Analysis

  • max time kernel
    155s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    20-06-2024 14:50

General

  • Target

    anarchyasd (1).exe

  • Size

    1.5MB

  • MD5

    6951e63de2ec697bc1a261d829a6156d

  • SHA1

    e7b5bacbd9d33b5dca493ee6bb79321d5b5421be

  • SHA256

    858eabba1504401f88e7e36d74ae8669cd79e426398237cf650ba5e11eff806a

  • SHA512

    7167473877255a5728b2f3060aef8d144c86c3bbd51d3645b315ed8a62dd3728027fe0c75be820db6a7f06b9600621e123fd3f8936282622d36c38cf11b120a2

  • SSDEEP

    24576:U2G/nvxW3Ww0t5JwVU27zeOS9TTnkUIn+wtI2haxuMoDq8YmS5nl7J+K:UbA305JW4uPhZMomMM75

Score
10/10

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe
    "C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hypermonitorNet\U3FGPYCsduGsNBux.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\hypermonitorNet\G9dRPBrMVK2Mc4FXz8bkgLxwR6gjGl.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3128
        • C:\hypermonitorNet\reviewdriversvc.exe
          "C:\hypermonitorNet\reviewdriversvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3660
          • C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
            "C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4928
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2816
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:4468
                • C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
                  "C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4952
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3632
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1208
                      • C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
                        "C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:4716
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2276
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:3404
                            • C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
                              "C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"
                              11⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:488
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:848
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:2700
                                  • C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
                                    "C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:2408
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
                                      14⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3660
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:3748
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
              1⤵
                PID:2856
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\smss.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1556
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\addins\smss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4236
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\smss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2296
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\winlogon.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2816
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3628
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4476
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1444
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3672
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4952
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\de-DE\MoUsoCoreWorker.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3088
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4948
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\de-DE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1872
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\lsass.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:788
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\SendTo\lsass.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4920
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\lsass.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4936
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\hypermonitorNet\Registry.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:260
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\hypermonitorNet\Registry.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3280
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\hypermonitorNet\Registry.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3140
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1324
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4724
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3988
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\hypermonitorNet\msedge.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1320
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\hypermonitorNet\msedge.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1296
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\hypermonitorNet\msedge.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4956
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4460
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2276
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1540
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\odt\TrustedInstaller.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3404
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1176
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4568
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\actionqueue\fontdrvhost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:496
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\fontdrvhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2092
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\actionqueue\fontdrvhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1692
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\hypermonitorNet\TrustedInstaller.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2288
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\hypermonitorNet\TrustedInstaller.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:5088
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\hypermonitorNet\TrustedInstaller.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1028
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\odt\MoUsoCoreWorker.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1596
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3408
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:112
