Analysis
-
max time kernel
155s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
20-06-2024 14:50
Behavioral task
behavioral1
Sample
anarchyasd (1).exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
anarchyasd (1).exe
Resource
win10v2004-20240226-en
General
-
Target
anarchyasd (1).exe
-
Size
1.5MB
-
MD5
6951e63de2ec697bc1a261d829a6156d
-
SHA1
e7b5bacbd9d33b5dca493ee6bb79321d5b5421be
-
SHA256
858eabba1504401f88e7e36d74ae8669cd79e426398237cf650ba5e11eff806a
-
SHA512
7167473877255a5728b2f3060aef8d144c86c3bbd51d3645b315ed8a62dd3728027fe0c75be820db6a7f06b9600621e123fd3f8936282622d36c38cf11b120a2
-
SSDEEP
24576:U2G/nvxW3Ww0t5JwVU27zeOS9TTnkUIn+wtI2haxuMoDq8YmS5nl7J+K:UbA305JW4uPhZMomMM75
Malware Config
Signatures
-
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
YARA matches for rule dcrat:
  C:\hypermonitorNet\reviewdriversvc.exe
  behavioral2/memory/3660-13-0x0000000000330000-0x000000000046E000-memory.dmp
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe, the WMI provider host, which is the parent recorded for any process started through WMI; that is consistent with the sample proxying its schtasks calls through WMI rather than with an exploit of WmiPrvSE.exe itself.
Processes: schtasks.exe (39 instances)
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 3080) is not expected to spawn schtasks.exe. Child schtasks.exe PIDs: 1556, 4236, 2296, 2816, 3628, 4476, 1444, 3672, 4952, 3088, 4948, 1872, 788, 4920, 4936, 260, 3280, 3140, 1324, 4724, 3988, 1320, 1296, 4956, 4460, 2276, 1540, 3404, 1176, 4568, 496, 2092, 1692, 5088, 2288, 1028, 1596, 3408, 112
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  by reviewdriversvc.exe (1), MoUsoCoreWorker.exe (5), anarchyasd (1).exe (1), WScript.exe (1)
-
Executes dropped EXE 6 IoCs
Processes (pid, image):
  3660 reviewdriversvc.exe
  4928 MoUsoCoreWorker.exe
  4952 MoUsoCoreWorker.exe
  4716 MoUsoCoreWorker.exe
  488 MoUsoCoreWorker.exe
  2408 MoUsoCoreWorker.exe
-
Drops file in Program Files directory 8 IoCs
Process: reviewdriversvc.exe
  File created C:\Program Files\Java\winlogon.exe
  File created C:\Program Files\Java\cc11b995f2a76d
  File created C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe
  File created C:\Program Files\Windows Multimedia Platform\24dbde2999530e
  File created C:\Program Files\Windows Defender\de-DE\MoUsoCoreWorker.exe
  File created C:\Program Files\Windows Defender\de-DE\1f93f77a7f4778
  File created C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe
  File created C:\Program Files (x86)\MSBuild\Microsoft\088424020bedd6
-
Drops file in Windows directory 5 IoCs
Process: reviewdriversvc.exe
  File opened for modification C:\Windows\addins\smss.exe
  File created C:\Windows\addins\69ddcba757bf72
  File created C:\Windows\Panther\actionqueue\fontdrvhost.exe
  File created C:\Windows\Panther\actionqueue\5b884080fd4f94
  File created C:\Windows\addins\smss.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 6 IoCs
Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings
  by anarchyasd (1).exe (1), MoUsoCoreWorker.exe (5)
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (39 instances), PIDs 1324, 1320, 1556, 4236, 4936, 3988, 3404, 4476, 3672, 2092, 4952, 4724, 4920, 3280, 3408, 3088, 1872, 4948, 2288, 112, 2296, 2816, 788, 3140, 2276, 1692, 3628, 1444, 4568, 496, 5088, 1028, 4460, 1176, 4956, 1540, 1596, 260, 1296
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes (pid, image, hits):
  3660 reviewdriversvc.exe (12)
  4928 MoUsoCoreWorker.exe (2)
  4952 MoUsoCoreWorker.exe (2)
  4716 MoUsoCoreWorker.exe (2)
  488 MoUsoCoreWorker.exe (2)
  2408 MoUsoCoreWorker.exe (2)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Token: SeDebugPrivilege enabled by:
  3660 reviewdriversvc.exe
  4928 MoUsoCoreWorker.exe
  4952 MoUsoCoreWorker.exe
  4716 MoUsoCoreWorker.exe
  488 MoUsoCoreWorker.exe
  2408 MoUsoCoreWorker.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
Process chain (source PID/image -> target PID/image, number of writes):
  3672 anarchyasd (1).exe -> 2740 WScript.exe (3)
  2740 WScript.exe -> 3128 cmd.exe (3)
  3128 cmd.exe -> 3660 reviewdriversvc.exe (2)
  3660 reviewdriversvc.exe -> 4928 MoUsoCoreWorker.exe (2)
  4928 MoUsoCoreWorker.exe -> 2816 cmd.exe (2)
  2816 cmd.exe -> 4468 w32tm.exe (2)
  2816 cmd.exe -> 4952 MoUsoCoreWorker.exe (2)
  4952 MoUsoCoreWorker.exe -> 3632 cmd.exe (2)
  3632 cmd.exe -> 1208 w32tm.exe (2)
  3632 cmd.exe -> 4716 MoUsoCoreWorker.exe (2)
  4716 MoUsoCoreWorker.exe -> 2276 cmd.exe (2)
  2276 cmd.exe -> 3404 w32tm.exe (2)
  2276 cmd.exe -> 488 MoUsoCoreWorker.exe (2)
  488 MoUsoCoreWorker.exe -> 848 cmd.exe (2)
  848 cmd.exe -> 2700 w32tm.exe (2)
  848 cmd.exe -> 2408 MoUsoCoreWorker.exe (2)
  2408 MoUsoCoreWorker.exe -> 3660 cmd.exe (2)
  3660 cmd.exe -> 3748 w32tm.exe (2)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
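Two of the behaviours recorded above are process-tree shapes rather than file or registry artefacts: schtasks.exe children of WmiPrvSE.exe, and the cmd.exe to w32tm.exe loop in which each MoUsoCoreWorker.exe copy runs a .bat from the user's Temp directory, calls `w32tm /stripchart /computer:localhost` as a short sleep, and then relaunches the same executable. The Python below is an added example written for this report (it is not sandbox output and not the malware's code) that expresses both shapes as rules over process-creation events. EVENTS is a constructed subset of the process list in this report (PID, parent PID, image, command line) with a benign console session added as a negative case; the tuple layout and the rule names are assumptions.

```python
"""Process-tree rules for two behaviours recorded in this DcRat report."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: (pid, ppid, image, cmdline) copied from the report's
# process list, plus a benign console session (PIDs 7000/7001) that must not match.
EVENTS = [
    (3080, 0, r"C:\Windows\system32\wbem\wmiprvse.exe", ""),
    (1556, 3080, r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\smss.exe'" /f'''),
    (3660, 3128, r"C:\hypermonitorNet\reviewdriversvc.exe",
     r'"C:\hypermonitorNet\reviewdriversvc.exe"'),
    (4928, 3660, r"C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe",
     r'"C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"'),
    (2816, 4928, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"'),
    (4468, 2816, r"C:\Windows\system32\w32tm.exe",
     r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (4952, 2816, r"C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe",
     r'"C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"'),
    (7000, 0, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    (7001, 7000, r"C:\Windows\system32\w32tm.exe", r"w32tm /query /status"),
]

_TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.bat', re.I)
_LOCAL_STRIPCHART = re.compile(r"/stripchart\s+/computer:localhost\b", re.I)


def _image_name(image):
    """Lower-case file name of an image path."""
    return PureWindowsPath(image).name.lower()


def _index(events):
    """Build pid -> event and ppid -> [child events] lookups."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e[1]].append(e)
    return by_pid, children


def wmi_spawned_schtasks(events):
    """PIDs of schtasks.exe whose parent is WmiPrvSE.exe.

    WmiPrvSE.exe is the parent recorded for processes started through WMI,
    so this matches the 39 'unexpected child process' hits in the report.
    """
    by_pid, _ = _index(events)
    hits = []
    for pid, ppid, image, _cmd in events:
        parent = by_pid.get(ppid)
        if (_image_name(image) == "schtasks.exe" and parent is not None
                and _image_name(parent[2]) == "wmiprvse.exe"):
            hits.append(pid)
    return hits


def batch_sleep_relaunch(events):
    """PIDs of cmd.exe that run a Temp .bat, sleep via w32tm, and relaunch the parent image.

    Shape seen in the report: MoUsoCoreWorker.exe -> cmd.exe running a Temp .bat
    -> w32tm /stripchart /computer:localhost, then a new MoUsoCoreWorker.exe
    started by that same cmd.exe.
    """
    by_pid, children = _index(events)
    hits = []
    for pid, ppid, image, cmd in events:
        if _image_name(image) != "cmd.exe" or not _TEMP_BAT.search(cmd):
            continue
        kids = children.get(pid, [])
        sleeps = any(_image_name(k[2]) == "w32tm.exe" and _LOCAL_STRIPCHART.search(k[3])
                     for k in kids)
        parent = by_pid.get(ppid)
        relaunches = parent is not None and any(
            k[2].lower() == parent[2].lower() for k in kids)
        if sleeps and relaunches:
            hits.append(pid)
    return hits


def evaluate(events):
    """Run both rules and return {rule_name: [matching pids]}."""
    return {"wmi_spawned_schtasks": wmi_spawned_schtasks(events),
            "batch_sleep_relaunch": batch_sleep_relaunch(events)}


if __name__ == "__main__":
    print(evaluate(EVENTS))
```

The second rule deliberately requires all three legs (Temp .bat, localhost stripchart, relaunch of the parent's image): `w32tm /stripchart` on its own is a legitimate time-sync check, and the benign PIDs 7000/7001 show it is not flagged.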
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe"
  PID: 3672
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
-
Depth 2: C:\Windows\SysWOW64\WScript.exe (32-bit parent, so System32 is redirected to SysWOW64)
  Command line: "C:\Windows\System32\WScript.exe" "C:\hypermonitorNet\U3FGPYCsduGsNBux.vbe"
  PID: 2740
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
-
Depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\hypermonitorNet\G9dRPBrMVK2Mc4FXz8bkgLxwR6gjGl.bat" "
  PID: 3128
  - Suspicious use of WriteProcessMemory
-
Depth 4: C:\hypermonitorNet\reviewdriversvc.exe
  Command line: "C:\hypermonitorNet\reviewdriversvc.exe"
  PID: 3660
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
Depth 5: C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
  Command line: "C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"
  PID: 4928
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
Depth 6: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
  PID: 2816
  - Suspicious use of WriteProcessMemory
-
Depth 7: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 4468
-
Depth 7: C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
  Command line: "C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"
  PID: 4952
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
Depth 8: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
  PID: 3632
  - Suspicious use of WriteProcessMemory
-
Depth 9: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 1208
-
Depth 9: C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
  Command line: "C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"
  PID: 4716
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
Depth 10: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
  PID: 2276
  - Suspicious use of WriteProcessMemory
-
Depth 11: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3404
-
Depth 11: C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
  Command line: "C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"
  PID: 488
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
Depth 12: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
  PID: 848
  - Suspicious use of WriteProcessMemory
-
Depth 13: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 2700
-
Depth 13: C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
  Command line: "C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"
  PID: 2408
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
Depth 14: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
  PID: 3660 (PID reused after reviewdriversvc.exe, the earlier PID 3660, had exited)
  - Suspicious use of WriteProcessMemory
-
Depth 15: C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID: 3748
-
Depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (sandbox background activity, not spawned by the sample)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
  PID: 2856
-
Scheduled-task registrations: 39 instances of C:\Windows\system32\schtasks.exe, all at depth 1 in the tree (parent WmiPrvSE.exe, PID 3080, per the signature above), each flagged "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task". Every dropped copy receives the same triplet: a MINUTE task without a run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST; task names are the impersonated binary's name, with or without a one-letter suffix.
PID 1556: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\smss.exe'" /f
PID 4236: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\addins\smss.exe'" /rl HIGHEST /f
PID 2296: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\smss.exe'" /rl HIGHEST /f
PID 2816: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\winlogon.exe'" /f
PID 3628: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f
PID 4476: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f
PID 1444: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /f
PID 3672: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f
PID 4952: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f
PID 3088: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\de-DE\MoUsoCoreWorker.exe'" /f
PID 4948: schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
PID 1872: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\de-DE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
PID 788: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\lsass.exe'" /f
PID 4920: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\SendTo\lsass.exe'" /rl HIGHEST /f
PID 4936: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\lsass.exe'" /rl HIGHEST /f
PID 260: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\hypermonitorNet\Registry.exe'" /f
PID 3280: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\hypermonitorNet\Registry.exe'" /rl HIGHEST /f
PID 3140: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\hypermonitorNet\Registry.exe'" /rl HIGHEST /f
PID 1324: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe'" /f
PID 4724: schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe'" /rl HIGHEST /f
PID 3988: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe'" /rl HIGHEST /f
PID 1320: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\hypermonitorNet\msedge.exe'" /f
PID 1296: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\hypermonitorNet\msedge.exe'" /rl HIGHEST /f
PID 4956: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\hypermonitorNet\msedge.exe'" /rl HIGHEST /f
PID 4460: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /f
PID 2276: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f
PID 1540: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f
PID 3404: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\odt\TrustedInstaller.exe'" /f
PID 1176: schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
PID 4568: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
PID 496: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\actionqueue\fontdrvhost.exe'" /f
PID 2092: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\fontdrvhost.exe'" /rl HIGHEST /f
PID 1692: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\actionqueue\fontdrvhost.exe'" /rl HIGHEST /f
PID 2288: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\hypermonitorNet\TrustedInstaller.exe'" /f
PID 5088: schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\hypermonitorNet\TrustedInstaller.exe'" /rl HIGHEST /f
PID 1028: schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\hypermonitorNet\TrustedInstaller.exe'" /rl HIGHEST /f
PID 1596: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\odt\MoUsoCoreWorker.exe'" /f
PID 3408: schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f
PID 112: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f
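The schtasks invocations listed above all point at a binary named after a Windows component (smss.exe, winlogon.exe, lsass.exe, WmiPrvSE.exe, conhost.exe, fontdrvhost.exe, TrustedInstaller.exe, MoUsoCoreWorker.exe, msedge.exe) that lives outside that component's real directory, and each target is registered several times. The Python below is an added example written for this report (not sandbox output and not the malware's code) that parses such command lines as they appear in process-creation telemetry and flags both the masquerade and the repeated registration. SAMPLE_CMDLINES is constructed from six of the lines above plus one benign task; EXPECTED_DIRS is an illustrative assumption about where Windows ships the real binaries, not an exhaustive allow-list.

```python
"""Flag DcRat-style scheduled-task persistence from schtasks command lines."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: six lines copied from the report's process list plus one
# benign task (Backup) that the rules must leave alone.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\smss.exe'" /f''',
    r'''schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\addins\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\winlogon.exe'" /f''',
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Tools\backup.exe" /f''',
]

# Assumption for illustration: where Windows normally keeps the binary names
# this sample impersonates. Build the real list from a golden image.
EXPECTED_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "mousocoreworker.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "trustedinstaller.exe": {r"c:\windows\servicing"},
    "msedge.exe": {r"c:\program files (x86)\microsoft\edge\application",
                   r"c:\program files\microsoft\edge\application"},
}

_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)
_FLAGS = {
    "name": re.compile(r'/tn\s+"([^"]*)"', re.I),
    "schedule": re.compile(r"/sc\s+(\S+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)", re.I),
    "target": re.compile(r'/tr\s+"([^"]*)"', re.I),
    "runlevel": re.compile(r"/rl\s+(\S+)", re.I),
}


def parse_schtasks(cmdline):
    """Return the fields of a `schtasks /create` command, or None for anything else."""
    if not _CREATE.search(cmdline):
        return None
    fields = {}
    for key, rx in _FLAGS.items():
        m = rx.search(cmdline)
        fields[key] = m.group(1) if m else None
    if fields["modifier"] is not None:
        fields["modifier"] = int(fields["modifier"])
    if fields["target"] is not None:
        # The sample wraps the action in single quotes inside the double quotes.
        fields["target"] = fields["target"].strip("'")
    return fields


def is_masqueraded(target):
    """True when the action is a known Windows binary name outside its real directory."""
    path = PureWindowsPath(target)
    expected = EXPECTED_DIRS.get(path.name.lower())
    if expected is None:
        return False
    return str(path.parent).lower() not in expected


def analyze(cmdlines):
    """Group registrations by action path; report masqueraded and repeated targets."""
    by_target = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks(line)
        if task and task["target"]:
            by_target[task["target"].lower()].append(task)
    masqueraded = sorted({t["target"] for tasks in by_target.values()
                          for t in tasks if is_masqueraded(t["target"])})
    # Several tasks for one action (ONLOGON plus periodic MINUTE re-launches)
    # is the redundancy pattern in this report; a single registration is not.
    repeated = {path: [t["name"] for t in tasks]
                for path, tasks in by_target.items() if len(tasks) >= 2}
    return {"masqueraded": masqueraded, "repeated": repeated}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CMDLINES).items():
        print(f"{key}: {value}")
```

The masquerade check compares the action's parent directory against the known home of that file name, so a copy in C:\Windows\addins or C:\Program Files\Java is flagged while the genuine System32 binary is not; the repeated-registration check needs no allow-list at all and would also catch a target whose name was not in EXPECTED_DIRS.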
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MoUsoCoreWorker.exe.log
  Filesize: 1KB
  MD5: 9699cf9bb24ebbc9b1035710e92b7bd2
  SHA1: 73f0f26db57ea306970a76f42c647bbce02a3f23
  SHA256: fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5
  SHA512: 3a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb
-
C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat
  Filesize: 231B
  MD5: fd85152cb523f335b4174ac40297890e
  SHA1: 42076b96cb6fa213eb2c23bb29341f0f17a1a6b1
  SHA256: f989e4987b315664afc2369f41e7a1039261be3d3035342500b96cf886af4783
  SHA512: 302eef2e8498bfd5d9a619e31b8e2587e356cf8c6c607aae201c4859130ce6c088202e239c8a368a345bdaab8a82c95b5e4bb97e3ac7b6909c6f56f4ddda8eb5
-
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat
  Filesize: 231B
  MD5: b4d3293c2062b282593a5e7c5942d587
  SHA1: 7c8625bdd067b5158897729c37fb8bacffd9ea85
  SHA256: b636c38c8f7b17a3031731d21e99512624cfd26a54d47274314b27f774cec5ea
  SHA512: dd9e759b5b237a0af65efec1866eb3a0ca4c9e8cec20e4ea1e1973b7da8b8f869343a812214c82df9a72cdb917cfc45b1649cd4af56f7c47087c3f677a0ad03a
-
C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat
  Filesize: 231B
  MD5: c102243734e4ce59c5228bb890e6327c
  SHA1: f88dde00086c25635e2ed49f4a22ee18d0961439
  SHA256: 84f8c494316a2d8de3ae3141d0ff81ec140266854942dfaa0154dece6ce5dc69
  SHA512: dc22f32977ad31889359b5001eff6699ed40e64c922d85b5eb35679732b1ef4297ec2e89b80b4f0b5b8235951d9ff01a67668e0175f8c9ab1a599c51db677657
-
C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat
  Filesize: 231B
  MD5: df9eec07516547cec83966bd2a37fe0f
  SHA1: 5afab3b64a536d494bae96fd6a5311f449ecf491
  SHA256: 153a2b08c96b8d8bdbb34384292b30bc226d7e63c62de2d5a39529ff5ad2dbe0
  SHA512: b7ccf38f80c7c68ad30629842b406f3b71f0f13d7867e4e18a9a1c1a394dc79226e4919946b98a35b1620d02d26a13820b15e8f5daede149db933e0782ac9557
-
C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat
  Filesize: 231B
  MD5: 87bc9cbe940b7168ce187bf0e74926ee
  SHA1: 2867fa46a53e58b4e44ecc49e0fc549b91b5ab53
  SHA256: dc6821cc243b63c42529897cbabfdc942657213a343d0c57e7d2d0e57f52bf27
  SHA512: d7b15fac7d31940d1d43bfead2ee597dbfd5483a0db96b1879bf3cb7bf90fa045151007146d1f751178dfc599ad3898f3851228d666e400e77f046ea26c2f8b1
-
C:\hypermonitorNet\G9dRPBrMVK2Mc4FXz8bkgLxwR6gjGl.bat
  Filesize: 40B
  MD5: 48921ba5408bd60c927e4f83521cfabd
  SHA1: 4807cfab6a82b0d55906bd30b95f6f54af214323
  SHA256: cccf7704e494c90c32cd0662237f96d3551d5d30ff773fbc3d98c5f505617144
  SHA512: d714293c9a8572e3b19198b06fd8e8ade878e2fbbc956745f3ea04dfbcca834d09d28e7f134ebb055e07315c87f25ca7af2ca5ae4fa7322dfe8e7b6a22543e19
-
C:\hypermonitorNet\U3FGPYCsduGsNBux.vbe
  Filesize: 223B
  MD5: 0578c779f37e63418bbb3f0b317ed4ac
  SHA1: 93317ce3a7cb7714149a1d859429006f5906b25e
  SHA256: 266bc757f37960293fba64a67c6cf23f7691f5cd946ae5c3a57f4f3f863abb80
  SHA512: 32747442979b3e1cfce004a68913d40b88a373bfe163b4522f5c94e374b6d382ff29944c734d1d481e92c2fd79c4041cf43deee25c336927a14e04a8ecd44c14
-
C:\hypermonitorNet\reviewdriversvc.exe
  Filesize: 1.2MB
  MD5: bbd0b07fb3a0ec32c8430bb2dfc4946d
  SHA1: 9610545b2cf3098e317315dc4ad2dd40c11b2ac0
  SHA256: 4f253419a950bb64292145d6759b95a226147da59ae2bf43641be77abe704bad
  SHA512: 925e6ee1c5f267ff94b544909ea964375fdf2768cf01d25ade8270d3161e6148331624f2ae7bbbea51a47117688ebad776010a66c482c7bdd35cdbb8bd473d9a
-
Memory dumps (file, size):
  memory/488-80-0x0000000000EB0000-0x0000000000EC2000-memory.dmp  72KB
  memory/2408-87-0x0000000000EC0000-0x0000000000ED2000-memory.dmp  72KB
  memory/3660-14-0x0000000000D40000-0x0000000000D5C000-memory.dmp  112KB
  memory/3660-21-0x00007FFC3C613000-0x00007FFC3C615000-memory.dmp  8KB
  memory/3660-18-0x000000001BF50000-0x000000001C478000-memory.dmp  5.2MB
  memory/3660-17-0x0000000000D70000-0x0000000000D82000-memory.dmp  72KB
  memory/3660-16-0x0000000002580000-0x0000000002596000-memory.dmp  88KB
  memory/3660-15-0x000000001AFD0000-0x000000001B020000-memory.dmp  320KB
  memory/3660-13-0x0000000000330000-0x000000000046E000-memory.dmp  1.2MB
  memory/3660-12-0x00007FFC3C613000-0x00007FFC3C615000-memory.dmp  8KB
  memory/4716-73-0x000000001B4C0000-0x000000001B4D2000-memory.dmp  72KB
  memory/4928-57-0x00000000030A0000-0x00000000030B2000-memory.dmp  72KB
  memory/4952-66-0x0000000002F50000-0x0000000002F62000-memory.dmp  72KB