Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 14:50

General

  • Target

    anarchyasd (1).exe

  • Size

    1.5MB

  • MD5

    6951e63de2ec697bc1a261d829a6156d

  • SHA1

    e7b5bacbd9d33b5dca493ee6bb79321d5b5421be

  • SHA256

    858eabba1504401f88e7e36d74ae8669cd79e426398237cf650ba5e11eff806a

  • SHA512

    7167473877255a5728b2f3060aef8d144c86c3bbd51d3645b315ed8a62dd3728027fe0c75be820db6a7f06b9600621e123fd3f8936282622d36c38cf11b120a2

  • SSDEEP

    24576:U2G/nvxW3Ww0t5JwVU27zeOS9TTnkUIn+wtI2haxuMoDq8YmS5nl7J+K:UbA305JW4uPhZMomMM75

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 19 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 24 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe
    "C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hypermonitorNet\U3FGPYCsduGsNBux.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\hypermonitorNet\G9dRPBrMVK2Mc4FXz8bkgLxwR6gjGl.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\hypermonitorNet\reviewdriversvc.exe
          "C:\hypermonitorNet\reviewdriversvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Windows\Performance\taskhost.exe
            "C:\Windows\Performance\taskhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1816
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2160
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1604
                • C:\Windows\Performance\taskhost.exe
                  "C:\Windows\Performance\taskhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2852
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3040
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1904
                      • C:\Windows\Performance\taskhost.exe
                        "C:\Windows\Performance\taskhost.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2552
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2348
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:2828
                            • C:\Windows\Performance\taskhost.exe
                              "C:\Windows\Performance\taskhost.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2972
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2768
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:2804
                                  • C:\Windows\Performance\taskhost.exe
                                    "C:\Windows\Performance\taskhost.exe"
                                    13⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:1964
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1184
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:524
                                        • C:\Windows\Performance\taskhost.exe
                                          "C:\Windows\Performance\taskhost.exe"
                                          15⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:1680
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
                                            16⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:584
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              17⤵
                                                PID:568
                                              • C:\Windows\Performance\taskhost.exe
                                                "C:\Windows\Performance\taskhost.exe"
                                                17⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2420
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"
                                                  18⤵
                                                    PID:1068
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      19⤵
                                                        PID:236
                                                      • C:\Windows\Performance\taskhost.exe
                                                        "C:\Windows\Performance\taskhost.exe"
                                                        19⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2548
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
                                                          20⤵
                                                            PID:1404
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              21⤵
                                                                PID:1072
                                                              • C:\Windows\Performance\taskhost.exe
                                                                "C:\Windows\Performance\taskhost.exe"
                                                                21⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1952
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
                                                                  22⤵
                                                                    PID:288
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      23⤵
                                                                        PID:1504
                                                                      • C:\Windows\Performance\taskhost.exe
                                                                        "C:\Windows\Performance\taskhost.exe"
                                                                        23⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1508
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"
                                                                          24⤵
                                                                            PID:296
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              25⤵
                                                                                PID:1768
                                                                              • C:\Windows\Performance\taskhost.exe
                                                                                "C:\Windows\Performance\taskhost.exe"
                                                                                25⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2108
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"
                                                                                  26⤵
                                                                                    PID:1972
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      27⤵
                                                                                        PID:1644
                                                                                      • C:\Windows\Performance\taskhost.exe
                                                                                        "C:\Windows\Performance\taskhost.exe"
                                                                                        27⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1432
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
                                                                                          28⤵
                                                                                            PID:2660
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              29⤵
                                                                                                PID:2772
                                                                                              • C:\Windows\Performance\taskhost.exe
                                                                                                "C:\Windows\Performance\taskhost.exe"
                                                                                                29⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2344
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"
                                                                                                  30⤵
                                                                                                    PID:332
                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                      31⤵
                                                                                                        PID:940
                                                                                                      • C:\Windows\Performance\taskhost.exe
                                                                                                        "C:\Windows\Performance\taskhost.exe"
                                                                                                        31⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:2684
                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"
                                                                                                          32⤵
                                                                                                            PID:1484
                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                              33⤵
                                                                                                                PID:2056
                                                                                                              • C:\Windows\Performance\taskhost.exe
                                                                                                                "C:\Windows\Performance\taskhost.exe"
                                                                                                                33⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:3048
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat"
                                                                                                                  34⤵
                                                                                                                    PID:524
                                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                      35⤵
                                                                                                                        PID:2824
                                                                                                                      • C:\Windows\Performance\taskhost.exe
                                                                                                                        "C:\Windows\Performance\taskhost.exe"
                                                                                                                        35⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                        PID:748
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat"
                                                                                                                          36⤵
                                                                                                                            PID:1624
                                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                              37⤵
                                                                                                                                PID:560
                                                                                                                              • C:\Windows\Performance\taskhost.exe
                                                                                                                                "C:\Windows\Performance\taskhost.exe"
                                                                                                                                37⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:2776
                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
                                                                                                                                  38⤵
                                                                                                                                    PID:1740
                                                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                      39⤵
                                                                                                                                        PID:3032
                                                                                                                                      • C:\Windows\Performance\taskhost.exe
                                                                                                                                        "C:\Windows\Performance\taskhost.exe"
                                                                                                                                        39⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:2876
                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
                                                                                                                                          40⤵
                                                                                                                                            PID:1404
                                                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                              41⤵
                                                                                                                                                PID:1564
                                                                                                                                              • C:\Windows\Performance\taskhost.exe
                                                                                                                                                "C:\Windows\Performance\taskhost.exe"
                                                                                                                                                41⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:2008
                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
                                                                                                                                                  42⤵
                                                                                                                                                    PID:2404
                                                                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                                      43⤵
                                                                                                                                                        PID:2020
                                                                                                                                                      • C:\Windows\Performance\taskhost.exe
                                                                                                                                                        "C:\Windows\Performance\taskhost.exe"
                                                                                                                                                        43⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                        PID:896
                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
                                                                                                                                                          44⤵
                                                                                                                                                            PID:2044
                                                                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                                              45⤵
                                                                                                                                                                PID:296
                                                                                                                                                              • C:\Windows\Performance\taskhost.exe
                                                                                                                                                                "C:\Windows\Performance\taskhost.exe"
                                                                                                                                                                45⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                PID:2188
                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
                                                                                                                                                                  46⤵
                                                                                                                                                                    PID:1608
                                                                                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                                                      47⤵
                                                                                                                                                                        PID:2280
                                                                                                                                                                      • C:\Windows\Performance\taskhost.exe
                                                                                                                                                                        "C:\Windows\Performance\taskhost.exe"
                                                                                                                                                                        47⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                        PID:2120
                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
                                                                                                                                                                          48⤵
                                                                                                                                                                            PID:1968
                                                                                                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                                                                                              49⤵
                                                                                                                                                                                PID:2652
                                                                                                                                                                              • C:\Windows\Performance\taskhost.exe
                                                                                                                                                                                "C:\Windows\Performance\taskhost.exe"
                                                                                                                                                                                49⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                PID:2944
                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"
                                                                                                                                                                                  50⤵
                                                                                                                                                                                    PID:2496
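The subtree above is the sample's re-launch loop: each dropped C:\Windows\Performance\taskhost.exe runs cmd.exe /C on a random-named .bat in the user's Temp folder, and that cmd.exe has two children: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (a harmless local time query that takes a few seconds and is used here only as a sleep) and a fresh taskhost.exe, which starts the cycle again. The schtasks.exe entries in this tree register the dropped copies (wininit.exe, winlogon.exe, System.exe, cmd.exe, smss.exe, services.exe, dwm.exe, taskhost.exe, sppsvc.exe) as tasks that fire every few minutes (/sc MINUTE /mo N) and at logon with highest privileges (/sc ONLOGON /rl HIGHEST); the file names copy Windows binaries, but C:\Recovery\..., C:\hypermonitorNet and Program Files subfolders are not where those binaries live. The Python below is an added triage example, not part of the sandbox report and not DCRat code: it parses schtasks /create command lines, flags targets that borrow a system-binary name outside C:\Windows\System32 (the SYSTEM_BINARIES set, LEGIT_DIRS and the 15-minute threshold are the example's own choices), and walks process-creation records constructed from the tree above to find cmd.exe instances that slept via w32tm and then re-spawned a dropped executable.

```python
"""Triage helpers for the DCRat process tree above (added example, not part of
the sandbox report).  Checks: (1) schtasks /create lines whose target borrows a
Windows system-binary name but lives outside a system directory, re-launches
every few minutes, or runs at logon with highest privileges; (2) the
cmd.exe -> .bat -> w32tm -> dropped EXE loop, where the w32tm localhost
stripchart serves only as a short sleep before the payload starts again."""
import ntpath
import re
from collections import defaultdict

# Names of binaries that ship with Windows (System.exe has no on-disk image at
# all, so it is listed too).  The set and directories are this example's choice.
SYSTEM_BINARIES = {"wininit.exe", "winlogon.exe", "system.exe", "cmd.exe", "smss.exe",
                   "services.exe", "dwm.exe", "taskhost.exe", "sppsvc.exe", "csrss.exe",
                   "lsass.exe", "svchost.exe"}
LEGIT_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
RELAUNCH_MAX_MINUTES = 15  # assumed threshold: tighter than any sane maintenance task
_OPT = re.compile(r'/(tn|sc|mo|tr|rl|st)\s+(?:"([^"]*)"|(\S+))', re.I)
_SLEEP = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.I)


def parse_schtasks(cmdline):
    """Return the /tn /sc /mo /tr /rl /st values of a schtasks /create line, else None."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create", cmdline, re.I):
        return None
    opts = {}
    for m in _OPT.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        opts[m.group(1).lower()] = value.strip("'")  # DCRat wraps /tr as "'path'"
    return opts


def assess_task(opts):
    """List the reasons a parsed task looks like persistence; empty means no finding."""
    reasons = []
    target = opts.get("tr", "")
    name, directory = ntpath.basename(target).lower(), ntpath.dirname(target).lower()
    if name in SYSTEM_BINARIES and directory not in LEGIT_DIRS:
        reasons.append(f"masquerade: {name} outside a system directory ({directory})")
    if opts.get("sc", "").upper() == "MINUTE" and int(opts.get("mo", "1")) <= RELAUNCH_MAX_MINUTES:
        reasons.append(f"re-launch every {opts.get('mo', '1')} min")
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges")
    if opts.get("sc", "").upper() == "ONLOGON":
        reasons.append("runs at every logon")
    return reasons


def triage_tasks(lines):
    """(task name, reasons) for every schtasks /create line among the command lines."""
    out = []
    for line in lines:
        opts = parse_schtasks(line)
        if opts is not None:
            out.append((opts.get("tn", "?"), assess_task(opts)))
    return out


def find_relaunch_chains(events):
    """Find cmd.exe /C <x>.bat processes whose children are a w32tm localhost
    stripchart (the sleep) plus another executable (the re-launched payload)."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    chains = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe" or ".bat" not in e["cmdline"].lower():
            continue
        kids = children[e["pid"]]
        slept = any(_SLEEP.search(k["cmdline"]) for k in kids)
        payload = [k for k in kids if ntpath.basename(k["image"]).lower() != "w32tm.exe"]
        if slept and payload:
            chains.append({"cmd_pid": e["pid"], "payload": payload[0]["image"]})
    return chains


# Constructed input: four schtasks lines copied from the report plus one benign control.
SCHTASKS_LINES = [
    r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /f''',
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\hypermonitorNet\smss.exe'" /f''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\cmd.exe" /f''',  # constructed control
]

# Constructed process-creation records (pid, ppid, image, cmdline) for two turns of the loop above.
EVENTS = [
    {"pid": 2008, "ppid": 1404, "image": r"C:\Windows\Performance\taskhost.exe", "cmdline": r'"C:\Windows\Performance\taskhost.exe"'},
    {"pid": 2404, "ppid": 2008, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"'},
    {"pid": 2020, "ppid": 2404, "image": r"C:\Windows\system32\w32tm.exe", "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"pid": 896, "ppid": 2404, "image": r"C:\Windows\Performance\taskhost.exe", "cmdline": r'"C:\Windows\Performance\taskhost.exe"'},
    {"pid": 2044, "ppid": 896, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"'},
    {"pid": 296, "ppid": 2044, "image": r"C:\Windows\system32\w32tm.exe", "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"pid": 2188, "ppid": 2044, "image": r"C:\Windows\Performance\taskhost.exe", "cmdline": r'"C:\Windows\Performance\taskhost.exe"'},
]

if __name__ == "__main__":
    for name, reasons in triage_tasks(SCHTASKS_LINES):
        print(f"{name:10} {'; '.join(reasons) or 'no findings'}")
    for chain in find_relaunch_chains(EVENTS):
        print(f"cmd.exe pid {chain['cmd_pid']} slept via w32tm, then re-launched {chain['payload']}")
```

On a live host the same two functions can be fed the output of schtasks /query /fo LIST /v and Sysmon event ID 1 records; the masquerade check is the durable signal, since the task names and intervals vary between DCRat builds.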
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\hypermonitorNet\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\hypermonitorNet\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\hypermonitorNet\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Performance\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\hypermonitorNet\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\hypermonitorNet\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\hypermonitorNet\sppsvc.exe'" /rl HIGHEST /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:3032
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\lsm.exe'" /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:1884
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:1040
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:2316
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\hypermonitorNet\Idle.exe'" /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:1068
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\hypermonitorNet\Idle.exe'" /rl HIGHEST /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:1800
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\hypermonitorNet\Idle.exe'" /rl HIGHEST /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:1088
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:1448
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:1976
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:1300
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:1096
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:1116
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:268
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:1688
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:2188
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f
                                                                                  1⤵
                                                                                  • Process spawned unexpected child process
                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                  PID:1528
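The entries above show the same three-task pattern for every binary the sample drops: an interval task with no run level, an ONLOGON task at /rl HIGHEST, and a second interval task at /rl HIGHEST that reuses the first task's name and, because of /f, replaces it. Each target borrows the name of a Windows system process (taskhost, sppsvc, lsm, Idle, services, smss, wininit) but lives in a directory where no such binary belongs. The Python below is an added example, not part of this report or of the sandbox; it parses those command lines, flags each of these traits, and replays the creations in order to show which tasks are left behind. It assumes Windows 7, where genuine copies of the reused names live in C:\Windows\system32 (Idle.exe has no legitimate file at all), and the twelve commands in SAMPLE_COMMANDS are copied verbatim from the process list above.

```python
"""Parse the schtasks /create lines from this report, flag what makes each one
suspicious, and replay them in order to see which tasks are left on the host."""
import ntpath
import re
from dataclasses import dataclass, field

# Copied from the process list above: four of the seven dropped binaries, three
# tasks each. The remaining three binaries follow the identical pattern.
SAMPLE_COMMANDS = [
    r"""schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\taskhost.exe'" /f""",
    r"""schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Performance\taskhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\taskhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\hypermonitorNet\Idle.exe'" /f""",
    r"""schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\hypermonitorNet\Idle.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\hypermonitorNet\Idle.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f""",
    r"""schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f""",
    r"""schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f""",
]

# Where a genuine copy of each reused name lives on Windows 7 (assumption; adjust per
# build). Idle.exe has no legitimate file: "System Idle Process" is not a binary on disk.
SYSTEM32 = r"c:\windows\system32"
MASQUERADE_NAMES = {"taskhost.exe", "sppsvc.exe", "lsm.exe", "services.exe",
                    "smss.exe", "wininit.exe", "idle.exe"}

# /flag, optionally followed by a "quoted" value or a bare token that is not another /flag
_ARG_RE = re.compile(r'/(?P<flag>[a-z]+)(?:\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s/]\S*)))?', re.I)


def parse_schtasks_create(cmdline: str) -> dict[str, str]:
    """Map each /flag to its value ('' for bare switches such as /create and /f)."""
    args: dict[str, str] = {}
    for m in _ARG_RE.finditer(cmdline):
        quoted, bare = m.group("quoted"), m.group("bare")
        args[m.group("flag").lower()] = quoted if quoted is not None else (bare or "")
    if "tr" in args:  # DCRat passes the path as "'C:\...'"; drop the inner single quotes
        args["tr"] = args["tr"].strip("'")
    return args


@dataclass
class Finding:
    task_name: str
    target: str
    schedule: str
    interval: str
    run_level: str
    force: bool
    reasons: list[str] = field(default_factory=list)


def assess(args: dict[str, str]) -> Finding:
    """Run the checks an analyst applies to one parsed /create command."""
    target = args.get("tr", "")
    directory, base = ntpath.split(target)
    f = Finding(args.get("tn", ""), target, args.get("sc", "").upper(), args.get("mo", ""),
                args.get("rl", "LIMITED").upper(), "f" in args)  # schtasks defaults /rl to LIMITED
    if base.lower() in MASQUERADE_NAMES and directory.lower() != SYSTEM32:
        f.reasons.append(f"{base} outside {SYSTEM32}")
    if f.schedule == "ONLOGON" and f.run_level == "HIGHEST":
        f.reasons.append("elevated logon persistence")
    if f.schedule == "MINUTE":
        f.reasons.append(f"relaunched every {f.interval or '1'} min (watchdog)")
    if f.force:
        f.reasons.append("/f silently replaces an existing task of the same name")
    return f


def analyze(cmdlines: list[str]) -> list[Finding]:
    return [assess(parse_schtasks_create(c)) for c in cmdlines if "/create" in c.lower()]


def surviving_tasks(findings: list[Finding]) -> dict[str, Finding]:
    """Replay the creations in order: a later /create with the same /tn wins only if it used /f."""
    alive: dict[str, Finding] = {}
    for f in findings:
        if f.task_name not in alive or f.force:
            alive[f.task_name] = f
    return alive


if __name__ == "__main__":
    findings = analyze(SAMPLE_COMMANDS)
    for f in findings:
        print(f"{f.task_name:<10} {f.schedule:<8} {f.run_level:<8} {f.target}\n    {'; '.join(f.reasons)}")
    print(f"\n{len(findings)} creations, {len(surviving_tasks(findings))} tasks left on the host")
```

Feed it the command lines from Security event 4688 (with command-line auditing enabled) or Sysmon event 1 rather than the constructed list to use it as a detection; the masquerade check is the one that survives a change of task names, since the dropped file has to keep a system-looking name to blend into a task list.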

                                                                                Network

                                                                                MITRE ATT&CK Enterprise v15

                                                                                Downloads

                                                                                • C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat
                                                                                  Filesize

                                                                                  200B

                                                                                  MD5

                                                                                  e6460bc2845620c5f4c31d882cb5770c

                                                                                  SHA1

                                                                                  6043a2be93cf93c6c10b37f29a4b61a479a8992c

                                                                                  SHA256

                                                                                  dda0ee3244f1f84852750b766c3fa56201d1279fbec18323b7f0d0aade99e648

                                                                                  SHA512

                                                                                  03689b1e66a8f8b5b201006189630ea28da69b60aaf94f2868acc34cafc7bc755ce5c48c59498d2be2cd97a6643dd719685dea5a98fa2ad5417c183e29f1a485

                                                                                • C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat
                                                                                  Filesize

                                                                                  200B

                                                                                  MD5

                                                                                  c502417273dcd5b3289474e17033ecf1

                                                                                  SHA1

                                                                                  7ef1fcab5a26f6c51cd88557454a0286039886d6

                                                                                  SHA256

                                                                                  0086594cd97d45036d69751010e2a1ca1c38384d42b8b607c5b02562b8e32857

                                                                                  SHA512

                                                                                  b2a241a186eb96e49a18d8d5c828e924d1124aeafed491c9d8569bfdeb421f9d551517ef554ab2b91054930237d92e35dfb9a2c80f433748638c0e628a5db5f8

                                                                                • C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat
                                                                                  Filesize

                                                                                  200B

                                                                                  MD5

                                                                                  0d784d1182bb69202f5e417f679ebf39

                                                                                  SHA1

                                                                                  5b0dd34d3ef44c9d16029056b57f53661adc2db7

                                                                                  SHA256

                                                                                  8a021aab2809d61718cd6c9fdafb923bd3ad3a04f447d96f0c436bfddf20e5ef

                                                                                  SHA512

                                                                                  49764b45ea4957475bc38c7c5031154a83b9452c7ea5a5ddcb17608023f44e4de018ec02697e0fa5a125f3516c5acf65072e223d0967cc4484e7c35d422bbf0f

                                                                                • C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat
                                                                                  Filesize

                                                                                  200B

                                                                                  MD5

                                                                                  c59ded56fc13c0f77ce52d44e095f1bc

                                                                                  SHA1

                                                                                  9e95cb206169625d7dfa2d947d379945df30c50f

                                                                                  SHA256

                                                                                  60f75905eb3dbeb86391e9ac7aa80eff1f742950b200c326d97dcc274b0a6fd1

                                                                                  SHA512

                                                                                  2b33bcc76e1173dcfedb606eaf11791c9f2dd91fb2c91eba39d463f633d1b8e5d84dc806e5311e2818d7281e914e2b146e81d74a487d60de0c578169df92f3be

                                                                                • C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat
                                                                                  Filesize

                                                                                  200B

                                                                                  MD5

                                                                                  db21391bc79e0fe40f02d9753616e754

                                                                                  SHA1

                                                                                  f3cb75437f7eccb0c84a1d30aee712919a0f478d

                                                                                  SHA256

                                                                                  5832eff40de2b994ffa7281993015f2b7c3d0d38d19c8ac5b0aee83bf4b3b4c9

                                                                                  SHA512

                                                                                  cc33c14837aced8245e02ab1eb548aa7c762ba9f7428dacbaf99d21b2166bbd3c3c055fbfd1435473516612d5ae2dbb54cea79090fbfd3f00b47c69134c60e64

                                                                                • C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat
                                                                                  Filesize

                                                                                  200B

                                                                                  MD5

                                                                                  024d05ebd5bc378aea3167d9a13a7319

                                                                                  SHA1

                                                                                  414175cfecd8bb8b3f3e9427688ea69684a5234c

                                                                                  SHA256

                                                                                  88aaa11c2d2d7e854d2ea15387182afb2dc036d5df0021fdb6979b1a69608920

                                                                                  SHA512

                                                                                  7a266671201ee4b391567f60383efac2ff5810b75afe5e1453fc6a5b972c29cf2aa0930a4bae5326743f83d20a2194a124225e9fe3103ab380f8b65ed8a1670b

                                                                                • C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat
                                                                                  Filesize

                                                                                  200B

                                                                                  MD5

                                                                                  8a2c73874bab516a0e42dc84713702dd

                                                                                  SHA1

                                                                                  0f56c80c0dc30d2cc11c5c46f7429f915fd5c473

                                                                                  SHA256

                                                                                  fbbc97e3436f89d25996769a7b01e06af7ac74c3ffdfe79a33e174da3c9c4d3e

                                                                                  SHA512

                                                                                  484ba684163f9c5ffc4a7ebeb0fed3bafa44ab6a09c4667993dd4df889ebf34c098a2e413da11362d6aacd4a214b1850371e0f5a607d67a48e30f551d7b0fdaf

                                                                                • C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat
                                                                                  Filesize

                                                                                  200B

                                                                                  MD5

                                                                                  470931c594f7c037a8eb3b6947e8fd1f

                                                                                  SHA1

                                                                                  5a72b64f67177adb2ba78d2ad8d2149322797723

                                                                                  SHA256

                                                                                  3b648532045c9b3a584356b2f203f59fc84537de4c6ae4c3f3ee1034216a4f9e

                                                                                  SHA512

                                                                                  87629046f6f00c45ca5cff7a617e788263c638d83a4828ac3525ddd523b3aac0ef098ec2a327e7d58051179414945c36a3d0f1868c93b45b7f4449d69bdcc718

                                                                                • C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat
                                                                                  Filesize

                                                                                  200B

                                                                                  MD5

                                                                                  c9a84b7d9112a5e7827f60bb45dc9695

                                                                                  SHA1

                                                                                  93eb2139640dcd9f6410885afdd475ee5e0a686d

                                                                                  SHA256

                                                                                  45a532504deb52e0322b025f3796e74a7e403a1bdb79068ce6edd46fe6e305c0

                                                                                  SHA512

                                                                                  6e7e8f7693370bb407d29914aa71514d7bf34c9e16ae81ed9047b856439e6ff13b7e62590852b6bc8c54ad77017259a79a7601107ffe6b9a704090ae5e20e76d

                                                                                • C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat
                                                                                  Filesize

                                                                                  200B

                                                                                  MD5

                                                                                  a4519d0a850e19bf724cb929d0d76b40

                                                                                  SHA1

                                                                                  039bd0c94b87845481085b49a850929346cf77cb

                                                                                  SHA256

                                                                                  27f8ed1436a8481b2751c1d5fc2d3f9b7fb611e0e0a2e7ec3a565b84d9aeff79

                                                                                  SHA512

                                                                                  e08c77fc004dc85382240c64790f054d4b8b91cba059bb244268dd7301204924bc7c91e897ce8d85d480d784f0000a464f684fdb101cf55ae096277a45afe0e4

                                                                                • C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat
                                                                                  Filesize

                                                                                  200B

                                                                                  MD5

                                                                                  24578317f9ab66cb2e192d817bf0d3a1

                                                                                  SHA1

                                                                                  181fce1086f731f375db13ac7584c441ec7efc28

                                                                                  SHA256

                                                                                  5a6c305f2731696df0026dad395065908ae45417ad135189b1b3972d869d07b1

                                                                                  SHA512

                                                                                  f012627a3961f714265a80931d4eaad0404374cf028fb5a1113e6850256aeb7e378f2fcc4339332a9bd916ec65bf0f9724813f11c2d3242728051a6ad6e2982f

                                                                                • C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat
                                                                                  Filesize

                                                                                  200B

                                                                                  MD5

                                                                                  6946825fb6a801d6aa44d46662044387

                                                                                  SHA1

                                                                                  d16e9f7d82071659254123eb1ae03ac2795d2ca5

                                                                                  SHA256

                                                                                  922c007af54ae4d4fa6b11197fb747e0bfe4940d8f3ee21ee0b0814257e45059

                                                                                  SHA512

                                                                                  b8a217f165137c265c1db074b75132f8fdba525ff663845a77c1974ff8a2cf9e0db9cdc5bdb77811dafcaaae09674ca31762cecb1a2635621a2b7ee3f0cfff50

                                                                                • C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat
                                                                                  Filesize

                                                                                  200B

                                                                                  MD5

                                                                                  665b244ea88895b69574b7c54cf969e4

                                                                                  SHA1

                                                                                  8523851295c16180deafa3db1145ef880b8ea4d3

                                                                                  SHA256

                                                                                  c5b6497a8d8030de4981485c478edce5ce2b632b154aa54411fb242b87afd9d9

                                                                                  SHA512

                                                                                  40be2877cea61d4c167865c9875bb27d35daed7a1991c80e590b3735eb967de177f66a4941942804ee7535e327d2caa17a3453a342d39504d54af452a661e3f9

• C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat
  Filesize: 200B
  MD5: e63f99954b1ec95c720aa43813c20939
  SHA1: c6360ac04e69640102e2c052282bf79532fd5bb3
  SHA256: 4c542b10de453507e3dda5ba41423937473ce99c734d7106dadcc1b8db0fe1c6
  SHA512: 6ba5fbd38d2d3a6e73125c710f70bc3e56465874cbfed4aacd9480038eb01e9a008f049ccdaa7f82f9d3ef339d3d1b87f869414594470e31c9077b633c672980

• C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat
  Filesize: 200B
  MD5: ebcd4ae8290b3fca857f56bbccff1387
  SHA1: 2ea29ac988b7fdbdd8f5cb546a70c1d12a86b1cc
  SHA256: 30cc0dd94acbd53540c06c68a808def37e71de145f1c9438f0691ffe276be1f3
  SHA512: 59a3a946754bdb4d8ee601dcd6877fb769b1f816410f64cb6dea6fc1acf2e338c66d3a11c411a306aeb1315c2979df8ad8828aad7d703f911c12ff35ef845f4c

• C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat
  Filesize: 200B
  MD5: 2713dd88d551c16170b04e5ae2267ed4
  SHA1: f580494ccad594b31b1a287c49f7a27d936223b4
  SHA256: 29680165c7686d294dc780e2ba4063d82af5d86966369b79ab101c2197e0baf9
  SHA512: 7f99ee270c1037358c4952366af98aaac9e73683aa33d315f89cbb2d23927a3d0a0de25b7ee74bee39d823a0dd50b9389d9899dbe5c74cc01fc5bf461863d53f

• C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat
  Filesize: 200B
  MD5: b9a3dd513e50f5e6d6bceedeef85c768
  SHA1: 4442e1b77b65989d8b53f6ec06222b0233a7bb9f
  SHA256: 4d36ceea7f34b2fff2f1d33ce8aafcd3eca4a339fa0bc3103aa469fd6699cc42
  SHA512: b7f385967448147f5f76c8cd1c68a52e5fae36ee32a0b45cc5b5ea1d95a2b9073de2529a5d75ce85477e9e7a03d31a26c4952a43a1d94bbcd76a8a6ecf1de22d

• C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat
  Filesize: 200B
  MD5: 499ff4917a10f7ea560651d3920e09aa
  SHA1: fa931a0c768361eeda15caa3cbae194ecd0b8950
  SHA256: fffdc903181dc05ae0f1be00720d51b074b9a706c509b304f5fde88104f7236c
  SHA512: 552005c463b5e419f3a12e7d649075acd37ac56a2004308b200eec39e4f0be30ce8a7da283343edd36f6c1d78a65ae35faf0430b563c45657695c6d9b72e621d

• C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat
  Filesize: 200B
  MD5: d308753621fa549789c85c1f821e0f2a
  SHA1: 277cb2c835bc72f38cbd5ef76c04bf73d5f0ddb7
  SHA256: c523493172ad38a901c20eb48fb0f0f0bc7ea02d7081369e7b6dcda784ea7da5
  SHA512: 5f1a0e113199af73cce3a7cd9a0c9de9ded1da9da66f7a64d721ee08e6c19dd4fe7d55ef91239f8ddcb0ee425d3a19df42a6eadd40c057b8dbebe80227d7d2a4

• C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat
  Filesize: 200B
  MD5: ab01f18577987f9f25e3b1a7d3f4c64a
  SHA1: d0173576772d6286bcd83427a9934449dd47f977
  SHA256: 8a7592df05e87f9a0e2e16c911f692ec42133fa96d19f64361a1a23ef301e1e0
  SHA512: 3709535fc97016c22cf84cdc94e150c54b5627b63977523ca33886d44f549b1329af3e4b8e860c6a9371daba1513698842aa5d6ee38f5e8bd087acd0c30e7078

• C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat
  Filesize: 200B
  MD5: fea5b1ef531ea26ab1071e19bce1fa30
  SHA1: 195ec0d02e911292d8164d6f5f6f1e15d2c0184c
  SHA256: 26342f8c9b8f6b3af58d5a1ed03b2be17b53ba211d6a9e585eefc120d0ecf72c
  SHA512: 48589a0286788a8386d83e8b685fb1321efde237de3237f566cddd4aa7052c8582cad4d5e9c8e4c0870c302946ce33f07ceb526d12cc4526d53e905a9cd45768

• C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat
  Filesize: 200B
  MD5: 79e3b91d2422a619333505a009199d22
  SHA1: a5b7b932982da95042c537e24a190fb7cf4fbb52
  SHA256: c52878246824e77ccc1d122c00d35509ed37c24ede77ea0c435d8d0a8552366c
  SHA512: c12bb4c57ae77e4047c02f913bb3d2ae0e7779e25443183a4e3095cc7b58688597b18f8b5497b567cfe1887fe4f531f6caa2aa917658fe4e95b7d8ec4a23a7d6

• C:\hypermonitorNet\G9dRPBrMVK2Mc4FXz8bkgLxwR6gjGl.bat
  Filesize: 40B
  MD5: 48921ba5408bd60c927e4f83521cfabd
  SHA1: 4807cfab6a82b0d55906bd30b95f6f54af214323
  SHA256: cccf7704e494c90c32cd0662237f96d3551d5d30ff773fbc3d98c5f505617144
  SHA512: d714293c9a8572e3b19198b06fd8e8ade878e2fbbc956745f3ea04dfbcca834d09d28e7f134ebb055e07315c87f25ca7af2ca5ae4fa7322dfe8e7b6a22543e19

• C:\hypermonitorNet\U3FGPYCsduGsNBux.vbe
  Filesize: 223B
  MD5: 0578c779f37e63418bbb3f0b317ed4ac
  SHA1: 93317ce3a7cb7714149a1d859429006f5906b25e
  SHA256: 266bc757f37960293fba64a67c6cf23f7691f5cd946ae5c3a57f4f3f863abb80
  SHA512: 32747442979b3e1cfce004a68913d40b88a373bfe163b4522f5c94e374b6d382ff29944c734d1d481e92c2fd79c4041cf43deee25c336927a14e04a8ecd44c14

• \hypermonitorNet\reviewdriversvc.exe
  Filesize: 1.2MB
  MD5: bbd0b07fb3a0ec32c8430bb2dfc4946d
  SHA1: 9610545b2cf3098e317315dc4ad2dd40c11b2ac0
  SHA256: 4f253419a950bb64292145d6759b95a226147da59ae2bf43641be77abe704bad
  SHA512: 925e6ee1c5f267ff94b544909ea964375fdf2768cf01d25ade8270d3161e6148331624f2ae7bbbea51a47117688ebad776010a66c482c7bdd35cdbb8bd473d9a

• memory/896-189-0x0000000000E00000-0x0000000000F3E000-memory.dmp
  Filesize: 1.2MB

• memory/1432-133-0x0000000000270000-0x00000000003AE000-memory.dmp
  Filesize: 1.2MB

• memory/1508-118-0x0000000000050000-0x000000000018E000-memory.dmp
  Filesize: 1.2MB

• memory/1508-119-0x0000000000480000-0x0000000000492000-memory.dmp
  Filesize: 72KB

• memory/1680-90-0x00000000008D0000-0x0000000000A0E000-memory.dmp
  Filesize: 1.2MB

• memory/1816-53-0x0000000000AB0000-0x0000000000BEE000-memory.dmp
  Filesize: 1.2MB

• memory/1816-54-0x0000000000480000-0x0000000000492000-memory.dmp
  Filesize: 72KB

• memory/1964-83-0x0000000000230000-0x000000000036E000-memory.dmp
  Filesize: 1.2MB

• memory/2008-182-0x00000000009B0000-0x0000000000AEE000-memory.dmp
  Filesize: 1.2MB

• memory/2108-126-0x00000000004A0000-0x00000000004B2000-memory.dmp
  Filesize: 72KB

• memory/2188-197-0x0000000000300000-0x0000000000312000-memory.dmp
  Filesize: 72KB

• memory/2188-196-0x0000000001310000-0x000000000144E000-memory.dmp
  Filesize: 1.2MB

• memory/2344-140-0x0000000000C30000-0x0000000000D6E000-memory.dmp
  Filesize: 1.2MB

• memory/2420-97-0x00000000009E0000-0x0000000000B1E000-memory.dmp
  Filesize: 1.2MB

• memory/2420-98-0x0000000001F70000-0x0000000001F82000-memory.dmp
  Filesize: 72KB

• memory/2548-105-0x0000000000C20000-0x0000000000D5E000-memory.dmp
  Filesize: 1.2MB

• memory/2568-16-0x0000000000420000-0x0000000000432000-memory.dmp
  Filesize: 72KB

• memory/2568-13-0x0000000000250000-0x000000000038E000-memory.dmp
  Filesize: 1.2MB

• memory/2568-14-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB

• memory/2568-15-0x00000000004B0000-0x00000000004C6000-memory.dmp
  Filesize: 88KB

• memory/2684-148-0x00000000003C0000-0x00000000003D2000-memory.dmp
  Filesize: 72KB

• memory/2684-147-0x0000000000D80000-0x0000000000EBE000-memory.dmp
  Filesize: 1.2MB

• memory/2776-167-0x0000000000F30000-0x000000000106E000-memory.dmp
  Filesize: 1.2MB

• memory/2852-62-0x0000000000240000-0x0000000000252000-memory.dmp
  Filesize: 72KB

• memory/2852-61-0x0000000000E90000-0x0000000000FCE000-memory.dmp
  Filesize: 1.2MB

• memory/2876-175-0x0000000000370000-0x0000000000382000-memory.dmp
  Filesize: 72KB

• memory/2876-174-0x0000000000380000-0x00000000004BE000-memory.dmp
  Filesize: 1.2MB

• memory/2944-210-0x0000000000300000-0x000000000043E000-memory.dmp
  Filesize: 1.2MB

• memory/2972-76-0x0000000000270000-0x0000000000282000-memory.dmp
  Filesize: 72KB

• memory/2972-75-0x0000000000280000-0x00000000003BE000-memory.dmp
  Filesize: 1.2MB