Malware Analysis Report

2025-08-05 11:00

Sample ID: 241031-d8gc2aygmd
Target: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe
SHA256: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942
Tags: dcrat discovery infostealer rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942

Threat Level: Known bad

The file 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe was found to be: Known bad.

Malicious Activity Summary

dcrat discovery infostealer rat

Dcrat family

Process spawned unexpected child process

DcRat

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: CmdExeWriteProcessMemorySpam

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 03:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 03:40

Reported

2024-10-31 03:43

Platform

win7-20241010-en

Max time kernel

136s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe (18 identical entries)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Mail\sppsvc.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
File created | C:\Program Files\Mozilla Firefox\browser\wininit.exe | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
File created | C:\Program Files\Mozilla Firefox\browser\56085415360792 | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Mail\sppsvc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A (31 identical entries)
N/A | N/A | C:\Program Files (x86)\Windows Mail\sppsvc.exe | N/A (20 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Mail\sppsvc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Mail\sppsvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2936 wrote to memory of 612 | N/A | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | C:\Windows\System32\cmd.exe (3 identical entries)
PID 612 wrote to memory of 2260 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com (3 identical entries)
PID 612 wrote to memory of 2464 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE (3 identical entries)
PID 612 wrote to memory of 2300 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Mail\sppsvc.exe (5 identical entries)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

"C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Recent\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Recent\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\browser\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ru2guYCOAm.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\Windows Mail\sppsvc.exe

"C:\Program Files (x86)\Windows Mail\sppsvc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 977255cm.nyashkoon.in | udp
US | 172.67.160.44:80 | 977255cm.nyashkoon.in | tcp
US | 172.67.160.44:80 | 977255cm.nyashkoon.in | tcp

Files

memory/2936-0-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp
memory/2936-1-0x0000000000210000-0x00000000003B2000-memory.dmp
memory/2936-2-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp
memory/2936-3-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp
memory/2936-4-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp
memory/2936-6-0x0000000000420000-0x000000000042E000-memory.dmp
memory/2936-7-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp
memory/2936-11-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\dllhost.exe
MD5 844679e76d8254bedd67c98610f7d7ac
SHA1 4222ebbb055830096b829f072783423dbe255932
SHA256 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942
SHA512 fddb80736936d7c0d46ec3958885237681cbbd416455d7a48d075092d38a0c5e435112c25b595b8cc99b0a8ed2143ac2f28e893373a7b6e9772ee722706a3c05

C:\Users\Admin\AppData\Local\Temp\ru2guYCOAm.bat
MD5 bb4c4546d7f2ff5268287b8f82f0e6df
SHA1 af32bdf45fc3083d55fada00a2bc40b7e584a082
SHA256 17729fca65cfb77dcd792ed64bb7f14e8e96a91b1d0f996aa3616e5c267d31f1
SHA512 4e664a10f45644e1178229b9e3301a7fa0c6b7c737a6ddbc828a46f7b962b98f2dac994d0531f5602995ae40631f467eb2ca3c3bfdc7d029847ccb6935043e1a

memory/2936-25-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp
memory/2300-28-0x0000000000950000-0x0000000000AF2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 03:40

Reported

2024-10-31 03:43

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe (18 identical entries)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\e1ef82546f0b02 | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\ServiceState\WinHttpAutoProxySvc\Registry.exe | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A (60 identical entries)
N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A (4 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe

"C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a219429" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PNkK84xdf9.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 977255cm.nyashkoon.in udp
US 104.21.9.137:80 977255cm.nyashkoon.in tcp
US 104.21.9.137:80 977255cm.nyashkoon.in tcp
US 8.8.8.8:53 137.9.21.104.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/2980-0-0x00007FFDF7453000-0x00007FFDF7455000-memory.dmp

memory/2980-1-0x0000000000E20000-0x0000000000FC2000-memory.dmp

memory/2980-2-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

memory/2980-3-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

memory/2980-4-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

memory/2980-7-0x00000000030A0000-0x00000000030AE000-memory.dmp

memory/2980-5-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

memory/2980-8-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

memory/2980-11-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe

MD5 844679e76d8254bedd67c98610f7d7ac
SHA1 4222ebbb055830096b829f072783423dbe255932
SHA256 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942
SHA512 fddb80736936d7c0d46ec3958885237681cbbd416455d7a48d075092d38a0c5e435112c25b595b8cc99b0a8ed2143ac2f28e893373a7b6e9772ee722706a3c05

memory/2980-21-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

memory/2980-27-0x000000001C9D0000-0x000000001CA1E000-memory.dmp

memory/2980-28-0x00007FFDF7450000-0x00007FFDF7F11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PNkK84xdf9.bat

MD5 e560d37bc071a5949ebf851033b8b3a1
SHA1 833ee1f51f4c4b8afda80b99cd7e75893c1c3c1c
SHA256 0d351c0d57aee2c9fba137e09c78c7dad5bae9f8f7bafd7e3c8f3b48b812c661
SHA512 ced97cc6107985f09ff30084803632fcf4e005922e8ac2167ab692b335ae28081d4211561bd0080ab05a768116894d74e6b1329752b30755571f63b2d5be0334

memory/4944-34-0x000000001D0B0000-0x000000001D0FE000-memory.dmp