3305dab0b6f0

SHA512
7649c7f3c6d753ce6d374798f1f9e0bc6aa84fd445407bd0a0a4cfaa6f48c5d54deb0c836b39b5104c9e82922c0daa84fe824c43f84ae89860c7d1c68610decc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6bf2927575032d77fab2956579e56348

SHA1
55bfbdacbf4a787b232793f19eca4df667722621

SHA256
a8f97ad6d46dc8b95328e3d85c48451537b2c71855a5913f7b2f3305dab0b6f0

SHA512
7649c7f3c6d753ce6d374798f1f9e0bc6aa84fd445407bd0a0a4cfaa6f48c5d54deb0c836b39b5104c9e82922c0daa84fe824c43f84ae89860c7d1c68610decc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
90c68f484fa2fce5640f5534fb860dc8

SHA1
bd88b601a23b4f68e0be101a46bc51300e5be27d

SHA256
1bd2c6b50913bcd8c28b0b9247f4f8bd55821ba5ffb3591f781f4f15ca057765

SHA512
9854fb9d0db89b5eb22f31ccc63f46a6d34eb8d09d9c7a761e7e314173ca4ef19a8849c05171afb292fd3f49df98a1b225d0cbbc8806c2d82b6759064ae970c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0db76826ef1eb39b10f50c9c98411802

SHA1
88a49701de5a338400b3f5b40deb2608b413ab84

SHA256
f09445a05f2cf45e3d1d8f826bbb4fa78f1fcbf04311a5f5e8e3b7c90e1069ee

SHA512
0247c74dde74f8f1062fd2b28fc57b3bb567e42db8e594f2712fec65e045bdaf4be8c76e9b5f98af48dacdf863091ffa446dfa9583afb4a70c73809cbfa5aaa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
06ac741759229a7560289a6696924995

SHA1
e1808432385699095a0761c601437ebe3e0ec256

SHA256
d1d2ad030d1a8aee9d8147ea16c8753c946155300339c6e63803a5f7419f9e3d

SHA512
3f97e1649f3241a64f6cc0e80e9d605c36b5ab658f766066a9326b93db3703710e2bb9e2dd1398bd45a7a854533fed4475d9a61f52d9f092fcb9307853599e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGyPdaK1JU.bat

Filesize
219B

MD5
cd2ff98e621fe81fff94597cf986b7a6

SHA1
d9df1ddef308e8c3306b3f6eb267a67845bea4cc

SHA256
6f369569b3971457209306b84f150ce2aaa74afd8d2b91a22cbacf6a79bf91f6

SHA512
1dd7677d736c932eb06de741339316676ed75c7dbbdd9c998d61ab8747ad82d585078a7a80353c9a8059ee7e28b0c62a73410e042bd5cec95166e510092060c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYaKyDQTIv.bat

Filesize
219B

MD5
64bec2b90a8278d4787f792f8d3bc2b4

SHA1
c5fcb5507728631eff0c33afaa9686c5d44e3bed

SHA256
9a190766bf2d9e0d9d76047f6726ae01d904f63120b0174fe6582c36e84c8f7f

SHA512
24852f47e4f22d806d00b4f2d1b414c2978524c8fe692190210876d4605b154365d38d5e8f90155fc43250d8a72f1164cc4d7bfd838e78934c7ba848f83fca79

Download Submit
C:\Users\Admin\AppData\Local\Temp\PZonBuOgLu.bat

Filesize
199B

MD5
5f6f178cf4c60beb5509325f6cf0f9aa

SHA1
06635a3f10c98310f66e47d3310c1198b34768cf

SHA256
12603d29b6a7e02b1206b97628d54813ec1870eb068bfdfda591af742c8bdf82

SHA512
ec56d5b437ea435032ab2a28c6de30414d8a7fbb9738dc49e29608ac4f24d0aea00dadf0bf837c41b6b2d948396e6876aca5142b593d549a366657cf756d8a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

Filesize
219B

MD5
2e9661c70d391ecdcaeba4df4460acd1

SHA1
a8bf8eb99edd0b4809bf2cadee65f2a9e865208c

SHA256
02d470399f5a9744c5e4a351c3070e997aeb0995d06fe46f9d2a74399c84dcfa

SHA512
38a1e201851e4940cb2c0ac0ab509e35a5af053f4277b3558aa7f9288c2327ddbae33ca218bb8b5c6084dda234a6c167ac14da0ccb661e4ea7913022a8c4fde2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat

Filesize
219B

MD5
7a86f687d444ad388214acae0831567a

SHA1
14aa1f4330700d982b87101f455fc3fc2872bf8d

SHA256
21bf12f947a0b5831c37e24d27cf0ea2a2dfcda5b5f8611013dd26b51fbf4419

SHA512
b1b5a2ce1599a5947fbd88353c4b0527b5e42ae5c3fab04a751e39e75153920dfcb7584aa9f2b16561c7be411056e5ccaea8c15ed6ab89f5eb7c1d31c24d2c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat

Filesize
219B

MD5
a8b6449d57c7680278a35a17f9362aeb

SHA1
4b077b03b0cf50e36e4af0268bcd07913fd0998a

SHA256
9a443474fbc651bc623acc553951822698c9f3308de1865754611653060ef18d

SHA512
6f91b20bdb795c7fbe4d0817061de6cf4dd2eb2040bee5a086fc79b0590868fd4c94a09b119102c15e475766e10b093776faf2c68308f142997d8bca82c38a74

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/228-249-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/228-252-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/1600-148-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/1600-140-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/1600-139-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/1676-189-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/1676-213-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/1724-184-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/1724-210-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/1892-227-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/1892-190-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/2404-216-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/2404-200-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/2492-178-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/2492-195-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/2716-243-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/2716-192-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/3468-199-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/3468-224-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/3640-223-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/3640-191-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/3984-263-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/3984-241-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4212-175-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4212-196-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4300-198-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4300-230-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4332-181-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4332-197-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4344-185-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4344-217-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4376-187-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4376-214-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4476-158-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4476-151-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4588-152-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4588-180-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4628-186-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4628-211-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4636-188-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4636-215-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4652-147-0x00000167DB090000-0x00000167DB0B2000-memory.dmp

Filesize
136KB

Download
memory/4652-156-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4652-150-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4732-149-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4732-155-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4736-182-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4736-218-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4900-209-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/4900-183-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/5220-246-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/5220-266-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/5480-264-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/5480-248-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/5868-250-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/5868-235-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/5888-255-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/5888-236-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/5908-237-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/5908-261-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/5964-239-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/5964-262-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/6020-245-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download
memory/6020-258-0x00007FFEE8290000-0x00007FFEE8D51000-memory.dmp

Filesize
10.8MB

Download