Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 14:50
Behavioral task: behavioral1
- Sample: anarchyasd (1).exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: anarchyasd (1).exe
- Resource: win10v2004-20240226-en
General
- Target: anarchyasd (1).exe
- Size: 1.5MB
- MD5: 6951e63de2ec697bc1a261d829a6156d
- SHA1: e7b5bacbd9d33b5dca493ee6bb79321d5b5421be
- SHA256: 858eabba1504401f88e7e36d74ae8669cd79e426398237cf650ba5e11eff806a
- SHA512: 7167473877255a5728b2f3060aef8d144c86c3bbd51d3645b315ed8a62dd3728027fe0c75be820db6a7f06b9600621e123fd3f8936282622d36c38cf11b120a2
- SSDEEP: 24576:U2G/nvxW3Ww0t5JwVU27zeOS9TTnkUIn+wtI2haxuMoDq8YmS5nl7J+K:UbA305JW4uPhZMomMM75
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  Resources matched (resource: yara_rule):
  \hypermonitorNet\reviewdriversvc.exe: dcrat
  behavioral1/memory/2568-13-0x0000000000250000-0x000000000038E000-memory.dmp: dcrat
  behavioral1/memory/1816-53-0x0000000000AB0000-0x0000000000BEE000-memory.dmp: dcrat
  behavioral1/memory/2852-61-0x0000000000E90000-0x0000000000FCE000-memory.dmp: dcrat
  behavioral1/memory/2972-75-0x0000000000280000-0x00000000003BE000-memory.dmp: dcrat
  behavioral1/memory/1964-83-0x0000000000230000-0x000000000036E000-memory.dmp: dcrat
  behavioral1/memory/1680-90-0x00000000008D0000-0x0000000000A0E000-memory.dmp: dcrat
  behavioral1/memory/2420-97-0x00000000009E0000-0x0000000000B1E000-memory.dmp: dcrat
  behavioral1/memory/2548-105-0x0000000000C20000-0x0000000000D5E000-memory.dmp: dcrat
  behavioral1/memory/1508-118-0x0000000000050000-0x000000000018E000-memory.dmp: dcrat
  behavioral1/memory/1432-133-0x0000000000270000-0x00000000003AE000-memory.dmp: dcrat
  behavioral1/memory/2344-140-0x0000000000C30000-0x0000000000D6E000-memory.dmp: dcrat
  behavioral1/memory/2684-147-0x0000000000D80000-0x0000000000EBE000-memory.dmp: dcrat
  behavioral1/memory/2776-167-0x0000000000F30000-0x000000000106E000-memory.dmp: dcrat
  behavioral1/memory/2876-174-0x0000000000380000-0x00000000004BE000-memory.dmp: dcrat
  behavioral1/memory/2008-182-0x00000000009B0000-0x0000000000AEE000-memory.dmp: dcrat
  behavioral1/memory/896-189-0x0000000000E00000-0x0000000000F3E000-memory.dmp: dcrat
  behavioral1/memory/2188-196-0x0000000001310000-0x000000000144E000-memory.dmp: dcrat
  behavioral1/memory/2944-210-0x0000000000300000-0x000000000043E000-memory.dmp: dcrat
- Process spawned unexpected child process (45 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description, pid, pid_target, process): every row carries the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 948 and process schtasks.exe. The 45 schtasks.exe pids are:
  2444, 2460, 2516, 3048, 1748, 952, 788, 2832, 2976, 2204, 2700, 1936, 2692, 1520, 1276, 2776, 1100, 1132, 2796, 2840, 1928, 1376, 2540, 2180, 1736, 2064, 2024, 2892, 2060, 3032, 1884, 1040, 2316, 1068, 1800, 1088, 1448, 1976, 1300, 1096, 1116, 268, 1688, 2188, 1528
- Executes dropped EXE (24 IoCs)
  Processes (pid, process):
  2568 reviewdriversvc.exe
  taskhost.exe with pids 1816, 2852, 2552, 2972, 1964, 1680, 2420, 2548, 1952, 1508, 2108, 1432, 2344, 2684, 3048, 748, 2776, 2876, 2008, 896, 2188, 2120, 2944
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  2672 cmd.exe (two entries)
- Drops file in Program Files directory (12 IoCs)
  Files created by reviewdriversvc.exe (description, ioc, process):
  C:\Program Files (x86)\Microsoft Office\Stationery\1033\ebf1f9fa8afd6d
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\smss.exe
  C:\Program Files\Windows Mail\es-ES\services.exe
  C:\Program Files\Windows Mail\es-ES\c5b4cb5e9653cc
  C:\Program Files\Uninstall Information\services.exe
  C:\Program Files\Uninstall Information\c5b4cb5e9653cc
  C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
  C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0
  C:\Program Files\Windows Sidebar\ja-JP\56085415360792
  C:\Program Files\Windows Sidebar\ja-JP\wininit.exe
  C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\69ddcba757bf72
- Drops file in Windows directory (7 IoCs)
  Files touched by reviewdriversvc.exe (description, ioc, process):
  File created: C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe
  File opened for modification: C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe
  File created: C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\56085415360792
  File created: C:\Windows\Performance\taskhost.exe
  File created: C:\Windows\Performance\b75386f1303e64
  File created: C:\Windows\L2Schemas\lsm.exe
  File created: C:\Windows\L2Schemas\101b941d020240
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 45 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process): schtasks.exe with pids
  2796, 1376, 2180, 1736, 3032, 2516, 952, 1520, 1068, 1116, 1688, 1936, 1100, 1132, 2692, 2064, 1040, 2060, 1528, 1276, 1928, 2892, 1800, 1088, 3048, 2976, 2204, 1448, 1976, 1096, 2776, 2540, 2024, 2460, 1748, 2700, 2832, 2840, 2188, 2316, 1300, 268, 2444, 788, 1884
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  Processes (pid, process):
  2568 reviewdriversvc.exe (11 entries)
  taskhost.exe with pids 1816, 2852, 2552, 2972, 1964, 1680, 2420, 2548, 1952, 1508, 2108, 1432, 2344, 2684, 3048, 748, 2776, 2876, 2008, 896, 2188, 2120, 2944
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes (description, pid, process): every row is Token: SeDebugPrivilege
  2568 reviewdriversvc.exe
  taskhost.exe with pids 1816, 2852, 2552, 2972, 1964, 1680, 2420, 2548, 1952, 1508, 2108, 1432, 2344, 2684, 3048, 748, 2776, 2876, 2008, 896, 2188, 2120, 2944
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process), grouped by identical rows with the number of repetitions:
  PID 1176 anarchyasd (1).exe wrote to memory of 1904 WScript.exe (x4)
  PID 1904 WScript.exe wrote to memory of 2672 cmd.exe (x4)
  PID 2672 cmd.exe wrote to memory of 2568 reviewdriversvc.exe (x4)
  PID 2568 reviewdriversvc.exe wrote to memory of 1816 taskhost.exe (x3)
  PID 1816 taskhost.exe wrote to memory of 2160 cmd.exe (x3)
  PID 2160 cmd.exe wrote to memory of 1604 w32tm.exe (x3)
  PID 2160 cmd.exe wrote to memory of 2852 taskhost.exe (x3)
  PID 2852 taskhost.exe wrote to memory of 3040 cmd.exe (x3)
  PID 3040 cmd.exe wrote to memory of 1904 w32tm.exe (x3)
  PID 3040 cmd.exe wrote to memory of 2552 taskhost.exe (x3)
  PID 2552 taskhost.exe wrote to memory of 2348 cmd.exe (x3)
  PID 2348 cmd.exe wrote to memory of 2828 w32tm.exe (x3)
  PID 2348 cmd.exe wrote to memory of 2972 taskhost.exe (x3)
  PID 2972 taskhost.exe wrote to memory of 2768 cmd.exe (x3)
  PID 2768 cmd.exe wrote to memory of 2804 w32tm.exe (x3)
  PID 2768 cmd.exe wrote to memory of 1964 taskhost.exe (x3)
  PID 1964 taskhost.exe wrote to memory of 1184 cmd.exe (x3)
  PID 1184 cmd.exe wrote to memory of 524 w32tm.exe (x3)
  PID 1184 cmd.exe wrote to memory of 1680 taskhost.exe (x3)
  PID 1680 taskhost.exe wrote to memory of 584 cmd.exe (x3)
  PID 584 cmd.exe wrote to memory of 568 w32tm.exe (x1)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe"C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hypermonitorNet\U3FGPYCsduGsNBux.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hypermonitorNet\G9dRPBrMVK2Mc4FXz8bkgLxwR6gjGl.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\hypermonitorNet\reviewdriversvc.exe"C:\hypermonitorNet\reviewdriversvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:1604
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:1904
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2828
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"12⤵
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2804
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"13⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"14⤵
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:524
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"16⤵
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:568
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"17⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"18⤵PID:1068
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:236
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"19⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"20⤵PID:1404
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:1072
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"22⤵PID:288
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:1504
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"24⤵PID:296
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1768
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"25⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"26⤵PID:1972
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:1644
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"27⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"28⤵PID:2660
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:2772
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"30⤵PID:332
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:940
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"32⤵PID:1484
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵PID:2056
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat"34⤵PID:524
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:235⤵PID:2824
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat"36⤵PID:1624
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:237⤵PID:560
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"38⤵PID:1740
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:239⤵PID:3032
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"40⤵PID:1404
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:241⤵PID:1564
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"42⤵PID:2404
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:243⤵PID:2020
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"43⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"44⤵PID:2044
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:245⤵PID:296
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"45⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"46⤵PID:1608
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:247⤵PID:2280
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"48⤵PID:1968
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:249⤵PID:2652
-
C:\Windows\Performance\taskhost.exe"C:\Windows\Performance\taskhost.exe"49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"50⤵PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\hypermonitorNet\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\hypermonitorNet\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\hypermonitorNet\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Performance\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\hypermonitorNet\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\hypermonitorNet\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\hypermonitorNet\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\hypermonitorNet\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\hypermonitorNet\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\hypermonitorNet\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528
Downloads