Malware Analysis Report

2024-10-10 13:06

Sample ID 240620-r7slkaxdnp
Target anarchyasd (1).exe
SHA256 858eabba1504401f88e7e36d74ae8669cd79e426398237cf650ba5e11eff806a
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

858eabba1504401f88e7e36d74ae8669cd79e426398237cf650ba5e11eff806a

Threat Level: Known bad

The file anarchyasd (1).exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

Dcrat family

DCRat payload

DcRat

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 14:50

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 14:50

Reported

2024-06-20 14:53

Platform

win7-20240611-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (45 identical events; the 45 schtasks.exe /create command lines are listed under Processes)

The parent of every schtasks.exe here is WmiPrvSE.exe, not reviewdriversvc.exe. Processes started through WMI (Win32_Process.Create) run as children of the WMI provider host, so this is consistent with the dropper issuing its task-creation commands over WMI instead of calling schtasks.exe directly. A detection rule that only pairs schtasks.exe with a parent in the user's temp path or with a dropped binary would miss all 45 of them; the WmiPrvSE.exe -> schtasks.exe pairing itself is the signal.

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (19 matches, no indicator detail recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\ebf1f9fa8afd6d C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\smss.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files\Windows Mail\es-ES\services.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files\Windows Mail\es-ES\c5b4cb5e9653cc C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files\Uninstall Information\services.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files\Uninstall Information\c5b4cb5e9653cc C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0 C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files\Windows Sidebar\ja-JP\56085415360792 C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files\Windows Sidebar\ja-JP\wininit.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\69ddcba757bf72 C:\hypermonitorNet\reviewdriversvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File opened for modification C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\56085415360792 C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Windows\Performance\taskhost.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Windows\Performance\b75386f1303e64 C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Windows\L2Schemas\lsm.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Windows\L2Schemas\101b941d020240 C:\hypermonitorNet\reviewdriversvc.exe N/A
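The two drop tables above follow one pattern: each executable carrying a system binary name (smss.exe, services.exe, wininit.exe, taskhost.exe, lsm.exe, cmd.exe, System.exe) is written beside a file whose name is 14 hexadecimal characters, and the same companion name recurs wherever the same executable name is dropped (c5b4cb5e9653cc beside services.exe in two directories, 56085415360792 beside wininit.exe in two), so the companion appears tied to the executable name rather than random. The script below is an added example, not part of the sandbox report: it parses the drop rows (copied from the tables above, plus one constructed benign row) and pairs each executable with its companion so the pairs can serve as a hunt list. The pairing rule and all function names are the editor's own.

```python
"""Pair each dropped executable with its 14-hex-character companion file.

Added example, not part of the sandbox report. SAMPLE_ROWS copies the report's
'Drops file in Program Files directory' and 'Drops file in Windows directory'
tables and adds one constructed benign row; the pairing rule is the editor's
own hunting heuristic, not a sandbox signature.
"""
import re
from collections import defaultdict

# "File <event> <dropped path> <writing process> N/A"; both paths may contain spaces,
# so the dropped path is matched lazily up to the next "<drive>:\" token.
ROW_RE = re.compile(r"^File (created|opened for modification) (.+?) ([A-Za-z]:\\.+?) N/A$")
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")


def parse_drop_rows(rows):
    """Yield (event, dropped_path, writing_process) for each table row."""
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def split_path(path):
    """'C:\\dir\\name' -> ('C:\\dir', 'name')."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def pair_companions(rows):
    """Return {directory: (exe_path, companion_path)} for each directory where a
    dropped .exe sits beside a 14-hex-character file; lone files are ignored."""
    by_dir = defaultdict(lambda: {"exe": set(), "companion": set()})
    for _event, path, _proc in parse_drop_rows(rows):
        directory, name = split_path(path)
        if name.lower().endswith(".exe"):
            by_dir[directory]["exe"].add(path)
        elif COMPANION_RE.match(name):
            by_dir[directory]["companion"].add(path)
    return {d: (min(f["exe"]), min(f["companion"]))
            for d, f in by_dir.items() if f["exe"] and f["companion"]}


def companion_index(pairs):
    """{companion_name: sorted directories}; a name listed under several
    directories was reused for the same executable name."""
    idx = defaultdict(list)
    for directory, (_exe, companion) in pairs.items():
        idx[split_path(companion)[1]].append(directory)
    return {name: sorted(dirs) for name, dirs in idx.items()}


SAMPLE_ROWS = [  # 19 rows from the report, then one constructed benign row
    r"File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\ebf1f9fa8afd6d C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\smss.exe C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Program Files\Windows Mail\es-ES\services.exe C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Program Files\Windows Mail\es-ES\c5b4cb5e9653cc C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Program Files\Uninstall Information\services.exe C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Program Files\Uninstall Information\c5b4cb5e9653cc C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0 C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Program Files\Windows Sidebar\ja-JP\56085415360792 C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Program Files\Windows Sidebar\ja-JP\wininit.exe C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\69ddcba757bf72 C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File opened for modification C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\56085415360792 C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Windows\Performance\taskhost.exe C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Windows\Performance\b75386f1303e64 C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Windows\L2Schemas\lsm.exe C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Windows\L2Schemas\101b941d020240 C:\hypermonitorNet\reviewdriversvc.exe N/A",
    r"File created C:\Program Files\Common Files\readme.txt C:\hypermonitorNet\reviewdriversvc.exe N/A",  # constructed
]

if __name__ == "__main__":
    pairs = pair_companions(SAMPLE_ROWS)
    for directory, (exe, companion) in sorted(pairs.items()):
        print(f"{exe}  <->  {companion}")
    for name, dirs in companion_index(pairs).items():
        if len(dirs) > 1:
            print(f"{name} reused in {len(dirs)} directories")
```

On a live host the pairs are what to look for: the executable alone is a plausible (if misplaced) system binary name, but an executable plus a 14-hex-character sibling in a directory such as C:\Windows\Performance or a Program Files language subfolder has no legitimate explanation.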

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (45 events; the command lines are listed under Processes)
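The 45 schtasks.exe invocations listed under Processes have the same shape for every dropped binary: a "<name><letter>" task on a MINUTE trigger, a "<name>" task ONLOGON with /rl HIGHEST, and a second "<name><letter>" MINUTE task with /rl HIGHEST, every one pointing at a copy of a system binary name outside System32 (wininit, winlogon, smss, services, dwm, taskhost, sppsvc, lsm, Idle, System, cmd). The script below is an added example, not part of the sandbox report: it parses schtasks /create command lines (nine copied from this report, one constructed benign line) and flags that pattern. The tag names, the 15-minute watchdog threshold and the list of impersonated names are the editor's own choices.

```python
"""Flag DCRat-style scheduled-task persistence from schtasks.exe command lines.

Added example, not part of the sandbox report. The sample command lines are
copied from the report's Processes section plus one constructed benign line;
the scoring rules are the editor's own heuristics, not a sandbox signature.
"""
import re
from collections import defaultdict

# Basenames of Windows system binaries that the sample's dropped copies impersonate.
SYSTEM_NAMES = {"smss", "wininit", "winlogon", "lsm", "services", "dwm",
                "taskhost", "sppsvc", "idle", "system", "cmd"}
# Directories in which those names legitimately live.
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WATCHDOG_MAX_MINUTES = 15   # a task re-run this often is a watchdog, not a job

TASK_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
TRIGGER_RE = re.compile(r"/sc\s+(\w+)(?:\s+/mo\s+(\d+))?", re.I)
ACTION_RE = re.compile(r"""/tr\s+"'?([^"']+)""", re.I)   # /tr "'path'" and /tr "path"
LEVEL_RE = re.compile(r"/rl\s+(\w+)", re.I)


def parse_schtasks(cmdline):
    """Return the /tn, /sc, /mo, /tr and /rl values of a 'schtasks /create', else None."""
    if "/create" not in cmdline.lower():
        return None
    tn, sc, tr, rl = (rx.search(cmdline) for rx in (TASK_RE, TRIGGER_RE, ACTION_RE, LEVEL_RE))
    if not (tn and sc and tr):
        return None
    return {"task": tn.group(1),
            "schedule": sc.group(1).upper(),
            "modifier": int(sc.group(2)) if sc.group(2) else None,
            "action": tr.group(1),
            "level": rl.group(1).upper() if rl else "LIMITED"}


def suspicion_tags(task):
    """Heuristic tags for one parsed task (an empty set means nothing stood out)."""
    tags = set()
    action = task["action"]
    base = action.rsplit("\\", 1)[-1].lower()
    stem = base[:-4] if base.endswith(".exe") else base
    if stem in SYSTEM_NAMES and not action.lower().startswith(LEGIT_DIRS):
        tags.add("masquerade")              # system-binary name outside System32
    name = task["task"].lower()
    if stem in SYSTEM_NAMES and name.startswith(stem) and len(name) - len(stem) <= 1:
        tags.add("task_name_from_binary")   # "wininit" / "wininitw" style names
    if task["schedule"] == "MINUTE" and (task["modifier"] or 0) <= WATCHDOG_MAX_MINUTES:
        tags.add("watchdog")
    if task["level"] == "HIGHEST":
        tags.add("highest")
    return tags


def find_persistence_sets(cmdlines):
    """Group /create commands by action path and return the paths that show the
    DCRat triad: an ONLOGON task plus minute-interval tasks, at least one HIGHEST."""
    by_action = defaultdict(list)
    for line in cmdlines:
        parsed = parse_schtasks(line)
        if parsed:
            by_action[parsed["action"].lower()].append(parsed)
    hits = {}
    for action, tasks in by_action.items():
        schedules = {t["schedule"] for t in tasks}
        if {"ONLOGON", "MINUTE"} <= schedules and any(t["level"] == "HIGHEST" for t in tasks):
            hits[action] = sorted({t["task"] for t in tasks})
    return hits


SAMPLE = [  # first nine lines are from the report; the last one is constructed
    r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /f''',
    r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe'" /f''',
    r'''schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\taskhost.exe'" /f''',
    r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Performance\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f''',
]

if __name__ == "__main__":
    for action, names in find_persistence_sets(SAMPLE).items():
        print(f"{action}: tasks {names}")
    for line in SAMPLE:
        print(sorted(suspicion_tags(parse_schtasks(line))), line[:60])
```

The grouping by action path is what makes this robust: a single watchdog task on its own is common in legitimate software, but three tasks with nearly identical names, one of them ONLOGON at highest run level and the rest firing every few minutes, all aimed at the same misplaced copy of a system binary, is the DCRat dropper's fingerprint and is visible in event logs as a burst of schtasks /create within a few seconds.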

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\hypermonitorNet\reviewdriversvc.exe N/A (11 events)
N/A N/A C:\Windows\Performance\taskhost.exe N/A (23 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\hypermonitorNet\reviewdriversvc.exe N/A (1 event)
Token: SeDebugPrivilege N/A C:\Windows\Performance\taskhost.exe N/A (23 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 1904 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe C:\Windows\SysWOW64\WScript.exe
PID 1904 wrote to memory of 2672 (4 events) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2568 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\hypermonitorNet\reviewdriversvc.exe
PID 2568 wrote to memory of 1816 (3 events) N/A C:\hypermonitorNet\reviewdriversvc.exe C:\Windows\Performance\taskhost.exe
PID 1816 wrote to memory of 2160 (3 events) N/A C:\Windows\Performance\taskhost.exe C:\Windows\System32\cmd.exe
PID 2160 wrote to memory of 1604 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2160 wrote to memory of 2852 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\Performance\taskhost.exe
PID 2852 wrote to memory of 3040 (3 events) N/A C:\Windows\Performance\taskhost.exe C:\Windows\System32\cmd.exe
PID 3040 wrote to memory of 1904 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3040 wrote to memory of 2552 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\Performance\taskhost.exe
PID 2552 wrote to memory of 2348 (3 events) N/A C:\Windows\Performance\taskhost.exe C:\Windows\System32\cmd.exe
PID 2348 wrote to memory of 2828 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2348 wrote to memory of 2972 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\Performance\taskhost.exe
PID 2972 wrote to memory of 2768 (3 events) N/A C:\Windows\Performance\taskhost.exe C:\Windows\System32\cmd.exe
PID 2768 wrote to memory of 2804 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2768 wrote to memory of 1964 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\Performance\taskhost.exe
PID 1964 wrote to memory of 1184 (3 events) N/A C:\Windows\Performance\taskhost.exe C:\Windows\System32\cmd.exe
PID 1184 wrote to memory of 524 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1184 wrote to memory of 1680 (3 events) N/A C:\Windows\System32\cmd.exe C:\Windows\Performance\taskhost.exe
PID 1680 wrote to memory of 584 (3 events) N/A C:\Windows\Performance\taskhost.exe C:\Windows\System32\cmd.exe
PID 584 wrote to memory of 568 (1 event) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

Two details in this table matter when the chain is rebuilt from it. First, PID 1904 is WScript.exe in the first rows and w32tm.exe in the row for PID 3040: the PID was recycled after the script host exited, so a tree keyed on PID alone would merge the later w32tm.exe into the earlier WScript.exe node. Second, the repeating taskhost.exe -> cmd.exe -> {w32tm.exe, taskhost.exe} pattern is the sample relaunching itself: each cmd.exe runs one of the .bat files listed under Processes, which starts w32tm /stripchart against localhost (two samples five seconds apart, a stand-in for a sleep that needs no extra binary) and then a fresh taskhost.exe. Six taskhost.exe generations are recorded before the table ends at the 150 s kernel limit.
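Rebuilding the chain from this table, as an added example that is not part of the sandbox report. The rows are copied from the table above with repeated writes collapsed (the first pair is kept twice to show event counting); the builder keys each process on (PID, image) in arrival order so the recycled PID 1904 becomes a second node instead of being merged into WScript.exe, and it counts how many times taskhost.exe re-spawned itself through cmd.exe. Function and variable names are the editor's own.

```python
"""Rebuild the process chain from the sandbox's 'PID X wrote to memory of Y' rows.

Added example, not part of the sandbox report. SAMPLE_ROWS is a copy of the
WriteProcessMemory table with repeats collapsed. A PID that reappears with a
different image (1904: WScript.exe, later w32tm.exe) gets a new node.
"""
import re
from collections import Counter

# "PID <p> wrote to memory of <c> N/A <parent image> <child image>"; the parent
# image may contain spaces, so it is matched lazily up to the next "<drive>:\".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")


def parse_rows(rows):
    """Yield (parent_pid, child_pid, parent_image, child_image) per row, in order."""
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def build_tree(rows):
    """Return (nodes, edge_counts). nodes: id -> {pid, image, parent, children}."""
    nodes, live, edges = {}, {}, Counter()

    def node_for(pid, image):
        # Same PID but a different image means the old process is gone: new node.
        nid = live.get(pid)
        if nid is None or nodes[nid]["image"] != image:
            nid = len(nodes)
            nodes[nid] = {"pid": pid, "image": image, "parent": None, "children": []}
            live[pid] = nid
        return nid

    for ppid, cpid, pimg, cimg in parse_rows(rows):
        p, c = node_for(ppid, pimg), node_for(cpid, cimg)
        if nodes[c]["parent"] is None and c != p:
            nodes[c]["parent"] = p
            nodes[p]["children"].append(c)
        edges[(p, c)] += 1          # several writes per CreateProcess are normal
    return nodes, edges


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def pid_reuse(nodes):
    """PIDs seen under more than one image: {pid: [image basenames in order]}."""
    seen = {}
    for n in nodes.values():
        seen.setdefault(n["pid"], []).append(basename(n["image"]))
    return {pid: imgs for pid, imgs in seen.items() if len(imgs) > 1}


def generations(nodes, image_name):
    """Longest ancestor chain of processes with this basename: how many times the
    image relaunched itself (taskhost.exe -> cmd.exe -> taskhost.exe -> ...)."""
    best = 0
    for nid, n in nodes.items():
        if basename(n["image"]) != image_name:
            continue
        depth, cur = 0, nid
        while cur is not None:
            if basename(nodes[cur]["image"]) == image_name:
                depth += 1
            cur = nodes[cur]["parent"]
        best = max(best, depth)
    return best


SAMPLE_ROWS = [
    r"PID 1176 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 1176 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 1904 wrote to memory of 2672 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2672 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\hypermonitorNet\reviewdriversvc.exe",
    r"PID 2568 wrote to memory of 1816 N/A C:\hypermonitorNet\reviewdriversvc.exe C:\Windows\Performance\taskhost.exe",
    r"PID 1816 wrote to memory of 2160 N/A C:\Windows\Performance\taskhost.exe C:\Windows\System32\cmd.exe",
    r"PID 2160 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 2160 wrote to memory of 2852 N/A C:\Windows\System32\cmd.exe C:\Windows\Performance\taskhost.exe",
    r"PID 2852 wrote to memory of 3040 N/A C:\Windows\Performance\taskhost.exe C:\Windows\System32\cmd.exe",
    r"PID 3040 wrote to memory of 1904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 3040 wrote to memory of 2552 N/A C:\Windows\System32\cmd.exe C:\Windows\Performance\taskhost.exe",
    r"PID 2552 wrote to memory of 2348 N/A C:\Windows\Performance\taskhost.exe C:\Windows\System32\cmd.exe",
    r"PID 2348 wrote to memory of 2828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 2348 wrote to memory of 2972 N/A C:\Windows\System32\cmd.exe C:\Windows\Performance\taskhost.exe",
    r"PID 2972 wrote to memory of 2768 N/A C:\Windows\Performance\taskhost.exe C:\Windows\System32\cmd.exe",
    r"PID 2768 wrote to memory of 2804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 2768 wrote to memory of 1964 N/A C:\Windows\System32\cmd.exe C:\Windows\Performance\taskhost.exe",
    r"PID 1964 wrote to memory of 1184 N/A C:\Windows\Performance\taskhost.exe C:\Windows\System32\cmd.exe",
    r"PID 1184 wrote to memory of 524 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 1184 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\Performance\taskhost.exe",
    r"PID 1680 wrote to memory of 584 N/A C:\Windows\Performance\taskhost.exe C:\Windows\System32\cmd.exe",
    r"PID 584 wrote to memory of 568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
]

if __name__ == "__main__":
    nodes, edges = build_tree(SAMPLE_ROWS)
    for nid, n in nodes.items():
        print(f"{nid:2d} pid={n['pid']:<5} parent={n['parent']} {n['image']}")
    print("PID reuse:", pid_reuse(nodes))
    print("taskhost.exe generations:", generations(nodes, "taskhost.exe"))
```

The same (PID, image, order) keying applies when the chain is rebuilt from Sysmon or EDR process-creation events on a real host: PID reuse within a few minutes is routine, and a relaunch loop such as this one produces exactly the short-lived processes that make it likely.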

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe

"C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hypermonitorNet\U3FGPYCsduGsNBux.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hypermonitorNet\G9dRPBrMVK2Mc4FXz8bkgLxwR6gjGl.bat" "

C:\hypermonitorNet\reviewdriversvc.exe

"C:\hypermonitorNet\reviewdriversvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\hypermonitorNet\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\hypermonitorNet\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\hypermonitorNet\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Performance\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\hypermonitorNet\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\hypermonitorNet\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\hypermonitorNet\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\hypermonitorNet\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\hypermonitorNet\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\hypermonitorNet\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\taskhost.exe

"C:\Windows\Performance\taskhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"

Network

N/A

Files

C:\hypermonitorNet\U3FGPYCsduGsNBux.vbe

C:\hypermonitorNet\G9dRPBrMVK2Mc4FXz8bkgLxwR6gjGl.bat

\hypermonitorNet\reviewdriversvc.exe

C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat

C:\Users\Admin\AppData\Local\Temp\dnlY2uCtHd.bat

C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat

C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat

C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat

C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat

C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat

C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat

C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat

C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat

C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat

C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat

C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat

C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat

C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 14:50

Reported

2024-06-20 14:53

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\hypermonitorNet\reviewdriversvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\winlogon.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files\Java\cc11b995f2a76d C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files\Windows Multimedia Platform\24dbde2999530e C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files\Windows Defender\de-DE\MoUsoCoreWorker.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files\Windows Defender\de-DE\1f93f77a7f4778 C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\088424020bedd6 C:\hypermonitorNet\reviewdriversvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\addins\smss.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Windows\addins\69ddcba757bf72 C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Windows\Panther\actionqueue\fontdrvhost.exe C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Windows\Panther\actionqueue\5b884080fd4f94 C:\hypermonitorNet\reviewdriversvc.exe N/A
File created C:\Windows\addins\smss.exe C:\hypermonitorNet\reviewdriversvc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\hypermonitorNet\reviewdriversvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3672 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe C:\Windows\SysWOW64\WScript.exe
PID 3672 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe C:\Windows\SysWOW64\WScript.exe
PID 3672 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe C:\Windows\SysWOW64\WScript.exe
PID 2740 wrote to memory of 3128 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 3128 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 3128 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3128 wrote to memory of 3660 N/A C:\Windows\SysWOW64\cmd.exe C:\hypermonitorNet\reviewdriversvc.exe
PID 3128 wrote to memory of 3660 N/A C:\Windows\SysWOW64\cmd.exe C:\hypermonitorNet\reviewdriversvc.exe
PID 3660 wrote to memory of 4928 N/A C:\hypermonitorNet\reviewdriversvc.exe C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
PID 3660 wrote to memory of 4928 N/A C:\hypermonitorNet\reviewdriversvc.exe C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
PID 4928 wrote to memory of 2816 N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe C:\Windows\System32\cmd.exe
PID 4928 wrote to memory of 2816 N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe C:\Windows\System32\cmd.exe
PID 2816 wrote to memory of 4468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2816 wrote to memory of 4468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2816 wrote to memory of 4952 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
PID 2816 wrote to memory of 4952 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
PID 4952 wrote to memory of 3632 N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe C:\Windows\System32\cmd.exe
PID 4952 wrote to memory of 3632 N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe C:\Windows\System32\cmd.exe
PID 3632 wrote to memory of 1208 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3632 wrote to memory of 1208 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3632 wrote to memory of 4716 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
PID 3632 wrote to memory of 4716 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
PID 4716 wrote to memory of 2276 N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe C:\Windows\System32\cmd.exe
PID 4716 wrote to memory of 2276 N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe C:\Windows\System32\cmd.exe
PID 2276 wrote to memory of 3404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2276 wrote to memory of 3404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2276 wrote to memory of 488 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
PID 2276 wrote to memory of 488 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
PID 488 wrote to memory of 848 N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe C:\Windows\System32\cmd.exe
PID 488 wrote to memory of 848 N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe C:\Windows\System32\cmd.exe
PID 848 wrote to memory of 2700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 848 wrote to memory of 2700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 848 wrote to memory of 2408 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
PID 848 wrote to memory of 2408 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe
PID 2408 wrote to memory of 3660 N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe C:\Windows\System32\cmd.exe
PID 2408 wrote to memory of 3660 N/A C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe C:\Windows\System32\cmd.exe
PID 3660 wrote to memory of 3748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3660 wrote to memory of 3748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe

"C:\Users\Admin\AppData\Local\Temp\anarchyasd (1).exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hypermonitorNet\U3FGPYCsduGsNBux.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hypermonitorNet\G9dRPBrMVK2Mc4FXz8bkgLxwR6gjGl.bat" "

C:\hypermonitorNet\reviewdriversvc.exe

"C:\hypermonitorNet\reviewdriversvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\addins\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\de-DE\MoUsoCoreWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\de-DE\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\SendTo\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\hypermonitorNet\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\hypermonitorNet\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\hypermonitorNet\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\hypermonitorNet\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\hypermonitorNet\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\hypermonitorNet\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\odt\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\odt\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\actionqueue\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\actionqueue\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\hypermonitorNet\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\hypermonitorNet\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\hypermonitorNet\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 6 /tr "'C:\odt\MoUsoCoreWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\odt\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe

"C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe

"C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe

"C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe

"C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe

"C:\Users\All Users\regid.1991-06.com.microsoft\MoUsoCoreWorker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto

Files

C:\hypermonitorNet\U3FGPYCsduGsNBux.vbe


C:\hypermonitorNet\G9dRPBrMVK2Mc4FXz8bkgLxwR6gjGl.bat


C:\hypermonitorNet\reviewdriversvc.exe



C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MoUsoCoreWorker.exe.log



C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat



C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat



C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat



C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat
