dcrat | 22d82c0ce9e11edaebaa4dbf351e2e9cc144060f0c2b6e42918d6485d96a5ebf

Analysis

max time kernel
146s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2022 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22d82c0ce9e11edaebaa4dbf351e2e9cc144060f0c2b6e42918d6485d96a5ebf.exe
Size

1.3MB
MD5

6e54599378ea115e63eaf4ad2484cdad
SHA1

dfb2091e633165604ca64441bcbf1ee5ef5b56d2
SHA256

22d82c0ce9e11edaebaa4dbf351e2e9cc144060f0c2b6e42918d6485d96a5ebf
SHA512

edcdc477a9d8b08a1c4c4e6362a7910e1d87373713fdc43e245a4197ffb882216cb9b731082db207f7e231ae191ef39c73d0725b02ddfb2826e1e8c0d9df82fe
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	68	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	4752	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac2e-280.dat	dcrat
behavioral1/files/0x000800000001ac2e-281.dat	dcrat
behavioral1/memory/3936-282-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/files/0x000700000001ac6d-375.dat	dcrat
behavioral1/files/0x000700000001ac6d-374.dat	dcrat
behavioral1/files/0x000700000001ac6d-916.dat	dcrat
behavioral1/files/0x000700000001ac6d-923.dat	dcrat
behavioral1/files/0x000700000001ac6d-929.dat	dcrat
behavioral1/files/0x000700000001ac6d-934.dat	dcrat
behavioral1/files/0x000700000001ac6d-939.dat	dcrat
behavioral1/files/0x000700000001ac6d-945.dat	dcrat
behavioral1/files/0x000700000001ac6d-951.dat	dcrat
behavioral1/files/0x000700000001ac6d-957.dat	dcrat
behavioral1/files/0x000700000001ac6d-962.dat	dcrat
behavioral1/files/0x000700000001ac6d-968.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
3936	DllCommonsvc.exe
776	winlogon.exe
5152	winlogon.exe
2252	winlogon.exe
5600	winlogon.exe
5936	winlogon.exe
4732	winlogon.exe
6068	winlogon.exe
6084	winlogon.exe
1048	winlogon.exe
4656	winlogon.exe
3652	winlogon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\e6c9b481da804f	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\rescache\_merged\2483382631\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\System.exe	DllCommonsvc.exe
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\INF\PERFLIB\040C\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\INF\PERFLIB\040C\e6c9b481da804f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3032	schtasks.exe
4476	schtasks.exe
4608	schtasks.exe
4380	schtasks.exe
1944	schtasks.exe
924	schtasks.exe
4900	schtasks.exe
4536	schtasks.exe
4496	schtasks.exe
416	schtasks.exe
3760	schtasks.exe
412	schtasks.exe
1284	schtasks.exe
32	schtasks.exe
2928	schtasks.exe
3368	schtasks.exe
4444	schtasks.exe
748	schtasks.exe
3156	schtasks.exe
1048	schtasks.exe
744	schtasks.exe
2220	schtasks.exe
752	schtasks.exe
4568	schtasks.exe
5020	schtasks.exe
3200	schtasks.exe
68	schtasks.exe
1260	schtasks.exe
2312	schtasks.exe
4912	schtasks.exe
3180	schtasks.exe
4584	schtasks.exe
4220	schtasks.exe
1868	schtasks.exe
4264	schtasks.exe
4580	schtasks.exe
4424	schtasks.exe
1012	schtasks.exe
4620	schtasks.exe
1572	schtasks.exe
216	schtasks.exe
4456	schtasks.exe
3136	schtasks.exe
4376	schtasks.exe
3348	schtasks.exe
2484	schtasks.exe
1948	schtasks.exe
4228	schtasks.exe
2208	schtasks.exe
2912	schtasks.exe
2508	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	22d82c0ce9e11edaebaa4dbf351e2e9cc144060f0c2b6e42918d6485d96a5ebf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3912	powershell.exe
3912	powershell.exe
2192	powershell.exe
2192	powershell.exe
3912	powershell.exe
2720	powershell.exe
2720	powershell.exe
2192	powershell.exe
2720	powershell.exe
3044	powershell.exe
3044	powershell.exe
1728	powershell.exe
1728	powershell.exe
4684	powershell.exe
4684	powershell.exe
3912	powershell.exe
4484	powershell.exe
4484	powershell.exe
340	powershell.exe
340	powershell.exe
4804	powershell.exe
4804	powershell.exe
4684	powershell.exe
4176	powershell.exe
4176	powershell.exe
352	powershell.exe
352	powershell.exe
4484	powershell.exe
2136	powershell.exe
2136	powershell.exe
2788	powershell.exe
2788	powershell.exe
1204	powershell.exe
1204	powershell.exe
4884	powershell.exe
4884	powershell.exe
2720	powershell.exe
4432	powershell.exe
4432	powershell.exe
2192	powershell.exe
4856	powershell.exe
4856	powershell.exe
1728	powershell.exe
3044	powershell.exe
4684	powershell.exe
4484	powershell.exe
776	winlogon.exe
776	winlogon.exe
340	powershell.exe
4804	powershell.exe
2788	powershell.exe
4176	powershell.exe
1204	powershell.exe
352	powershell.exe
2136	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	DllCommonsvc.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	776	winlogon.exe
Token: SeIncreaseQuotaPrivilege	3912	powershell.exe
Token: SeSecurityPrivilege	3912	powershell.exe
Token: SeTakeOwnershipPrivilege	3912	powershell.exe
Token: SeLoadDriverPrivilege	3912	powershell.exe
Token: SeSystemProfilePrivilege	3912	powershell.exe
Token: SeSystemtimePrivilege	3912	powershell.exe
Token: SeProfSingleProcessPrivilege	3912	powershell.exe
Token: SeIncBasePriorityPrivilege	3912	powershell.exe
Token: SeCreatePagefilePrivilege	3912	powershell.exe
Token: SeBackupPrivilege	3912	powershell.exe
Token: SeRestorePrivilege	3912	powershell.exe
Token: SeShutdownPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeSystemEnvironmentPrivilege	3912	powershell.exe
Token: SeRemoteShutdownPrivilege	3912	powershell.exe
Token: SeUndockPrivilege	3912	powershell.exe
Token: SeManageVolumePrivilege	3912	powershell.exe
Token: 33	3912	powershell.exe
Token: 34	3912	powershell.exe
Token: 35	3912	powershell.exe
Token: 36	3912	powershell.exe
Token: SeIncreaseQuotaPrivilege	2720	powershell.exe
Token: SeSecurityPrivilege	2720	powershell.exe
Token: SeTakeOwnershipPrivilege	2720	powershell.exe
Token: SeLoadDriverPrivilege	2720	powershell.exe
Token: SeSystemProfilePrivilege	2720	powershell.exe
Token: SeSystemtimePrivilege	2720	powershell.exe
Token: SeProfSingleProcessPrivilege	2720	powershell.exe
Token: SeIncBasePriorityPrivilege	2720	powershell.exe
Token: SeCreatePagefilePrivilege	2720	powershell.exe
Token: SeBackupPrivilege	2720	powershell.exe
Token: SeRestorePrivilege	2720	powershell.exe
Token: SeShutdownPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeSystemEnvironmentPrivilege	2720	powershell.exe
Token: SeRemoteShutdownPrivilege	2720	powershell.exe
Token: SeUndockPrivilege	2720	powershell.exe
Token: SeManageVolumePrivilege	2720	powershell.exe
Token: 33	2720	powershell.exe
Token: 34	2720	powershell.exe
Token: 35	2720	powershell.exe
Token: 36	2720	powershell.exe
Token: SeIncreaseQuotaPrivilege	2192	powershell.exe
Token: SeSecurityPrivilege	2192	powershell.exe
Token: SeTakeOwnershipPrivilege	2192	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 4768	2668	22d82c0ce9e11edaebaa4dbf351e2e9cc144060f0c2b6e42918d6485d96a5ebf.exe	66
PID 2668 wrote to memory of 4768	2668	22d82c0ce9e11edaebaa4dbf351e2e9cc144060f0c2b6e42918d6485d96a5ebf.exe	66
PID 2668 wrote to memory of 4768	2668	22d82c0ce9e11edaebaa4dbf351e2e9cc144060f0c2b6e42918d6485d96a5ebf.exe	66
PID 4768 wrote to memory of 3680	4768	WScript.exe	67
PID 4768 wrote to memory of 3680	4768	WScript.exe	67
PID 4768 wrote to memory of 3680	4768	WScript.exe	67
PID 3680 wrote to memory of 3936	3680	cmd.exe	69
PID 3680 wrote to memory of 3936	3680	cmd.exe	69
PID 3936 wrote to memory of 2192	3936	DllCommonsvc.exe	122
PID 3936 wrote to memory of 2192	3936	DllCommonsvc.exe	122
PID 3936 wrote to memory of 2068	3936	DllCommonsvc.exe	157
PID 3936 wrote to memory of 2068	3936	DllCommonsvc.exe	157
PID 3936 wrote to memory of 3912	3936	DllCommonsvc.exe	123
PID 3936 wrote to memory of 3912	3936	DllCommonsvc.exe	123
PID 3936 wrote to memory of 2720	3936	DllCommonsvc.exe	124
PID 3936 wrote to memory of 2720	3936	DllCommonsvc.exe	124
PID 3936 wrote to memory of 3044	3936	DllCommonsvc.exe	128
PID 3936 wrote to memory of 3044	3936	DllCommonsvc.exe	128
PID 3936 wrote to memory of 1728	3936	DllCommonsvc.exe	126
PID 3936 wrote to memory of 1728	3936	DllCommonsvc.exe	126
PID 3936 wrote to memory of 4684	3936	DllCommonsvc.exe	129
PID 3936 wrote to memory of 4684	3936	DllCommonsvc.exe	129
PID 3936 wrote to memory of 4484	3936	DllCommonsvc.exe	130
PID 3936 wrote to memory of 4484	3936	DllCommonsvc.exe	130
PID 3936 wrote to memory of 340	3936	DllCommonsvc.exe	131
PID 3936 wrote to memory of 340	3936	DllCommonsvc.exe	131
PID 3936 wrote to memory of 4804	3936	DllCommonsvc.exe	150
PID 3936 wrote to memory of 4804	3936	DllCommonsvc.exe	150
PID 3936 wrote to memory of 2136	3936	DllCommonsvc.exe	132
PID 3936 wrote to memory of 2136	3936	DllCommonsvc.exe	132
PID 3936 wrote to memory of 352	3936	DllCommonsvc.exe	133
PID 3936 wrote to memory of 352	3936	DllCommonsvc.exe	133
PID 3936 wrote to memory of 4176	3936	DllCommonsvc.exe	147
PID 3936 wrote to memory of 4176	3936	DllCommonsvc.exe	147
PID 3936 wrote to memory of 1204	3936	DllCommonsvc.exe	146
PID 3936 wrote to memory of 1204	3936	DllCommonsvc.exe	146
PID 3936 wrote to memory of 2788	3936	DllCommonsvc.exe	136
PID 3936 wrote to memory of 2788	3936	DllCommonsvc.exe	136
PID 3936 wrote to memory of 4884	3936	DllCommonsvc.exe	144
PID 3936 wrote to memory of 4884	3936	DllCommonsvc.exe	144
PID 3936 wrote to memory of 4432	3936	DllCommonsvc.exe	138
PID 3936 wrote to memory of 4432	3936	DllCommonsvc.exe	138
PID 3936 wrote to memory of 4856	3936	DllCommonsvc.exe	139
PID 3936 wrote to memory of 4856	3936	DllCommonsvc.exe	139
PID 3936 wrote to memory of 776	3936	DllCommonsvc.exe	158
PID 3936 wrote to memory of 776	3936	DllCommonsvc.exe	158
PID 776 wrote to memory of 5412	776	winlogon.exe	160
PID 776 wrote to memory of 5412	776	winlogon.exe	160
PID 5412 wrote to memory of 5708	5412	cmd.exe	162
PID 5412 wrote to memory of 5708	5412	cmd.exe	162
PID 5412 wrote to memory of 5152	5412	cmd.exe	163
PID 5412 wrote to memory of 5152	5412	cmd.exe	163
PID 5152 wrote to memory of 5296	5152	winlogon.exe	164
PID 5152 wrote to memory of 5296	5152	winlogon.exe	164
PID 5296 wrote to memory of 5368	5296	cmd.exe	166
PID 5296 wrote to memory of 5368	5296	cmd.exe	166
PID 5296 wrote to memory of 2252	5296	cmd.exe	167
PID 5296 wrote to memory of 2252	5296	cmd.exe	167
PID 2252 wrote to memory of 2036	2252	winlogon.exe	168
PID 2252 wrote to memory of 2036	2252	winlogon.exe	168
PID 2036 wrote to memory of 5544	2036	cmd.exe	170
PID 2036 wrote to memory of 5544	2036	cmd.exe	170
PID 2036 wrote to memory of 5600	2036	cmd.exe	171
PID 2036 wrote to memory of 5600	2036	cmd.exe	171

C:\Users\Admin\AppData\Local\Temp\22d82c0ce9e11edaebaa4dbf351e2e9cc144060f0c2b6e42918d6485d96a5ebf.exe
"C:\Users\Admin\AppData\Local\Temp\22d82c0ce9e11edaebaa4dbf351e2e9cc144060f0c2b6e42918d6485d96a5ebf.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\PERFLIB\040C\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\Lexicon\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        
        PID:2068
    - - C:\Users\Public\Videos\winlogon.exe
        
        "C:\Users\Public\Videos\winlogon.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5708
        
        C:\Users\Public\Videos\winlogon.exe
        
        "C:\Users\Public\Videos\winlogon.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5368
        
        C:\Users\Public\Videos\winlogon.exe
        
        "C:\Users\Public\Videos\winlogon.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:5544
        
        C:\Users\Public\Videos\winlogon.exe
        
        "C:\Users\Public\Videos\winlogon.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
        12⤵
        
        PID:5712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5924
        
        C:\Users\Public\Videos\winlogon.exe
        
        "C:\Users\Public\Videos\winlogon.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
        14⤵
        
        PID:3348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:5136
        
        C:\Users\Public\Videos\winlogon.exe
        
        "C:\Users\Public\Videos\winlogon.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"
        16⤵
        
        PID:1376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3904
        
        C:\Users\Public\Videos\winlogon.exe
        
        "C:\Users\Public\Videos\winlogon.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
        18⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:200
        
        C:\Users\Public\Videos\winlogon.exe
        
        "C:\Users\Public\Videos\winlogon.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"
        20⤵
        
        PID:4868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4048
        
        C:\Users\Public\Videos\winlogon.exe
        
        "C:\Users\Public\Videos\winlogon.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"
        22⤵
        
        PID:4412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1948
        
        C:\Users\Public\Videos\winlogon.exe
        
        "C:\Users\Public\Videos\winlogon.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        24⤵
        
        PID:5532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4772
        
        C:\Users\Public\Videos\winlogon.exe
        
        "C:\Users\Public\Videos\winlogon.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
        26⤵
        
        PID:4776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\INF\PERFLIB\040C\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\INF\PERFLIB\040C\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\INF\PERFLIB\040C\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\Crashpad\reports\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\reports\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\providercommon\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:68

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb81d39d9dc38eaf143b5b24ad566a08

SHA1
13623ba0d7ecaa2e50b0992b5d33ea279c9af2a4

SHA256
aa91fd7bb53d0882091922e017daca166dda7408b757f526a43d6827b28f0b3a

SHA512
07487baa65f4296eebeee3b728dad9d0e967f7ca7e9879a40f3e532b5c9b1998a0979232aabaae99a44354fe7fcf359335caaae1d2f93e84ecce0df12951a117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aaca48406efcba3cba9be3db3347e766

SHA1
d7f0ec59f667dd4feb55a5f3c74283a8d2d1ff21

SHA256
29eab52cdde76e99f36f0139dfd8a36e20b74d6a978a12c97f05cc4e73d67558

SHA512
e023e2199fefaf3d16060a58f89f0f22dee5465141bd81b5d36f630490d17a541a55750fed1586ac374731362573f400e1a3dceba3fd2b41d51c634ac066b93f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b4b9787d5b8e91ce33c490c6c70edba

SHA1
1dcbc204a06f4efa72d3f5e960039c6e26e4925f

SHA256
84c9e0105bb2a912747c53ca0f6d48f6705495cfcbe26016773c3ec225fd9585

SHA512
1c4c78a1bf979694d56c9359b21d26a0e6a9b9dc66e97b311b9375b153fdd57895fcac4efc07a5857579d1ee1fdfd2b687bb558360c37c5901e68f46e933ac89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac28e93368b8feb1b35667e4b69d4d93

SHA1
9ab889acae14f29219ce920ec11a7c3e5a36f4ea

SHA256
8be81175976d106f37d18c9b6a6948e77e9d08fdb58246c872453e72cad3c0bb

SHA512
1a8f97b3e71fb74b92070143ad5838ee3a2d8ad444f779d1c976267655cac07fe0b2ca400273e20bcf462037c98dc9f4f57666f5a985f80cbbc4e2d8cdbb46fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac28e93368b8feb1b35667e4b69d4d93

SHA1
9ab889acae14f29219ce920ec11a7c3e5a36f4ea

SHA256
8be81175976d106f37d18c9b6a6948e77e9d08fdb58246c872453e72cad3c0bb

SHA512
1a8f97b3e71fb74b92070143ad5838ee3a2d8ad444f779d1c976267655cac07fe0b2ca400273e20bcf462037c98dc9f4f57666f5a985f80cbbc4e2d8cdbb46fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
459502ba26ef8611c565da0e4d4638c7

SHA1
ce2036824311e09d3a55caac4ecf88f11f2ce8c4

SHA256
dc523a0862ee2ea3022b748b4f27e45a301c9a0b57369ae5823490754f22b77a

SHA512
432d9caab55b2836e6b50b7e2d74cc41ebd94b288ffd01479cf5d40db484ee06ee605cde00bea13641a8bc2068af98abd71f4740232c89268d8d0f5b8a00a0c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f17ea443bca092f2542b5df64d8a682

SHA1
d83152cdd0bd2c1edcbaa1e10881ba43060074a3

SHA256
9f5a0d93ad66f17e6552b5f6ead8255ec5cad5c9b7c8e11d27791e42e727c27d

SHA512
17d11ceb463c70a2ec76ca13f43e880a856c931cd72fd24ba793f880e61e26f27de66b98aad778c0ac67b68431446e2e119d5f7e3c271b2792c3f0afc05398e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d1f358132a103dd47b6c71bd66e02a44

SHA1
e8a91b3073399abda2c99928f01f08d9fcbed86c

SHA256
e7ab5e01a36bbc3e9c6168d822484d8982f6726d61a5fe112bd7392807b7c0e9

SHA512
33c4e6442f56d25d889c9cdbbeff2f29191b25508c1c3bb97c8fc702fb90aaab6dc59cfd691d782be04e95b5c25a454435a8164d9953f678b35373af1c357ca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb854fd3f5b81ec257986eba2ee95670

SHA1
ae1597d1a6aa19881e95e275601550667ca087db

SHA256
f92e15aebb0e4ac75055bf00e795adf678b97df96f0cb7afee590243a6d159af

SHA512
3824656f59c9275b7a72071da214a18489c40ea3dfc39de6d6d66cc2364bce8dd0a2f040e2cdf3a2a966f66e74956d766d9f277617de10e7efcf066e6fb21876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87d90c83121fc3408a7253eb5841399f

SHA1
8367fd2c75daf1b6dbf4501c2b068d7892962a0c

SHA256
c2dc34a546619ff3b34fcaca5e06bc3485661ce49acd3d219fa42f875bc2beb6

SHA512
7e96bb5f09338a34d9d1e773307979cb28ab10c7a6c1d585efe62d96352a1b7f5c39fc62b6e6d99fc689ffcd4a5af46da137f2730b4c6fd82d7043baeb026477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8fcdd40e83646a1a9c595f3ece91c8be

SHA1
db028f11b95fc9d53f5e172c287ed34871cabbac

SHA256
9b5649445726e5807c066914230de42ed479c8f13ab0e58511896b2392db7c55

SHA512
5ccd0bfa6069adcde3a68b5ce3c2f6d7205df894e2c3fc1431021ae883c9ec79e1bc601d69c2c69692ed66d255985eab1623d230231e6e495a87e4a6b9c3635b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
25bf17744ff507b2e4601d72e185b73a

SHA1
e565f1fa7642cc10b0add24ca2902fd3ba17800f

SHA256
bdc2c2b5fc85cc59ca5a485dc1dbbfbd99a0cf258ecc00599f16129c8657b14e

SHA512
a861add82df796fde6041c790634fdc7edc9febe8928cd50ce840d4dc638ee9343eebbaa23bf46d6b86ee17e4fc9cc1d3677719d6581e8758b309dc8353e92ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
011d63ba5ef6dc4b2692041a2e2a707b

SHA1
2f2e13586bef8b626ac3033cdb601a1d0f8c5762

SHA256
68ac9571cec06c1e236a94bed823dc80260e80b5cc9d629a0aaf6248c4eef95c

SHA512
56791c10598a4f94db3ca4a5e9b3c5989c4fcda9024c7441dcb0e8393d26ad474b7db7afc1a76ecc649217aab33dc12308c7a6685332c8484a0ef51f4a28ebd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38e0ba7444f76bdde54f83e32ee5c97b

SHA1
9574cd823b3c6c7ff38faf0e8dd5836b0e7ccb7a

SHA256
f0a4f7eba7058d83e082a4c594dc805f98eed05a2a4475fd7b4c371bd3614bfe

SHA512
cb49fe2fc505afde59ee23cd695e1dfea2a6b5b831571fd5ba5b0999bad6132f8934432ad0300e73a5f0d326a4b26c0208a48086902bb76f01421971e8560136

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat

Filesize
200B

MD5
aa2f888927b62c3c583cf462b558739c

SHA1
85b4fe6a72dbbd0b63effc9aea3d69bfb7804fb3

SHA256
a123dc17e52ace1cf060edc45fa358abec714a03d45c663e2c238575f6ba1a77

SHA512
077daaab55a410a3c930d86f0bbce605ebd72c44843e4f2e935794402377813a7d3c2f3abbdb386c5b458ef72b59178bb87d998cf00c75397b6937a2ff5e3fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
200B

MD5
842292b11014948b7cfa8d960c0120b8

SHA1
724557ab464812b5b0a8bc454f0e944a39a420df

SHA256
f4565e9a8f8fb7520bf659697ef4822c0fc1ff055e269fc1d015efd852ba0d4c

SHA512
2fd1f115d01ac171f6c2c794c23cc55868384dfdad00214a28c35d86f402b7a3a725376de92974dcd27f8b97cd7bcf825981a39b986cd6ac59b0001194e6a1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iu2jWrKESR.bat

Filesize
200B

MD5
5e038c84e48b89ea9595c061a554dfff

SHA1
edd9074361c554eceb31f88508220964d549da4c

SHA256
59af05b68b1e8250832b59b2629072f63783ee5fcbe1977e91da90caf3eb3076

SHA512
3c09b58b9b0fc8395eaa14a93cbaadfa68f89315acf0f5cb5491432dc6cae67d67f8f8147daa5f044f6d917c3386a4c93513da458ff978624527ab54e1c96f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
200B

MD5
a50c38e3d51822e98b83ca3c2954176b

SHA1
831c32deb3930c6f73d5eea165ba64a8666d4681

SHA256
1d2f4fcd1720348058070629008656855afefe7364b11630cb1bde109c97af10

SHA512
f2881b174db2f4949f38daa7d562fbfd53244c4eaf0e7f3c9fec98023cb3c9369b4c288890b954fad82d90ccaf5f6c1af6f0999fdb5c87f36d0ee5a52e0a11a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat

Filesize
200B

MD5
24fd4900805c92c9fc8e5d260dd32ca4

SHA1
6ff0ff129d5258a8b860c8694160c5b7cbd94696

SHA256
3dda32dd2ce09807884c26c92952466a133e55fe0e011ec05536afd93c08b0f6

SHA512
2fa30bd106bdf62f3ba419d70b50e179ccd0ea84fdc3f8d12d9d650228b46bf1b6c942c41e8699e9fd774369bf8e6105dbb45172f3a90951ab472670f1b5568c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

Filesize
200B

MD5
72f0eae6184303d8c0eb1d33e1649683

SHA1
b415c9e9c2bf88c2fe71ada0ebf7f1afe9e40501

SHA256
d69e435e5b777370f9af25fe35a3c66cbeb9dd67abcc019179bf33fc0eddf3c9

SHA512
14d316920fbfe9930a6b3b48a1bb9d18774e6ca5d2f919ca552ccb951ad93a15bab8824e6586b845db7341c7787425343ae66293c629c953463e572e1d06af62

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat

Filesize
200B

MD5
1de5a17ba4cc474d80c83f0d98a6ed74

SHA1
d5851b56c5497c63361d99119f118155ce49d4f7

SHA256
b8afad174c999a5dc8994065f41865122a3f0571405e82a74cff3fb276ba0aca

SHA512
dbe4b7ca2a01e57d62b53eaaa695699a83c4a349b1cc668845936513d691babaf8207f08c918efdb2e34af73f2f69569ba6153b55aa8ecf73ff24aa0cd1420fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat

Filesize
200B

MD5
c04e4ec15d03746294adce38e91ee206

SHA1
fcabad82a18fae0e7d783c34b849abf3276550a6

SHA256
dfdc99b968263a84abb4967d9bf91a8c8db2e7ca3f2c19b6afc1bafb8d09ac3b

SHA512
23fb2bd613fe4bb90d8fdd0d97c438e129ebacafabe457ec3cfc2a296fc2939fd04ee653fdd9388f7c2f84a69ea2b1e6680d757db07649b5205409b45afd5337

Download Submit
C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat

Filesize
200B

MD5
2ed08fa38a8588450f95785368c59f35

SHA1
9e9a67324135bf3e6ed4684649052246d7625fb6

SHA256
3caed2163f05c3c5796d1c18b2fa7cc8c718a386b6bacdd29c1be96a9e02bb6e

SHA512
f77048960397c135a2e7438b9399818d5fe7700de4b353d6ce1e4072ff6785d1c89520fbc3641b7378b05f1221a42527adc67b5ff00d1d364ab068f828fb9308

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

Filesize
200B

MD5
ebd99d5b75fde985278622d449474b06

SHA1
2b2cf751a4c348482cc8347a3dcc90bc626388eb

SHA256
7bfad7ede86241bfb78b86b019a2d7c8105662ec71b4672c0f785014ec8c1849

SHA512
d0e37ffb7cb73bea760f2dbf9d7e4751389a5b2195ee97a93c780ce9d107753f8cdafec3730f4fed027cc3e6390ef90f647122855089f35e1150ca7f0269267c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat

Filesize
200B

MD5
200f298576525aa9d6b421ed6d3eb6ab

SHA1
df5f3c0ce0e8265953104773d440576466c32dc1

SHA256
44e51d8059f5edb00c222db1ddec2ef5bd733df5573f65ca644d7cdf5edb10ec

SHA512
e8480ffa610f1950296328de018872e9ea81da87ff0816e5cc3282f79895c5cb747cd318dec2aacff4040178ab6e265a3f3405748c2b14dbbbafa992bc6c0dd2

Download Submit
C:\Users\Public\Videos\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Videos\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Videos\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Videos\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Videos\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Videos\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Videos\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Videos\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Videos\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Videos\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Videos\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Public\Videos\winlogon.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/200-949-0x0000000000000000-mapping.dmp

Download
memory/340-297-0x0000000000000000-mapping.dmp

Download
memory/352-304-0x0000000000000000-mapping.dmp

Download
memory/776-373-0x0000000000000000-mapping.dmp

Download
memory/776-418-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download
memory/1048-956-0x0000000000000000-mapping.dmp

Download
memory/1204-310-0x0000000000000000-mapping.dmp

Download
memory/1376-941-0x0000000000000000-mapping.dmp

Download
memory/1728-292-0x0000000000000000-mapping.dmp

Download
memory/1948-960-0x0000000000000000-mapping.dmp

Download
memory/2036-925-0x0000000000000000-mapping.dmp

Download
memory/2068-288-0x0000000000000000-mapping.dmp

Download
memory/2136-301-0x0000000000000000-mapping.dmp

Download
memory/2192-287-0x0000000000000000-mapping.dmp

Download
memory/2252-924-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/2252-922-0x0000000000000000-mapping.dmp

Download
memory/2668-154-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-156-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-179-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-117-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-177-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-118-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-176-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-175-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-119-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-121-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-174-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-173-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-122-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-124-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-125-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-126-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-127-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-172-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-128-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-129-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-171-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-170-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-130-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-169-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-131-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-132-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-168-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-133-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-167-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-166-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-116-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-165-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-164-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-134-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-163-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-162-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-161-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-160-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-135-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-137-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-159-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-158-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-157-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-178-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-155-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-153-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-152-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-151-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-150-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-148-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-149-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-147-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-146-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-145-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-144-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-143-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-142-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-141-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-140-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-136-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-139-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-138-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-947-0x0000000000000000-mapping.dmp

Download
memory/2720-290-0x0000000000000000-mapping.dmp

Download
memory/2788-314-0x0000000000000000-mapping.dmp

Download
memory/3044-291-0x0000000000000000-mapping.dmp

Download
memory/3348-935-0x0000000000000000-mapping.dmp

Download
memory/3652-969-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/3652-967-0x0000000000000000-mapping.dmp

Download
memory/3680-256-0x0000000000000000-mapping.dmp

Download
memory/3904-943-0x0000000000000000-mapping.dmp

Download
memory/3912-376-0x00000259EEF90000-0x00000259EEFB2000-memory.dmp

Filesize
136KB

Download
memory/3912-289-0x0000000000000000-mapping.dmp

Download
memory/3912-384-0x00000259EFBF0000-0x00000259EFC66000-memory.dmp

Filesize
472KB

Download
memory/3936-286-0x0000000001620000-0x000000000162C000-memory.dmp

Filesize
48KB

Download
memory/3936-284-0x0000000001600000-0x000000000160C000-memory.dmp

Filesize
48KB

Download
memory/3936-279-0x0000000000000000-mapping.dmp

Download
memory/3936-283-0x00000000015E0000-0x00000000015F2000-memory.dmp

Filesize
72KB

Download
memory/3936-282-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/3936-285-0x0000000001610000-0x000000000161C000-memory.dmp

Filesize
48KB

Download
memory/4048-955-0x0000000000000000-mapping.dmp

Download
memory/4176-307-0x0000000000000000-mapping.dmp

Download
memory/4336-972-0x0000000000000000-mapping.dmp

Download
memory/4412-958-0x0000000000000000-mapping.dmp

Download
memory/4432-323-0x0000000000000000-mapping.dmp

Download
memory/4484-296-0x0000000000000000-mapping.dmp

Download
memory/4656-963-0x0000000001740000-0x0000000001752000-memory.dmp

Filesize
72KB

Download
memory/4656-961-0x0000000000000000-mapping.dmp

Download
memory/4684-293-0x0000000000000000-mapping.dmp

Download
memory/4732-938-0x0000000000000000-mapping.dmp

Download
memory/4732-940-0x0000000002F30000-0x0000000002F42000-memory.dmp

Filesize
72KB

Download
memory/4768-181-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4768-182-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4768-180-0x0000000000000000-mapping.dmp

Download
memory/4772-966-0x0000000000000000-mapping.dmp

Download
memory/4776-970-0x0000000000000000-mapping.dmp

Download
memory/4804-299-0x0000000000000000-mapping.dmp

Download
memory/4856-329-0x0000000000000000-mapping.dmp

Download
memory/4868-953-0x0000000000000000-mapping.dmp

Download
memory/4884-318-0x0000000000000000-mapping.dmp

Download
memory/5136-937-0x0000000000000000-mapping.dmp

Download
memory/5152-918-0x00000000011E0000-0x00000000011F2000-memory.dmp

Filesize
72KB

Download
memory/5152-915-0x0000000000000000-mapping.dmp

Download
memory/5296-919-0x0000000000000000-mapping.dmp

Download
memory/5368-921-0x0000000000000000-mapping.dmp

Download
memory/5412-816-0x0000000000000000-mapping.dmp

Download
memory/5532-964-0x0000000000000000-mapping.dmp

Download
memory/5544-927-0x0000000000000000-mapping.dmp

Download
memory/5600-928-0x0000000000000000-mapping.dmp

Download
memory/5708-860-0x0000000000000000-mapping.dmp

Download
memory/5712-930-0x0000000000000000-mapping.dmp

Download
memory/5924-932-0x0000000000000000-mapping.dmp

Download
memory/5936-933-0x0000000000000000-mapping.dmp

Download
memory/6068-946-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/6068-944-0x0000000000000000-mapping.dmp

Download
memory/6084-952-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/6084-950-0x0000000000000000-mapping.dmp

Download