Analysis

  • max time kernel
    1369s
  • max time network
    1433s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    29/10/2024, 16:38

General

  • Target
    XBinderOutput(1).exe
  • Size
    607KB
  • MD5
    19d31479381cfda2c9878b427f51a0c2
  • SHA1
    5b8774c60b71dd32e7325d0fbceb3434975ca7cc
  • SHA256
    e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550
  • SHA512
    14ce10c974af40f5ab3e93f3bb3ff5ada22a8c2245bf45f40be0a59a75bcd9bfb2bf2288416744a2cebb93b3eb487ba070670d553ea87ca8c0e566c727bf28a2
  • SSDEEP
    12288:DikJ/Wmo/J594F3o472LiJgSifSdq/UByol53uFb/V4YUWpcZm83:TJ/+z4F3osuiKoqsyol54bWYUK

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Drops file in Drivers directory 64 IoCs
  • Manipulates Digital Signatures 4 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

    Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 17 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 64 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 33 IoCs
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Modifies termsrv.dll 1 TTPs 1 IoCs

    Commonly used to allow simultaneous RDP sessions.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4668
    • C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
      "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4176
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4544
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\blocksavesperfMonitorDll\reviewDll.exe
            "C:\blocksavesperfMonitorDll\reviewDll.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3492
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cDr8AOJqph.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3764
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:4780
                • C:\blocksavesperfMonitorDll\reviewDll.exe
                  "C:\blocksavesperfMonitorDll\reviewDll.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1752
                  • C:\blocksavesperfMonitorDll\fontdrvhost.exe
                    "C:\blocksavesperfMonitorDll\fontdrvhost.exe"
                    8⤵
                    • Modifies WinLogon for persistence
                    • Drops file in Drivers directory
                    • Manipulates Digital Signatures
                    • Boot or Logon Autostart Execution: Print Processors
                    • Checks computer location settings
                    • Deletes itself
                    • Executes dropped EXE
                    • Indicator Removal: Clear Windows Event Logs
                    • Drops desktop.ini file(s)
                    • Drops autorun.inf file
                    • Drops file in System32 directory
                    • Modifies termsrv.dll
                    • Drops file in Program Files directory
                    • Drops file in Windows directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3572
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat" "
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4492
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        10⤵
                          PID:4568
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SearchApp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:3884
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:2520
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1348
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1860
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\it-IT\sihost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2068
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\it-IT\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:976
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\System\it-IT\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\blocksavesperfMonitorDll\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:2308
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2228
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\blocksavesperfMonitorDll\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\blocksavesperfMonitorDll\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4900
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\blocksavesperfMonitorDll\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4892
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\NetHood\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3692
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2716
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2596
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\IdentityCRL\production\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2836
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\production\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:2948
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\TextInputHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2740
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:3608
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1360
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2100
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4120
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2332
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1600
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellExperiences\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4800
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellExperiences\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:956
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\unsecapp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4436
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2872
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:992
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4976
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2736
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1016
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3900
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\DESIGNER\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:3852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:3976
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3188
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4608
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\upfc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4576
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2816
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2916
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\blocksavesperfMonitorDll\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:1464
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2376
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\blocksavesperfMonitorDll\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:4880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1104
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:2272
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2372
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:1012
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2660
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1316
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5116
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\spoolsv.exe'" /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5108
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3368
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1288
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\winlogon.exe'" /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4656
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:232
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\winlogon.exe'" /rl HIGHEST /f
        1⤵
          PID:744
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
          1⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
          1⤵
            PID:4596
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3564
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\images\services.exe'" /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1152
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\services.exe'" /rl HIGHEST /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:116
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\images\services.exe'" /rl HIGHEST /f
            1⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3016
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\Packages\SearchApp.exe'" /f
            1⤵
              PID:1472
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:100
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\Packages\SearchApp.exe'" /rl HIGHEST /f
              1⤵
              • Scheduled Task/Job: Scheduled Task
              PID:112
            • C:\Program Files (x86)\Reference Assemblies\Microsoft\spoolsv.exe
              "C:\Program Files (x86)\Reference Assemblies\Microsoft\spoolsv.exe"
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:772
            • C:\Recovery\WindowsRE\unsecapp.exe
              "C:\Recovery\WindowsRE\unsecapp.exe"
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2996
            • C:\Program Files\MSBuild\Microsoft\TextInputHost.exe
              "C:\Program Files\MSBuild\Microsoft\TextInputHost.exe"
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:808
            • C:\blocksavesperfMonitorDll\fontdrvhost.exe
              "C:\blocksavesperfMonitorDll\fontdrvhost.exe"
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4272
            • C:\Recovery\WindowsRE\RuntimeBroker.exe
              "C:\Recovery\WindowsRE\RuntimeBroker.exe"
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3608
            • C:\Program Files\Common Files\System\it-IT\sihost.exe
              "C:\Program Files\Common Files\System\it-IT\sihost.exe"
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3612
            • C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe
              "C:\Program Files\Windows Portable Devices\backgroundTaskHost.exe"
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1420
            • C:\Windows\Provisioning\Packages\SearchApp.exe
              "C:\Windows\Provisioning\Packages\SearchApp.exe"
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:464
            • C:\Users\Public\dllhost.exe
              "C:\Users\Public\dllhost.exe"
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2124
            • C:\Recovery\WindowsRE\cmd.exe
              "C:\Recovery\WindowsRE\cmd.exe"
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2560
            • C:\Program Files\Windows Photo Viewer\upfc.exe
              "C:\Program Files\Windows Photo Viewer\upfc.exe"
              1⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1352
            • C:\blocksavesperfMonitorDll\fontdrvhost.exe
              "C:\blocksavesperfMonitorDll\fontdrvhost.exe"
              1⤵
              • Executes dropped EXE
              PID:4792
            • C:\blocksavesperfMonitorDll\fontdrvhost.exe
              "C:\blocksavesperfMonitorDll\fontdrvhost.exe"
              1⤵
              • Executes dropped EXE
              PID:3224
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /delete /tn "fontdrvhost" /f
              1⤵
              PID:4520
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /delete /tn "fontdrvhostf" /f
              1⤵
              PID:3620
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /delete /tn "fontdrvhost" /f
              1⤵
              PID:3156
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /delete /tn "fontdrvhostf" /f
              1⤵
              PID:3764

Network

MITRE ATT&CK Enterprise v15

Downloads
