dcrat | fa60135b9eab2ca2329846ee092ad3a7b9476f3b9f3064397cc293bd87088987

Analysis

max time kernel
122s
max time network
132s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/08/2023, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe
Size

2.9MB
MD5

334556209bb6211756fb1c31c1f2bfb3
SHA1

6152d05238af661cf65eeef7dbcc4624a649a868
SHA256

df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e
SHA512

d2d3bcc148f047fb691aed780b3facb0699300c0828592ea1ad9f302ab9707220a46b71b5dc36a5ba52e4f1718f34f6664dd5264e86c646f0149403920807ae1
SSDEEP

49152:3IA3qVqlpaOO9vgqlIx6Xd8HTWHkJuwi+DOWBfY2LN3bm2ErJgzRqr5OV:4ADPOBCU1ko+C67d1Er+zor5OV

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2004	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2004	schtasks.exe	36

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HypersessionMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	HypersessionMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	HypersessionMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x001b0000000155fd-66.dat	dcrat
behavioral1/files/0x001b0000000155fd-69.dat	dcrat
behavioral1/files/0x001b0000000155fd-71.dat	dcrat
behavioral1/memory/2684-70-0x0000000000400000-0x0000000002593000-memory.dmp	dcrat
behavioral1/files/0x0007000000018adc-83.dat	dcrat
behavioral1/files/0x0007000000018adc-85.dat	dcrat
behavioral1/files/0x0007000000018adc-86.dat	dcrat
behavioral1/files/0x0007000000018adc-84.dat	dcrat
behavioral1/memory/2988-87-0x0000000001380000-0x000000000151A000-memory.dmp	dcrat
behavioral1/memory/2988-89-0x000000001B100000-0x000000001B180000-memory.dmp	dcrat
behavioral1/files/0x000500000001944f-103.dat	dcrat
behavioral1/files/0x000500000001948f-133.dat	dcrat
behavioral1/memory/2492-135-0x0000000000F60000-0x00000000010FA000-memory.dmp	dcrat
behavioral1/files/0x000500000001948f-134.dat	dcrat

Executes dropped EXE 4 IoCs

pid	Process
2136	ms_update.exe
1280	ms_updater.exe
2988	HypersessionMonitor.exe
2492	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe
2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe
884	cmd.exe
884	cmd.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe	HypersessionMonitor.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\42af1c969fbb7b	HypersessionMonitor.exe
File created	C:\Program Files\Windows Defender\it-IT\cmd.exe	HypersessionMonitor.exe
File created	C:\Program Files\Windows Defender\it-IT\ebf1f9fa8afd6d	HypersessionMonitor.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\spoolsv.exe	HypersessionMonitor.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\Idle.exe	HypersessionMonitor.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe	HypersessionMonitor.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\6ccacd8608530f	HypersessionMonitor.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\f3b6ecef712a24	HypersessionMonitor.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\56085415360792	HypersessionMonitor.exe
File created	C:\Windows\winsxs\x86_netfx-wminet_utils_dll_b03f5f7f11d50a3a_6.1.7601.17514_none_478e55843710fde4\conhost.exe	HypersessionMonitor.exe
File created	C:\Windows\security\templates\wininit.exe	HypersessionMonitor.exe
File created	C:\Windows\security\templates\56085415360792	HypersessionMonitor.exe
File created	C:\Windows\Migration\WTR\wininit.exe	HypersessionMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2260	schtasks.exe
1808	schtasks.exe
564	schtasks.exe
288	schtasks.exe
1448	schtasks.exe
2364	schtasks.exe
2376	schtasks.exe
1972	schtasks.exe
472	schtasks.exe
1604	schtasks.exe
2476	schtasks.exe
2596	schtasks.exe
3024	schtasks.exe
3056	schtasks.exe
1032	schtasks.exe
2576	schtasks.exe
1096	schtasks.exe
1948	schtasks.exe
344	schtasks.exe
2340	schtasks.exe
872	schtasks.exe
1596	schtasks.exe
2896	schtasks.exe
560	schtasks.exe
2436	schtasks.exe
1220	schtasks.exe
2360	schtasks.exe
2000	schtasks.exe
2556	schtasks.exe
756	schtasks.exe
1832	schtasks.exe
436	schtasks.exe
1548	schtasks.exe
1920	schtasks.exe
900	schtasks.exe
2696	schtasks.exe
2112	schtasks.exe
268	schtasks.exe
1612	schtasks.exe
1864	schtasks.exe
2636	schtasks.exe
1532	schtasks.exe
1796	schtasks.exe
1044	schtasks.exe
1936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2988	HypersessionMonitor.exe
2988	HypersessionMonitor.exe
2988	HypersessionMonitor.exe
2988	HypersessionMonitor.exe
2988	HypersessionMonitor.exe
2988	HypersessionMonitor.exe
2988	HypersessionMonitor.exe
2668	powershell.exe
2316	powershell.exe
2856	powershell.exe
3004	powershell.exe
2284	powershell.exe
2492	cmd.exe
1576	powershell.exe
2936	powershell.exe
2240	powershell.exe
2524	powershell.exe
2580	powershell.exe
1580	powershell.exe
2348	powershell.exe
2488	powershell.exe
2500	powershell.exe
2224	powershell.exe
2480	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	HypersessionMonitor.exe
Token: SeDebugPrivilege	2492	cmd.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2136	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	28
PID 2684 wrote to memory of 2136	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	28
PID 2684 wrote to memory of 2136	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	28
PID 2684 wrote to memory of 2136	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	28
PID 2684 wrote to memory of 2136	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	28
PID 2684 wrote to memory of 2136	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	28
PID 2684 wrote to memory of 2136	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	28
PID 2684 wrote to memory of 1280	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	29
PID 2684 wrote to memory of 1280	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	29
PID 2684 wrote to memory of 1280	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	29
PID 2684 wrote to memory of 1280	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	29
PID 2684 wrote to memory of 1280	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	29
PID 2684 wrote to memory of 1280	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	29
PID 2684 wrote to memory of 1280	2684	df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe	29
PID 1280 wrote to memory of 2908	1280	ms_updater.exe	30
PID 1280 wrote to memory of 2908	1280	ms_updater.exe	30
PID 1280 wrote to memory of 2908	1280	ms_updater.exe	30
PID 1280 wrote to memory of 2908	1280	ms_updater.exe	30
PID 2908 wrote to memory of 884	2908	WScript.exe	33
PID 2908 wrote to memory of 884	2908	WScript.exe	33
PID 2908 wrote to memory of 884	2908	WScript.exe	33
PID 2908 wrote to memory of 884	2908	WScript.exe	33
PID 884 wrote to memory of 2988	884	cmd.exe	35
PID 884 wrote to memory of 2988	884	cmd.exe	35
PID 884 wrote to memory of 2988	884	cmd.exe	35
PID 884 wrote to memory of 2988	884	cmd.exe	35
PID 2988 wrote to memory of 2524	2988	HypersessionMonitor.exe	114
PID 2988 wrote to memory of 2524	2988	HypersessionMonitor.exe	114
PID 2988 wrote to memory of 2524	2988	HypersessionMonitor.exe	114
PID 2988 wrote to memory of 2348	2988	HypersessionMonitor.exe	113
PID 2988 wrote to memory of 2348	2988	HypersessionMonitor.exe	113
PID 2988 wrote to memory of 2348	2988	HypersessionMonitor.exe	113
PID 2988 wrote to memory of 2480	2988	HypersessionMonitor.exe	110
PID 2988 wrote to memory of 2480	2988	HypersessionMonitor.exe	110
PID 2988 wrote to memory of 2480	2988	HypersessionMonitor.exe	110
PID 2988 wrote to memory of 3004	2988	HypersessionMonitor.exe	109
PID 2988 wrote to memory of 3004	2988	HypersessionMonitor.exe	109
PID 2988 wrote to memory of 3004	2988	HypersessionMonitor.exe	109
PID 2988 wrote to memory of 2488	2988	HypersessionMonitor.exe	94
PID 2988 wrote to memory of 2488	2988	HypersessionMonitor.exe	94
PID 2988 wrote to memory of 2488	2988	HypersessionMonitor.exe	94
PID 2988 wrote to memory of 2668	2988	HypersessionMonitor.exe	93
PID 2988 wrote to memory of 2668	2988	HypersessionMonitor.exe	93
PID 2988 wrote to memory of 2668	2988	HypersessionMonitor.exe	93
PID 2988 wrote to memory of 1580	2988	HypersessionMonitor.exe	92
PID 2988 wrote to memory of 1580	2988	HypersessionMonitor.exe	92
PID 2988 wrote to memory of 1580	2988	HypersessionMonitor.exe	92
PID 2988 wrote to memory of 2580	2988	HypersessionMonitor.exe	91
PID 2988 wrote to memory of 2580	2988	HypersessionMonitor.exe	91
PID 2988 wrote to memory of 2580	2988	HypersessionMonitor.exe	91
PID 2988 wrote to memory of 2224	2988	HypersessionMonitor.exe	90
PID 2988 wrote to memory of 2224	2988	HypersessionMonitor.exe	90
PID 2988 wrote to memory of 2224	2988	HypersessionMonitor.exe	90
PID 2988 wrote to memory of 2240	2988	HypersessionMonitor.exe	89
PID 2988 wrote to memory of 2240	2988	HypersessionMonitor.exe	89
PID 2988 wrote to memory of 2240	2988	HypersessionMonitor.exe	89
PID 2988 wrote to memory of 2500	2988	HypersessionMonitor.exe	88
PID 2988 wrote to memory of 2500	2988	HypersessionMonitor.exe	88
PID 2988 wrote to memory of 2500	2988	HypersessionMonitor.exe	88
PID 2988 wrote to memory of 2316	2988	HypersessionMonitor.exe	86
PID 2988 wrote to memory of 2316	2988	HypersessionMonitor.exe	86
PID 2988 wrote to memory of 2316	2988	HypersessionMonitor.exe	86
PID 2988 wrote to memory of 2284	2988	HypersessionMonitor.exe	85
PID 2988 wrote to memory of 2284	2988	HypersessionMonitor.exe	85

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HypersessionMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	HypersessionMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	HypersessionMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe
"C:\Users\Admin\AppData\Local\Temp\df6156a04af4a695997f7374cd92518c4d27978cc2896ed071fba96fda7a918e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Roaming\ms_update.exe
  "C:\Users\Admin\AppData\Roaming\ms_update.exe"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Users\Admin\AppData\Roaming\ms_updater.exe
  "C:\Users\Admin\AppData\Roaming\ms_updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcom\f8fLZ2AFNda7cUgQRNrE8PbXWFp.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\blockcom\NEBDV0xFpRNtK.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\blockcom\HypersessionMonitor.exe
        
        "C:\blockcom\HypersessionMonitor.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2988
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcom\WmiPrvSE.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\wininit.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8ef2e3a2-20ee-11ee-b143-d66763f08456\winlogon.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\winlogon.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\HypersessionMonitor.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fr-FR\Idle.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\spoolsv.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcom\explorer.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\templates\wininit.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\spoolsv.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WmiPrvSE.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\it-IT\cmd.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\cmd.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
      - C:\Program Files\Windows Defender\it-IT\cmd.exe
        
        "C:\Program Files\Windows Defender\it-IT\cmd.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcom\HypersessionMonitor.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\it-IT\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\security\templates\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\security\templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\security\templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\blockcom\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\blockcom\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\blockcom\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HypersessionMonitorH" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\HypersessionMonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HypersessionMonitor" /sc ONLOGON /tr "'C:\Users\Default\Downloads\HypersessionMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HypersessionMonitorH" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Downloads\HypersessionMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8ef2e3a2-20ee-11ee-b143-d66763f08456\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\8ef2e3a2-20ee-11ee-b143-d66763f08456\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8ef2e3a2-20ee-11ee-b143-d66763f08456\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\blockcom\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\blockcom\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\blockcom\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\cmd.exe

Filesize
1.6MB

MD5
96d4864a5e462516dea1fa72f7ffcd7f

SHA1
d47003d2b159f08282b8edee18245574ddb2ac72

SHA256
8f83ad620e758019ca70cb98014c7e4ef905d0a298c1e8831d746bd081a2a49c

SHA512
15fe4529a9eb6c1d3d6a3b394d4c152579080353e09cf1e871f5e52e65ad2ef1ebdf08e59efb14477db0ba0a40996928fb2144370df3050f01c05b0013e9263b

Download Submit
C:\Program Files\Windows Defender\it-IT\cmd.exe

Filesize
1.6MB

MD5
96d4864a5e462516dea1fa72f7ffcd7f

SHA1
d47003d2b159f08282b8edee18245574ddb2ac72

SHA256
8f83ad620e758019ca70cb98014c7e4ef905d0a298c1e8831d746bd081a2a49c

SHA512
15fe4529a9eb6c1d3d6a3b394d4c152579080353e09cf1e871f5e52e65ad2ef1ebdf08e59efb14477db0ba0a40996928fb2144370df3050f01c05b0013e9263b

Download Submit
C:\Program Files\Windows Defender\it-IT\cmd.exe

Filesize
1.6MB

MD5
96d4864a5e462516dea1fa72f7ffcd7f

SHA1
d47003d2b159f08282b8edee18245574ddb2ac72

SHA256
8f83ad620e758019ca70cb98014c7e4ef905d0a298c1e8831d746bd081a2a49c

SHA512
15fe4529a9eb6c1d3d6a3b394d4c152579080353e09cf1e871f5e52e65ad2ef1ebdf08e59efb14477db0ba0a40996928fb2144370df3050f01c05b0013e9263b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fa85a4e9834f7754dc445f295860bccd

SHA1
1ceef13dee2e3413ddd7f90d6bef0adfa29827f5

SHA256
c344cd834c1ed09b6d66c728470efd9ec0114125ef700b59712075ca192615c3

SHA512
cb89923f8c15bc1602e5862a92a53d43c362797ab5dbd0a16a12d25eb461734918aec0e82f02777b97deb61da5c773e54f9ae08895c18f87e805e235a6569bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fa85a4e9834f7754dc445f295860bccd

SHA1
1ceef13dee2e3413ddd7f90d6bef0adfa29827f5

SHA256
c344cd834c1ed09b6d66c728470efd9ec0114125ef700b59712075ca192615c3

SHA512
cb89923f8c15bc1602e5862a92a53d43c362797ab5dbd0a16a12d25eb461734918aec0e82f02777b97deb61da5c773e54f9ae08895c18f87e805e235a6569bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fa85a4e9834f7754dc445f295860bccd

SHA1
1ceef13dee2e3413ddd7f90d6bef0adfa29827f5

SHA256
c344cd834c1ed09b6d66c728470efd9ec0114125ef700b59712075ca192615c3

SHA512
cb89923f8c15bc1602e5862a92a53d43c362797ab5dbd0a16a12d25eb461734918aec0e82f02777b97deb61da5c773e54f9ae08895c18f87e805e235a6569bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fa85a4e9834f7754dc445f295860bccd

SHA1
1ceef13dee2e3413ddd7f90d6bef0adfa29827f5

SHA256
c344cd834c1ed09b6d66c728470efd9ec0114125ef700b59712075ca192615c3

SHA512
cb89923f8c15bc1602e5862a92a53d43c362797ab5dbd0a16a12d25eb461734918aec0e82f02777b97deb61da5c773e54f9ae08895c18f87e805e235a6569bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fa85a4e9834f7754dc445f295860bccd

SHA1
1ceef13dee2e3413ddd7f90d6bef0adfa29827f5

SHA256
c344cd834c1ed09b6d66c728470efd9ec0114125ef700b59712075ca192615c3

SHA512
cb89923f8c15bc1602e5862a92a53d43c362797ab5dbd0a16a12d25eb461734918aec0e82f02777b97deb61da5c773e54f9ae08895c18f87e805e235a6569bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fa85a4e9834f7754dc445f295860bccd

SHA1
1ceef13dee2e3413ddd7f90d6bef0adfa29827f5

SHA256
c344cd834c1ed09b6d66c728470efd9ec0114125ef700b59712075ca192615c3

SHA512
cb89923f8c15bc1602e5862a92a53d43c362797ab5dbd0a16a12d25eb461734918aec0e82f02777b97deb61da5c773e54f9ae08895c18f87e805e235a6569bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fa85a4e9834f7754dc445f295860bccd

SHA1
1ceef13dee2e3413ddd7f90d6bef0adfa29827f5

SHA256
c344cd834c1ed09b6d66c728470efd9ec0114125ef700b59712075ca192615c3

SHA512
cb89923f8c15bc1602e5862a92a53d43c362797ab5dbd0a16a12d25eb461734918aec0e82f02777b97deb61da5c773e54f9ae08895c18f87e805e235a6569bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fa85a4e9834f7754dc445f295860bccd

SHA1
1ceef13dee2e3413ddd7f90d6bef0adfa29827f5

SHA256
c344cd834c1ed09b6d66c728470efd9ec0114125ef700b59712075ca192615c3

SHA512
cb89923f8c15bc1602e5862a92a53d43c362797ab5dbd0a16a12d25eb461734918aec0e82f02777b97deb61da5c773e54f9ae08895c18f87e805e235a6569bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fa85a4e9834f7754dc445f295860bccd

SHA1
1ceef13dee2e3413ddd7f90d6bef0adfa29827f5

SHA256
c344cd834c1ed09b6d66c728470efd9ec0114125ef700b59712075ca192615c3

SHA512
cb89923f8c15bc1602e5862a92a53d43c362797ab5dbd0a16a12d25eb461734918aec0e82f02777b97deb61da5c773e54f9ae08895c18f87e805e235a6569bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fa85a4e9834f7754dc445f295860bccd

SHA1
1ceef13dee2e3413ddd7f90d6bef0adfa29827f5

SHA256
c344cd834c1ed09b6d66c728470efd9ec0114125ef700b59712075ca192615c3

SHA512
cb89923f8c15bc1602e5862a92a53d43c362797ab5dbd0a16a12d25eb461734918aec0e82f02777b97deb61da5c773e54f9ae08895c18f87e805e235a6569bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PMJFW7MRV8GU9BZOJTR0.temp

Filesize
7KB

MD5
fa85a4e9834f7754dc445f295860bccd

SHA1
1ceef13dee2e3413ddd7f90d6bef0adfa29827f5

SHA256
c344cd834c1ed09b6d66c728470efd9ec0114125ef700b59712075ca192615c3

SHA512
cb89923f8c15bc1602e5862a92a53d43c362797ab5dbd0a16a12d25eb461734918aec0e82f02777b97deb61da5c773e54f9ae08895c18f87e805e235a6569bc6

Download Submit
C:\Users\Admin\AppData\Roaming\ms_update.exe

Filesize
758KB

MD5
60b7c0fead45f2066e5b805a91f4f0fc

SHA1
9018a7d6cdbe859a430e8794e73381f77c840be0

SHA256
80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22

SHA512
68b9f9c00fc64df946684ce81a72a2624f0fc07e07c0c8b3db2fae8c9c0415bd1b4a03ad7ffa96985af0cc5e0410f6c5e29a30200efff21ab4b01369a3c59b58

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
1.9MB

MD5
a04a6fefe18f66c8d8ee8ab5d15fecb1

SHA1
2cf8ed1fed23b656db8208c7caf323cbe88da05b

SHA256
69557277422725e3c242b0e59a543f4133979d113866f5e50e70b036355db890

SHA512
44cf755be1de1352f99d28c61109339056098b74acf1936e3aa1bdd2f6d9503434972c58bc6a9015013a65ad3f7f1d61f2d88e6574914a9cf5a33bb4f4342c62

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
1.9MB

MD5
a04a6fefe18f66c8d8ee8ab5d15fecb1

SHA1
2cf8ed1fed23b656db8208c7caf323cbe88da05b

SHA256
69557277422725e3c242b0e59a543f4133979d113866f5e50e70b036355db890

SHA512
44cf755be1de1352f99d28c61109339056098b74acf1936e3aa1bdd2f6d9503434972c58bc6a9015013a65ad3f7f1d61f2d88e6574914a9cf5a33bb4f4342c62

Download Submit
C:\blockcom\HypersessionMonitor.exe

Filesize
1.6MB

MD5
96d4864a5e462516dea1fa72f7ffcd7f

SHA1
d47003d2b159f08282b8edee18245574ddb2ac72

SHA256
8f83ad620e758019ca70cb98014c7e4ef905d0a298c1e8831d746bd081a2a49c

SHA512
15fe4529a9eb6c1d3d6a3b394d4c152579080353e09cf1e871f5e52e65ad2ef1ebdf08e59efb14477db0ba0a40996928fb2144370df3050f01c05b0013e9263b

Download Submit
C:\blockcom\HypersessionMonitor.exe

Filesize
1.6MB

MD5
96d4864a5e462516dea1fa72f7ffcd7f

SHA1
d47003d2b159f08282b8edee18245574ddb2ac72

SHA256
8f83ad620e758019ca70cb98014c7e4ef905d0a298c1e8831d746bd081a2a49c

SHA512
15fe4529a9eb6c1d3d6a3b394d4c152579080353e09cf1e871f5e52e65ad2ef1ebdf08e59efb14477db0ba0a40996928fb2144370df3050f01c05b0013e9263b

Download Submit
C:\blockcom\NEBDV0xFpRNtK.bat

Filesize
37B

MD5
f038f2fe2a3940d3219a0d592a06628b

SHA1
31031435ec0a4a8446396aff36f3be70bf23b6cf

SHA256
3e00c2fe7f386c0f3ee3777085f2e68dc98b54a18f24a56972d45c834a04a99b

SHA512
14e39eff476e6b8e3eda9f682e039cdf72ed8b7ee4e149d1680576f0736c8ad2573ce46985d97c5cb1853d6fd139197bc05ab85c70eef6f4b478770d363ff8a5

Download Submit
C:\blockcom\f8fLZ2AFNda7cUgQRNrE8PbXWFp.vbe

Filesize
198B

MD5
721a1abd49fc27d8e716633f736a2f0c

SHA1
d9347cb540885ad3cd0d53cb9833abf8149ce78e

SHA256
47c6219078655b024e378b72f2d968edf52a117513efd192088dbebb4abb790c

SHA512
f63dc720a06edea8514290623173330deae7cdd4096635aab335233f35bee1a7f57486e063a253d4bffa1905f753d1d4079961c18af4f0f4f8329cc435161332

Download Submit
\Users\Admin\AppData\Roaming\ms_update.exe

Filesize
758KB

MD5
60b7c0fead45f2066e5b805a91f4f0fc

SHA1
9018a7d6cdbe859a430e8794e73381f77c840be0

SHA256
80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22

SHA512
68b9f9c00fc64df946684ce81a72a2624f0fc07e07c0c8b3db2fae8c9c0415bd1b4a03ad7ffa96985af0cc5e0410f6c5e29a30200efff21ab4b01369a3c59b58

Download Submit
\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
1.9MB

MD5
a04a6fefe18f66c8d8ee8ab5d15fecb1

SHA1
2cf8ed1fed23b656db8208c7caf323cbe88da05b

SHA256
69557277422725e3c242b0e59a543f4133979d113866f5e50e70b036355db890

SHA512
44cf755be1de1352f99d28c61109339056098b74acf1936e3aa1bdd2f6d9503434972c58bc6a9015013a65ad3f7f1d61f2d88e6574914a9cf5a33bb4f4342c62

Download Submit
\blockcom\HypersessionMonitor.exe

Filesize
1.6MB

MD5
96d4864a5e462516dea1fa72f7ffcd7f

SHA1
d47003d2b159f08282b8edee18245574ddb2ac72

SHA256
8f83ad620e758019ca70cb98014c7e4ef905d0a298c1e8831d746bd081a2a49c

SHA512
15fe4529a9eb6c1d3d6a3b394d4c152579080353e09cf1e871f5e52e65ad2ef1ebdf08e59efb14477db0ba0a40996928fb2144370df3050f01c05b0013e9263b

Download Submit
\blockcom\HypersessionMonitor.exe

Filesize
1.6MB

MD5
96d4864a5e462516dea1fa72f7ffcd7f

SHA1
d47003d2b159f08282b8edee18245574ddb2ac72

SHA256
8f83ad620e758019ca70cb98014c7e4ef905d0a298c1e8831d746bd081a2a49c

SHA512
15fe4529a9eb6c1d3d6a3b394d4c152579080353e09cf1e871f5e52e65ad2ef1ebdf08e59efb14477db0ba0a40996928fb2144370df3050f01c05b0013e9263b

Download Submit
memory/1576-231-0x000007FEECDE0000-0x000007FEED77D000-memory.dmp

Filesize
9.6MB

Download
memory/1576-232-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1576-236-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1576-235-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/1576-241-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2240-249-0x000007FEECDE0000-0x000007FEED77D000-memory.dmp

Filesize
9.6MB

Download
memory/2240-251-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2240-248-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2284-216-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2284-239-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2284-209-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2284-234-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2284-215-0x000007FEECDE0000-0x000007FEED77D000-memory.dmp

Filesize
9.6MB

Download
memory/2284-220-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2316-222-0x00000000024BB000-0x0000000002522000-memory.dmp

Filesize
412KB

Download
memory/2316-219-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/2316-214-0x000007FEECDE0000-0x000007FEED77D000-memory.dmp

Filesize
9.6MB

Download
memory/2316-217-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2316-213-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2316-212-0x000007FEECDE0000-0x000007FEED77D000-memory.dmp

Filesize
9.6MB

Download
memory/2492-211-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/2492-135-0x0000000000F60000-0x00000000010FA000-memory.dmp

Filesize
1.6MB

Download
memory/2492-208-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2492-137-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-240-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/2668-230-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/2668-238-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/2668-228-0x000007FEECDE0000-0x000007FEED77D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-229-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/2668-227-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/2668-210-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2684-70-0x0000000000400000-0x0000000002593000-memory.dmp

Filesize
33.6MB

Download
memory/2684-72-0x00000000040B0000-0x000000000437B000-memory.dmp

Filesize
2.8MB

Download
memory/2684-77-0x0000000003DF0000-0x00000000040AC000-memory.dmp

Filesize
2.7MB

Download
memory/2684-59-0x0000000000400000-0x0000000002593000-memory.dmp

Filesize
33.6MB

Download
memory/2684-56-0x00000000040B0000-0x000000000437B000-memory.dmp

Filesize
2.8MB

Download
memory/2684-54-0x0000000003DF0000-0x00000000040AC000-memory.dmp

Filesize
2.7MB

Download
memory/2684-55-0x0000000003DF0000-0x00000000040AC000-memory.dmp

Filesize
2.7MB

Download
memory/2856-233-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2856-225-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2856-224-0x000007FEECDE0000-0x000007FEED77D000-memory.dmp

Filesize
9.6MB

Download
memory/2856-237-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2856-226-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/2936-242-0x000007FEECDE0000-0x000007FEED77D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-243-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2936-250-0x000007FEECDE0000-0x000007FEED77D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-247-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2936-246-0x000007FEECDE0000-0x000007FEED77D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-245-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2936-244-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2988-89-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/2988-92-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2988-87-0x0000000001380000-0x000000000151A000-memory.dmp

Filesize
1.6MB

Download
memory/2988-136-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-88-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-95-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2988-96-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2988-98-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/2988-93-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2988-94-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/2988-90-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2988-91-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/2988-97-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/3004-218-0x000007FEECDE0000-0x000007FEED77D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-223-0x000000000288B000-0x00000000028F2000-memory.dmp

Filesize
412KB

Download
memory/3004-221-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download