dcrat | da56c10f40021a4207be6348e853bd8fdf00e9b0a3d12c5f15acc02f4c450cda

Analysis

max time kernel
62s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2022, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da56c10f40021a4207be6348e853bd8fdf00e9b0a3d12c5f15acc02f4c450cda.exe
Size

1.3MB
MD5

f4ab3f8180d3a51da8a4d4eb40286f7b
SHA1

3bd4afd466003caa935b4b656794e4c5c8cd6e07
SHA256

da56c10f40021a4207be6348e853bd8fdf00e9b0a3d12c5f15acc02f4c450cda
SHA512

ebcb73579133637f91e344dd3ca89e771628c1e354f57141d37ddf273c1ce9a76e52253eafbf481fa2b1a04da7e911a57135ff0e12c1883d1bbe8af8d03ef6a7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	3944	schtasks.exe	18
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	3944	schtasks.exe	18

DCRat payload 27 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000200000001e2c7-137.dat	dcrat
behavioral1/files/0x000200000001e2c7-138.dat	dcrat
behavioral1/memory/1036-139-0x0000000000500000-0x0000000000610000-memory.dmp	dcrat
behavioral1/files/0x000200000001e2c7-161.dat	dcrat
behavioral1/files/0x0006000000022e9c-218.dat	dcrat
behavioral1/files/0x0006000000022e9c-220.dat	dcrat
behavioral1/files/0x0006000000022e9c-246.dat	dcrat
behavioral1/files/0x0006000000022e9c-263.dat	dcrat
behavioral1/files/0x0006000000022e9c-260.dat	dcrat
behavioral1/files/0x0006000000022e9c-257.dat	dcrat
behavioral1/files/0x0006000000022e9c-254.dat	dcrat
behavioral1/files/0x0006000000022e9c-251.dat	dcrat
behavioral1/files/0x0006000000022e9c-248.dat	dcrat
behavioral1/files/0x0006000000022e9c-244.dat	dcrat
behavioral1/files/0x0006000000022e9c-241.dat	dcrat
behavioral1/files/0x0006000000022e9c-238.dat	dcrat
behavioral1/files/0x0006000000022e9c-234.dat	dcrat
behavioral1/files/0x0006000000022e9c-232.dat	dcrat
behavioral1/files/0x0006000000022e9c-230.dat	dcrat
behavioral1/files/0x0006000000022e9c-228.dat	dcrat
behavioral1/files/0x0006000000022e9c-226.dat	dcrat
behavioral1/files/0x0006000000022e9c-224.dat	dcrat
behavioral1/files/0x0006000000022e9c-222.dat	dcrat
behavioral1/files/0x0006000000022e9c-216.dat	dcrat
behavioral1/files/0x0006000000022e9c-215.dat	dcrat
behavioral1/files/0x0006000000022e84-285.dat	dcrat
behavioral1/files/0x0006000000022e84-284.dat	dcrat

Executes dropped EXE 23 IoCs

pid	Process
1036	DllCommonsvc.exe
5064	DllCommonsvc.exe
5904	powershell.exe
5916	powershell.exe
5952	powershell.exe
5992	powershell.exe
6060	powershell.exe
6100	powershell.exe
2704	powershell.exe
1432	powershell.exe
2400	powershell.exe
4672	powershell.exe
3024	powershell.exe
3720	powershell.exe
696	powershell.exe
1776	powershell.exe
4916	powershell.exe
368	powershell.exe
2588	powershell.exe
3476	powershell.exe
1324	powershell.exe
1192	powershell.exe
2812	conhost.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	da56c10f40021a4207be6348e853bd8fdf00e9b0a3d12c5f15acc02f4c450cda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\Registry.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\ee2ad38f3d4382	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\en-US\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\DiagTrack\Scenarios\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\DiagTrack\Scenarios\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\9e8d7a4ca61bd9	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4092	schtasks.exe
2588	schtasks.exe
4424	schtasks.exe
5596	schtasks.exe
5564	schtasks.exe
5500	schtasks.exe
5468	schtasks.exe
4884	schtasks.exe
5324	schtasks.exe
5820	schtasks.exe
5356	schtasks.exe
4788	schtasks.exe
3264	schtasks.exe
960	schtasks.exe
1480	schtasks.exe
5852	schtasks.exe
5276	schtasks.exe
5484	schtasks.exe
4276	schtasks.exe
1772	schtasks.exe
3276	schtasks.exe
5788	schtasks.exe
5628	schtasks.exe
5388	schtasks.exe
3436	schtasks.exe
2828	schtasks.exe
5772	schtasks.exe
5420	schtasks.exe
4728	schtasks.exe
3712	schtasks.exe
1496	schtasks.exe
2740	schtasks.exe
2588	schtasks.exe
4680	schtasks.exe
1272	schtasks.exe
1092	schtasks.exe
2428	schtasks.exe
5404	schtasks.exe
4612	schtasks.exe
3180	schtasks.exe
2400	schtasks.exe
3820	schtasks.exe
2332	schtasks.exe
4680	schtasks.exe
5548	schtasks.exe
5244	schtasks.exe
1588	schtasks.exe
3900	schtasks.exe
1232	schtasks.exe
2132	schtasks.exe
4292	schtasks.exe
5452	schtasks.exe
5516	schtasks.exe
5804	schtasks.exe
5868	schtasks.exe
5644	schtasks.exe
1104	schtasks.exe
3708	schtasks.exe
3180	schtasks.exe
4480	schtasks.exe
2588	schtasks.exe
3992	schtasks.exe
3728	schtasks.exe
3736	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	da56c10f40021a4207be6348e853bd8fdf00e9b0a3d12c5f15acc02f4c450cda.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
1036	DllCommonsvc.exe
364	powershell.exe
364	powershell.exe
2092	powershell.exe
2092	powershell.exe
2464	powershell.exe
2464	powershell.exe
4988	powershell.exe
4988	powershell.exe
1668	powershell.exe
1668	powershell.exe
2192	powershell.exe
2192	powershell.exe
2372	powershell.exe
2372	powershell.exe
3308	powershell.exe
3308	powershell.exe
3780	powershell.exe
3780	powershell.exe
2192	powershell.exe
5056	powershell.exe
5056	powershell.exe
4152	powershell.exe
4152	powershell.exe
1456	powershell.exe
1456	powershell.exe
4472	powershell.exe
4472	powershell.exe
4940	powershell.exe
4940	powershell.exe
4536	powershell.exe
4536	powershell.exe
1188	powershell.exe
1188	powershell.exe
4192	powershell.exe
4192	powershell.exe
5064	DllCommonsvc.exe
5064	DllCommonsvc.exe
2092	powershell.exe
2092	powershell.exe
364	powershell.exe
364	powershell.exe
2464	powershell.exe
2464	powershell.exe
4988	powershell.exe
4988	powershell.exe
2372	powershell.exe
2372	powershell.exe
1668	powershell.exe
1668	powershell.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	DllCommonsvc.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	5064	DllCommonsvc.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	5904	powershell.exe
Token: SeDebugPrivilege	5916	powershell.exe
Token: SeDebugPrivilege	5952	powershell.exe
Token: SeDebugPrivilege	5992	powershell.exe
Token: SeDebugPrivilege	6060	powershell.exe
Token: SeDebugPrivilege	6100	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	2812	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 3744	1368	da56c10f40021a4207be6348e853bd8fdf00e9b0a3d12c5f15acc02f4c450cda.exe	81
PID 1368 wrote to memory of 3744	1368	da56c10f40021a4207be6348e853bd8fdf00e9b0a3d12c5f15acc02f4c450cda.exe	81
PID 1368 wrote to memory of 3744	1368	da56c10f40021a4207be6348e853bd8fdf00e9b0a3d12c5f15acc02f4c450cda.exe	81
PID 3744 wrote to memory of 2236	3744	WScript.exe	82
PID 3744 wrote to memory of 2236	3744	WScript.exe	82
PID 3744 wrote to memory of 2236	3744	WScript.exe	82
PID 2236 wrote to memory of 1036	2236	cmd.exe	84
PID 2236 wrote to memory of 1036	2236	cmd.exe	84
PID 1036 wrote to memory of 2372	1036	DllCommonsvc.exe	133
PID 1036 wrote to memory of 2372	1036	DllCommonsvc.exe	133
PID 1036 wrote to memory of 4988	1036	DllCommonsvc.exe	134
PID 1036 wrote to memory of 4988	1036	DllCommonsvc.exe	134
PID 1036 wrote to memory of 2464	1036	DllCommonsvc.exe	135
PID 1036 wrote to memory of 2464	1036	DllCommonsvc.exe	135
PID 1036 wrote to memory of 364	1036	DllCommonsvc.exe	136
PID 1036 wrote to memory of 364	1036	DllCommonsvc.exe	136
PID 1036 wrote to memory of 2092	1036	DllCommonsvc.exe	137
PID 1036 wrote to memory of 2092	1036	DllCommonsvc.exe	137
PID 1036 wrote to memory of 2192	1036	DllCommonsvc.exe	167
PID 1036 wrote to memory of 2192	1036	DllCommonsvc.exe	167
PID 1036 wrote to memory of 1668	1036	DllCommonsvc.exe	141
PID 1036 wrote to memory of 1668	1036	DllCommonsvc.exe	141
PID 1036 wrote to memory of 3308	1036	DllCommonsvc.exe	142
PID 1036 wrote to memory of 3308	1036	DllCommonsvc.exe	142
PID 1036 wrote to memory of 3780	1036	DllCommonsvc.exe	143
PID 1036 wrote to memory of 3780	1036	DllCommonsvc.exe	143
PID 1036 wrote to memory of 1456	1036	DllCommonsvc.exe	163
PID 1036 wrote to memory of 1456	1036	DllCommonsvc.exe	163
PID 1036 wrote to memory of 5056	1036	DllCommonsvc.exe	146
PID 1036 wrote to memory of 5056	1036	DllCommonsvc.exe	146
PID 1036 wrote to memory of 4152	1036	DllCommonsvc.exe	147
PID 1036 wrote to memory of 4152	1036	DllCommonsvc.exe	147
PID 1036 wrote to memory of 4940	1036	DllCommonsvc.exe	149
PID 1036 wrote to memory of 4940	1036	DllCommonsvc.exe	149
PID 1036 wrote to memory of 4472	1036	DllCommonsvc.exe	150
PID 1036 wrote to memory of 4472	1036	DllCommonsvc.exe	150
PID 1036 wrote to memory of 4536	1036	DllCommonsvc.exe	158
PID 1036 wrote to memory of 4536	1036	DllCommonsvc.exe	158
PID 1036 wrote to memory of 1188	1036	DllCommonsvc.exe	157
PID 1036 wrote to memory of 1188	1036	DllCommonsvc.exe	157
PID 1036 wrote to memory of 4192	1036	DllCommonsvc.exe	153
PID 1036 wrote to memory of 4192	1036	DllCommonsvc.exe	153
PID 1036 wrote to memory of 5064	1036	DllCommonsvc.exe	159
PID 1036 wrote to memory of 5064	1036	DllCommonsvc.exe	159
PID 5064 wrote to memory of 5904	5064	DllCommonsvc.exe	217
PID 5064 wrote to memory of 5904	5064	DllCommonsvc.exe	217
PID 5064 wrote to memory of 5916	5064	DllCommonsvc.exe	216
PID 5064 wrote to memory of 5916	5064	DllCommonsvc.exe	216
PID 5064 wrote to memory of 5952	5064	DllCommonsvc.exe	215
PID 5064 wrote to memory of 5952	5064	DllCommonsvc.exe	215
PID 5064 wrote to memory of 5992	5064	DllCommonsvc.exe	212
PID 5064 wrote to memory of 5992	5064	DllCommonsvc.exe	212
PID 5064 wrote to memory of 6060	5064	DllCommonsvc.exe	211
PID 5064 wrote to memory of 6060	5064	DllCommonsvc.exe	211
PID 5064 wrote to memory of 6100	5064	DllCommonsvc.exe	210
PID 5064 wrote to memory of 6100	5064	DllCommonsvc.exe	210
PID 5064 wrote to memory of 2704	5064	DllCommonsvc.exe	209
PID 5064 wrote to memory of 2704	5064	DllCommonsvc.exe	209
PID 5064 wrote to memory of 1432	5064	DllCommonsvc.exe	208
PID 5064 wrote to memory of 1432	5064	DllCommonsvc.exe	208
PID 5064 wrote to memory of 2400	5064	DllCommonsvc.exe	193
PID 5064 wrote to memory of 2400	5064	DllCommonsvc.exe	193
PID 5064 wrote to memory of 4672	5064	DllCommonsvc.exe	194
PID 5064 wrote to memory of 4672	5064	DllCommonsvc.exe	194

C:\Users\Admin\AppData\Local\Temp\da56c10f40021a4207be6348e853bd8fdf00e9b0a3d12c5f15acc02f4c450cda.exe
"C:\Users\Admin\AppData\Local\Temp\da56c10f40021a4207be6348e853bd8fdf00e9b0a3d12c5f15acc02f4c450cda.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\Registry.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\afBW9UHbPq.bat"
        6⤵
        
        PID:4444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4512
        
        C:\Recovery\WindowsRE\conhost.exe
        
        "C:\Recovery\WindowsRE\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\powershell.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\RuntimeBroker.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\dllhost.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6100
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6060
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5992
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\RuntimeBroker.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5952
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\powershell.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5916
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\DiagTrack\Scenarios\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\DiagTrack\Scenarios\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Desktop\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\odt\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhostw.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\providercommon\powershell.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
PID:5884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
PID:5836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
PID:5756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
PID:5724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
PID:5696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
PID:5672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\odt\powershell.exe'" /f
1⤵
PID:5612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
PID:5580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
1⤵
PID:5532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\RuntimeBroker.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
PID:5372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:5340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
PID:5304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
PID:5292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\Registry.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:5256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /f
1⤵
PID:5164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\conhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\afBW9UHbPq.bat

Filesize
198B

MD5
d8f7ff6723c4d9caa385b15002b02915

SHA1
d58cad32314c06fdef9dff550f6569fdf384a7ad

SHA256
f5e02051a484ae3d13bbb45e583fdf6f9e574ae57bf94c8913ecb91b502196cf

SHA512
33dadbd275378e67dc2fba06c35d3dc0a7e5ba1f8fc7d9ff29220c65a32bfc719dee8c992ebdae1998c94610049f45a80a046d58f701ea30d1e23c8154991bd2

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/364-196-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/364-164-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/368-265-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/696-274-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/1036-163-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/1036-139-0x0000000000500000-0x0000000000610000-memory.dmp

Filesize
1.1MB

Download
memory/1036-140-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/1188-176-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/1188-213-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/1192-279-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/1324-278-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/1432-259-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/1456-205-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/1456-171-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/1668-167-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/1668-199-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/1776-275-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/2092-165-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/2092-157-0x0000026132470000-0x0000026132492000-memory.dmp

Filesize
136KB

Download
memory/2092-204-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/2192-166-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/2192-193-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/2372-168-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/2372-200-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/2400-262-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/2464-162-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/2464-197-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/2588-276-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/2704-286-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/2704-256-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/3024-272-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/3308-169-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/3308-195-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/3476-277-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/3720-273-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/3780-194-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/3780-170-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4152-173-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4152-202-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4192-212-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4192-177-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4472-174-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4472-201-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4536-209-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4536-178-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4672-270-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4916-264-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4940-175-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4940-207-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4988-198-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/4988-160-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/5056-172-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/5056-203-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/5064-271-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/5064-190-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/5904-235-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/5904-280-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/5916-237-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/5916-282-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/5952-281-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/5952-240-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/5992-243-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/6060-250-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download
memory/6100-253-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp

Filesize
10.8MB

Download