Malware Analysis Report

2025-08-05 11:00

Sample ID 241031-d8kqfsygmf
Target 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
SHA256 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a
Tags
dcrat discovery infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a

Threat Level: Known bad

The file 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe was found to be: Known bad.

Malicious Activity Summary

dcrat discovery infostealer rat

DcRat

Dcrat family

Executes dropped EXE

Checks computer location settings

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 03:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 03:40

Reported

2024-10-31 03:43

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\lsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 1908 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 1908 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 2952 wrote to memory of 2748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2952 wrote to memory of 2748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2952 wrote to memory of 2748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2952 wrote to memory of 2776 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2952 wrote to memory of 2776 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2952 wrote to memory of 2776 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2952 wrote to memory of 2188 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 2952 wrote to memory of 2188 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 2952 wrote to memory of 2188 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 2188 wrote to memory of 1368 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 2188 wrote to memory of 1368 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 2188 wrote to memory of 1368 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 1368 wrote to memory of 2196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1368 wrote to memory of 2196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1368 wrote to memory of 2196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1368 wrote to memory of 2468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1368 wrote to memory of 2468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1368 wrote to memory of 2468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1368 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 1368 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 1368 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 2420 wrote to memory of 616 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 2420 wrote to memory of 616 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 2420 wrote to memory of 616 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 616 wrote to memory of 1880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 616 wrote to memory of 1880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 616 wrote to memory of 1880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 616 wrote to memory of 2056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 616 wrote to memory of 2056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 616 wrote to memory of 2056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 616 wrote to memory of 752 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 616 wrote to memory of 752 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 616 wrote to memory of 752 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 752 wrote to memory of 2216 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 752 wrote to memory of 2216 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 752 wrote to memory of 2216 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 2216 wrote to memory of 1608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2216 wrote to memory of 1608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2216 wrote to memory of 1608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2216 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2216 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2216 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2216 wrote to memory of 2148 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 2216 wrote to memory of 2148 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 2216 wrote to memory of 2148 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 2148 wrote to memory of 2100 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 2148 wrote to memory of 2100 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 2148 wrote to memory of 2100 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 2100 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2100 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2100 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2100 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2100 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2100 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2100 wrote to memory of 2700 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 2100 wrote to memory of 2700 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 2100 wrote to memory of 2700 N/A C:\Windows\System32\cmd.exe C:\Users\Default\lsm.exe
PID 2700 wrote to memory of 1772 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 2700 wrote to memory of 1772 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 2700 wrote to memory of 1772 N/A C:\Users\Default\lsm.exe C:\Windows\System32\cmd.exe
PID 1772 wrote to memory of 2136 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fXNYKeC8BB.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Default\lsm.exe

"C:\Users\Default\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r03uRlrkNn.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Default\lsm.exe

"C:\Users\Default\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzP9pAsQzT.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\lsm.exe

"C:\Users\Default\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NVJoNfH6eh.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Default\lsm.exe

"C:\Users\Default\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ge8uHQboyx.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Default\lsm.exe

"C:\Users\Default\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T0Gv0Jp6QP.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Default\lsm.exe

"C:\Users\Default\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fMcktfRG2.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Default\lsm.exe

"C:\Users\Default\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\lsm.exe

"C:\Users\Default\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EHU1Lrqt50.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Default\lsm.exe

"C:\Users\Default\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eGpHjHqZig.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\lsm.exe

"C:\Users\Default\lsm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bgR6NVhjy4.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\lsm.exe

"C:\Users\Default\lsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 114936cm.nyashcrack.top udp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp

Files

memory/1908-0-0x000007FEF4FD3000-0x000007FEF4FD4000-memory.dmp

memory/1908-1-0x0000000000160000-0x00000000004E6000-memory.dmp

memory/1908-2-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

memory/1908-3-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

memory/1908-4-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

memory/1908-6-0x00000000008C0000-0x00000000008E6000-memory.dmp

memory/1908-7-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

memory/1908-8-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

memory/1908-13-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

memory/1908-12-0x0000000000AB0000-0x0000000000ACC000-memory.dmp

memory/1908-10-0x00000000008A0000-0x00000000008AE000-memory.dmp

memory/1908-15-0x00000000008B0000-0x00000000008C0000-memory.dmp

memory/1908-17-0x0000000000AD0000-0x0000000000AE8000-memory.dmp

memory/1908-19-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/1908-20-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

memory/1908-22-0x0000000000900000-0x0000000000910000-memory.dmp

memory/1908-24-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

memory/1908-25-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

memory/1908-27-0x0000000002230000-0x0000000002242000-memory.dmp

memory/1908-29-0x0000000002210000-0x0000000002220000-memory.dmp

memory/1908-31-0x0000000002270000-0x0000000002286000-memory.dmp

memory/1908-33-0x0000000002290000-0x00000000022A2000-memory.dmp

memory/1908-34-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

memory/1908-35-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

memory/1908-37-0x0000000002220000-0x000000000222E000-memory.dmp

memory/1908-39-0x0000000002250000-0x0000000002260000-memory.dmp

memory/1908-41-0x0000000002260000-0x0000000002270000-memory.dmp

memory/1908-43-0x000000001AA00000-0x000000001AA5A000-memory.dmp

memory/1908-45-0x0000000002330000-0x000000000233E000-memory.dmp

memory/1908-47-0x0000000002340000-0x0000000002350000-memory.dmp

memory/1908-49-0x0000000002350000-0x000000000235E000-memory.dmp

memory/1908-51-0x0000000002510000-0x0000000002528000-memory.dmp

memory/1908-53-0x000000001AE30000-0x000000001AE7E000-memory.dmp

C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe

MD5 6c5f6433bae4cbf3dc2d1fd40b716b08
SHA1 0eba0dd22b3f5053798eba26e027ef7383602774
SHA256 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a
SHA512 f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d

memory/1908-69-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fXNYKeC8BB.bat

MD5 6194b93eec49bcf79d52fc1c9d1e227f
SHA1 feea11bf6bc0c6d7ee3c933ff51fc000a5333686
SHA256 e01c3f124f4dda9089ec77340c191001775da4766066c8150f85a1e21f866b45
SHA512 3f6af4cd3095ff07c44b5c5d6d03c4751a75763aafaa2b5f649afffd04b6ce302a8844ca601dfa9158aa8d253e1c674095549794a1f4279748d9774f05ae1a6f

memory/2188-73-0x0000000000340000-0x00000000006C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\r03uRlrkNn.bat

MD5 1265bc77b29dcb74d1605c7219bb324d
SHA1 0e43dee5cdbde357f47c9d5d5d5d089c4a9955ee
SHA256 3e44164ffefeae6edb62dd455453be4fda18d6ccabc3e6bca6c3ed5424e6feb6
SHA512 a9a182967884fcfb5810d760d2937a4388a414595611a74dd354a7b6c2b146a4ff7c4dcfa037c87a886c4631fbfc087c099a88f4380b9658b64e7edaf7f1d262

memory/2420-101-0x00000000009A0000-0x0000000000D26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GzP9pAsQzT.bat

MD5 0e9610bd31d793432a9fea17f1912b51
SHA1 0b1667914f7b228ddcdc438aaa58e06005d74037
SHA256 f197056d5230e035246a780ee1720a3cfedf0d19b696f675e6c184d3a5e3709d
SHA512 05d4366ec4fa669e4dca037c27ea1af5e0d080af2deec3f94193131707d899a58c7257b42951d4602e83c36cbd45952a83aa37b12158ea41fb287830b466fe08

memory/752-129-0x0000000000E60000-0x00000000011E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NVJoNfH6eh.bat

MD5 8b7391d80ba4bcea2bc09fd16dab7cd1
SHA1 e688627f326ec9b619ff72be49467e7af358b656
SHA256 4b1df729bbd115c6d59d2f64c1265a1bf82e379c6b7b420fada9a60b6bf88153
SHA512 6838a55e97826f849f4ae6708b9dba1158f9b652ff46a29af2c6abd71e86e51243297bbcbd4c7e2efb219416981e41c489d265ab6a5affc7617fea8e5486ba5b

memory/2148-157-0x0000000001060000-0x00000000013E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ge8uHQboyx.bat

MD5 7693c8e0f120e12b3b1c2265bac94eea
SHA1 dd2cdade3f994f1d5f48115fb15a60409095d5ca
SHA256 d0b33ac56980916ea7ca7e902c090fc21a07de106c848158d08a4c06a3476449
SHA512 24a7b9d55020a2685db400fd9882ddadbc570b730f1b062011771ebd8ccf83c8e7957306b18653f536233a4e557f2bd8de6fc1f2ea5bbca1e61fea4b6e322ca0

memory/2700-185-0x0000000001220000-0x00000000015A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\T0Gv0Jp6QP.bat

MD5 cc269feddc7252a222bd9c41d4d5b29a
SHA1 9ea47b81d7eaa69819953377f1433d31426cd416
SHA256 51750dd93ba9338faa2c6f0a2de52f460e47f563cb26cd96b6abc0089ff6f54f
SHA512 b315369245719864b0d35633bb5d7d16f203281adc7cd2738995d770b41aa7f2291d7750f28dae3fdfc2bec3968ea3caf6651650c115ae6cfbf8c9ca21767093

C:\Users\Admin\AppData\Local\Temp\3fMcktfRG2.bat

MD5 267dd78bf29a1b17e6f178e3ef412f23
SHA1 095c8043bbd1225df52217cb7cfdfa61255d9f60
SHA256 f680987325714b7488ac7da6abae7a0c84bbeefc05cf91f9330dd9d10ff2ac3e
SHA512 d5e2125145c1169670874fc706707d4947895795c24fc1c7fd08ccc8ee28794f1532f7e6e68fa05087d64d27cfa74653161af8d58e1d4d34866eddfd5c5b067a

memory/3028-240-0x0000000000060000-0x00000000003E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat

MD5 93c95b82d4ee5fe8a71d9072a4c75663
SHA1 25b91fa9d9873d41ddb323d9d4a097e36179ceca
SHA256 b5074b6e22b93ff0d7a709bcbcaae16225b08c7abd0363fb67700bdb82052746
SHA512 ff563b36af2f8e8f4e292d2f32a6c7dfcbbc7fa4b7db19794f1361b2f95d62dc332fc586eb1308820de87644d7f32efd4891864a1f50ddc25e6dc483ebe75e77

memory/2064-268-0x00000000011E0000-0x0000000001566000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EHU1Lrqt50.bat

MD5 39ebc4d759b0230d5f1578ac89a10660
SHA1 00c6e1da239a6173d5de4685fa7880b6055c122b
SHA256 00062765c09df28ae5a10f72549b16607ea076d3956659170c0ba0c9608e1d3e
SHA512 d12d4aa1fefacb13cdbd53298c9f1a635e97e5228556269299c63c3412d5d14a086ac7f631efbb13e1a2c91b564436bf92902d5edd022d1d77cc4d8b7357d181

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\eGpHjHqZig.bat

MD5 fae21672773cfe165d12982f72f1b8cd
SHA1 cab3158a4ae1e28d28db94ed7dc9f5fc2249705a
SHA256 5419945af7441cf8ca93564d8145ed94c8fc99a23b9f8e16836f8c8cfb141d2c
SHA512 4dfa4cde186c53b19a09bcdc3a8c9439025fd81cf9c1b088d0317f8c7e552cbd86b41d4726e11f3da9e0b8250bdbc7088a5b397f6360680537f27725693d54dc

C:\Users\Admin\AppData\Local\Temp\bgR6NVhjy4.bat

MD5 80f9bb211e486e10b18b92ddde0cdfe7
SHA1 ae0183b364b6d5b5570cf45eeb47e6128aaacab4
SHA256 da024c7db228a555a6189e4abff69441b504ce7cc5e7df3a36607270f746acfa
SHA512 c2a4e564c34c9d27e7b2694c712c5dd42ac2ff7a9daf222ef4ef25028a27d93504a8b6ef23201ee24df1abe78f7ef0d98d7f0a62dd75dadf6d3c6cd39621628c

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 03:40

Reported

2024-10-31 03:43

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Public\dllhost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dwm.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
File created C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
File created C:\Program Files\Java\jdk-1.8\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Public\dllhost.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1308 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 1308 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 4524 wrote to memory of 924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4524 wrote to memory of 924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4524 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4524 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4524 wrote to memory of 4832 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 4524 wrote to memory of 4832 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 4832 wrote to memory of 2332 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 4832 wrote to memory of 2332 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 2332 wrote to memory of 8 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2332 wrote to memory of 8 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2332 wrote to memory of 4308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2332 wrote to memory of 4308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2332 wrote to memory of 3032 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 2332 wrote to memory of 3032 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 3032 wrote to memory of 1148 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 3032 wrote to memory of 1148 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 1148 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1148 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1148 wrote to memory of 4564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1148 wrote to memory of 4564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1148 wrote to memory of 436 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 1148 wrote to memory of 436 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 436 wrote to memory of 1756 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 436 wrote to memory of 1756 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 1756 wrote to memory of 2176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1756 wrote to memory of 2176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1756 wrote to memory of 956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1756 wrote to memory of 956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1756 wrote to memory of 3084 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 1756 wrote to memory of 3084 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 3084 wrote to memory of 2636 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 3084 wrote to memory of 2636 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 2636 wrote to memory of 1076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2636 wrote to memory of 1076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2636 wrote to memory of 2004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2636 wrote to memory of 2004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2636 wrote to memory of 1408 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 2636 wrote to memory of 1408 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 1408 wrote to memory of 4980 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 1408 wrote to memory of 4980 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 4980 wrote to memory of 3196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4980 wrote to memory of 3196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4980 wrote to memory of 1920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4980 wrote to memory of 1920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4980 wrote to memory of 1860 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 4980 wrote to memory of 1860 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 1860 wrote to memory of 536 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 1860 wrote to memory of 536 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 536 wrote to memory of 5056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 536 wrote to memory of 5056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 536 wrote to memory of 4800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 536 wrote to memory of 4800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 536 wrote to memory of 3772 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 536 wrote to memory of 3772 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 3772 wrote to memory of 4468 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 3772 wrote to memory of 4468 N/A C:\Users\Public\dllhost.exe C:\Windows\System32\cmd.exe
PID 4468 wrote to memory of 4816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4468 wrote to memory of 4816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4468 wrote to memory of 404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4468 wrote to memory of 404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4468 wrote to memory of 4884 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe
PID 4468 wrote to memory of 4884 N/A C:\Windows\System32\cmd.exe C:\Users\Public\dllhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0x37yGnMh.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BP5Pm95y6C.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MCv5EqkMBH.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JURhlZmnbW.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcOKbH0YFO.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2JnastWSjL.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m2M6WqyfOt.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WsfXZ1b1OE.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grDS520PRI.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AAGHIO57vH.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZLKnXXaim4.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v8evR6XBmk.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ybJBPcXt9a.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ybJBPcXt9a.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\dllhost.exe

"C:\Users\Public\dllhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 114936cm.nyashcrack.top udp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
US 8.8.8.8:53 250.238.44.37.in-addr.arpa udp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp

Files

memory/1308-0-0x00007FFAC20B3000-0x00007FFAC20B5000-memory.dmp

memory/1308-1-0x0000000000C90000-0x0000000001016000-memory.dmp

memory/1308-2-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-3-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-4-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-7-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-6-0x000000001BB60000-0x000000001BB86000-memory.dmp

memory/1308-8-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-9-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-10-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-11-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-13-0x0000000003130000-0x000000000313E000-memory.dmp

memory/1308-16-0x000000001D220000-0x000000001D270000-memory.dmp

memory/1308-18-0x0000000003140000-0x0000000003150000-memory.dmp

memory/1308-15-0x000000001BB90000-0x000000001BBAC000-memory.dmp

memory/1308-20-0x000000001BBB0000-0x000000001BBC8000-memory.dmp

memory/1308-22-0x000000001BB30000-0x000000001BB40000-memory.dmp

memory/1308-24-0x000000001BB40000-0x000000001BB50000-memory.dmp

memory/1308-26-0x000000001BB50000-0x000000001BB5E000-memory.dmp

memory/1308-30-0x000000001BBD0000-0x000000001BBE0000-memory.dmp

memory/1308-28-0x000000001D1D0000-0x000000001D1E2000-memory.dmp

memory/1308-31-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-33-0x000000001D270000-0x000000001D286000-memory.dmp

memory/1308-36-0x000000001D290000-0x000000001D2A2000-memory.dmp

memory/1308-34-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-37-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-38-0x000000001D7E0000-0x000000001DD08000-memory.dmp

memory/1308-40-0x000000001BBE0000-0x000000001BBEE000-memory.dmp

memory/1308-41-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-43-0x000000001BD00000-0x000000001BD10000-memory.dmp

memory/1308-44-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-46-0x000000001D1F0000-0x000000001D200000-memory.dmp

memory/1308-48-0x000000001D310000-0x000000001D36A000-memory.dmp

memory/1308-50-0x000000001D200000-0x000000001D20E000-memory.dmp

memory/1308-52-0x000000001D210000-0x000000001D220000-memory.dmp

memory/1308-58-0x000000001D3C0000-0x000000001D40E000-memory.dmp

memory/1308-56-0x000000001D2E0000-0x000000001D2F8000-memory.dmp

memory/1308-54-0x000000001D2B0000-0x000000001D2BE000-memory.dmp

memory/1308-64-0x00007FFAC20B3000-0x00007FFAC20B5000-memory.dmp

memory/1308-71-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\dwm.exe

MD5 6c5f6433bae4cbf3dc2d1fd40b716b08
SHA1 0eba0dd22b3f5053798eba26e027ef7383602774
SHA256 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a
SHA512 f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d

memory/1308-77-0x000000001D610000-0x000000001D6DD000-memory.dmp

memory/1308-79-0x00007FFAC20B0000-0x00007FFAC2B71000-memory.dmp

memory/1308-78-0x000000001D6E0000-0x000000001D789000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\I0x37yGnMh.bat

MD5 39d55f6433ba488b1e386bba76180957
SHA1 91d060019c4d2f6851fab11df6521a275d8d932e
SHA256 edb7ff66236283bf2e01af77b5963f6f3222a4cb39ef47d4bfc2f0ba8261cce8
SHA512 58dbb43b7ef6982d8edccf127bcbbf92f2be30190414d7ef1f2575515679369894268eacbb8586555b39d6bef63dd9d6e091990bc4fa31e9bcd0e1d9078d8f3d

memory/4832-110-0x000000001CE80000-0x000000001CF29000-memory.dmp

memory/4832-111-0x000000001D460000-0x000000001D52D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BP5Pm95y6C.bat

MD5 94cc0d1e47dd9251e54dfeae25c5d02f
SHA1 a9038f49165bd82f37efd7d24ef474fa2905ae97
SHA256 bc296e63f640984fcb03269c54368f09ec2fb3e56a1cb9d1d15f4fa00d848e3d
SHA512 a472ceb8fb3c600520f0dfd7f4b6c71c64c70d4a505ead5b4582a07a95b406c506524cad27965a6c753c8c44f7663356861a74049be77ea157246a979800a4d1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

MD5 8ee01a9d8d8d1ecf515b687bf5e354ca
SHA1 c3b943dce30e425ae34e6737c7d5c3cdd92f79c5
SHA256 c45f52a36b283b46aae313b5a4fcbfbfb67b3c5ac4ee3ecd921087ddadb691a1
SHA512 6cb43253ddb3d2e5bdedcf76bc299e91ce970c6ccc53a2d9df7ba621435a6a704ce3990bdf59d939e513e609bab3daf8f110c1cca8485e1a9fe8536a67d41dda

memory/3032-140-0x000000001CF00000-0x000000001CFA9000-memory.dmp

memory/3032-141-0x000000001D500000-0x000000001D5CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MCv5EqkMBH.bat

MD5 b19b9c5e4aa90386a445070db5a2c416
SHA1 7e041aca6226678d3031bfec934c5e9812f9a1d1
SHA256 7708819fc28b88c79475ffbf588e4f8d542189e4b5f9c87b0cb7c8059085fb57
SHA512 b86ee8dd62f0f9806be40e492f9f240e042c2563d076e1f2ecac81463a78bff01998757080c39a7dcd62badef8ed81003dd13aeceb9c3a922ec8a049cd34aa3c

memory/436-169-0x000000001D840000-0x000000001D8E9000-memory.dmp

memory/436-170-0x000000001D8F0000-0x000000001D9BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JURhlZmnbW.bat

MD5 f06a02e4d5bc476b1eeda20294b6d1bb
SHA1 5f7677f2d10d6ccdf310d26becba48ab08024183
SHA256 05e2db1a44ec4111dab633ba163f3cf2bf5153df0a4e0fd7872845c335f8bcfc
SHA512 5066256328db820db986880068e3728af3ae396024c1ed691d58eba3f01332cb7d4f87a7dc577f1d734903199976f7d7ad8668819fe47b33298b593d5865e7bf

memory/3084-198-0x000000001D400000-0x000000001D4A9000-memory.dmp

memory/3084-199-0x000000001DA00000-0x000000001DACD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fcOKbH0YFO.bat

MD5 d6426ece98d7628bcd9d97f8d7155680
SHA1 7cd33afeb9af51c97f9ac0a5640170314b605b9a
SHA256 2a6723df6e14944b6b2acd1e53c1db4a9303ddbbc9da1f62512962b0aa87b91c
SHA512 905604fe7b0ac681bb70821e5578ac3609b2bd44bebf319b40518e4eec6bfabce3f27418e727c74d901d9eaea06722bcc8001ce4a20727808943ca36fe6e1f84

memory/1408-228-0x000000001CC00000-0x000000001CCCD000-memory.dmp

memory/1408-227-0x000000001CB50000-0x000000001CBF9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2JnastWSjL.bat

MD5 92b46ad56d16e21708a94d958bb038dd
SHA1 44f5c37b405386c9ee24531b8477763021d33a62
SHA256 fa3502218c067956414c84190d292e6316594c7e16f1498ad3b04733b2475410
SHA512 2bc078a2f48ba40fde2d2f6c08301e58a4fc41e17fd202e0b2d99647725077d89880bb62be3e170eb85428f991a7a3bf6a752c20cde7ed1d244e5084f73dd395

memory/1860-256-0x000000001CE00000-0x000000001CEA9000-memory.dmp

memory/1860-257-0x000000001CEB0000-0x000000001CF7D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\m2M6WqyfOt.bat

MD5 203c334cdce00c249caad55d83d9a952
SHA1 82b3b8f183c3f0dcb0db3707694990d3c81dbc5e
SHA256 8ed7aaf066ecd2a7ef371ce390db4bac7c8e28c0a252341763687464fafcc163
SHA512 51273c8390850ff345186564ad2aeb241f7b2f88b32218e79da3f2c76ab741843266900eddbbb7109da55108c9d763e0de3398123be9136a3a3f1cd16f8bb477

memory/3772-285-0x000000001CC30000-0x000000001CCD9000-memory.dmp

memory/3772-286-0x000000001CCE0000-0x000000001CDAD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WsfXZ1b1OE.bat

MD5 990c39c3d21bca0bf60a4f76cbe53f07
SHA1 e55fcbcd1d422b1b0f98b9f1ee052a8de1cfc0e2
SHA256 52e12c91239f41b0c305129d7440a97517a74178aad2289024e8ce5a0e8de583
SHA512 940b689e3a0c4fc56557b6f8f6e1df2cdb49e4d5f7a83344f76d7c65b5b4f63b2276e3a0b2483b0c1e08fb64a0b90a8f10146ede8a5afc798c2d526cce2a35ab

memory/4884-315-0x000000001C980000-0x000000001CA4D000-memory.dmp

memory/4884-314-0x000000001C8D0000-0x000000001C979000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\grDS520PRI.bat

MD5 15e3ad5eb76fa344ec75792eb3e13a89
SHA1 48fcb072a11774209776884985e9340af752ec18
SHA256 10a2f2eeda1c046c03ed160dfc3371da4de3bd6e25c696977314ce64e41f1688
SHA512 c8c54b3c5352c4d9b29f38d6397b2ad0fc9a0899cceb861e3e0d974fb8265d4f4fa4b1c3b91a8629b176f157696c5abefbc5adcbe69b49da9c0ded8c7f24c181

memory/2176-343-0x000000001DA30000-0x000000001DAD9000-memory.dmp

memory/2176-344-0x000000001E010000-0x000000001E0DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AAGHIO57vH.bat

MD5 d123bf3fbaa0d1012e2bb8adeb2c7406
SHA1 2266f5b9d4344f0154a6da3bcbca92fae225ea64
SHA256 b9e97df409b6fe05774b4bd2e95bbcec6b2ffc989a0f63585485181ec134d0e4
SHA512 e2c194adb29b3efc856d4460f8012a9c12227eec34da92c79b00b2978a40e204ea4fbda752f79b247cbb1c57b577e050ce4ada1886085638ca9f1267558cbd45

memory/2972-373-0x000000001D390000-0x000000001D45D000-memory.dmp

memory/2972-372-0x000000001D2E0000-0x000000001D389000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZLKnXXaim4.bat

MD5 77df627fc67e61dc098f16d1ffae5839
SHA1 742cfe3ad27f60a104559c5bbbcebbfcc6dd4897
SHA256 4e8ea0f9b29aad57524678c243941ed6d2d2bc4614be8ef9b0f43405d6f63a87
SHA512 620d9b4d182f2f893fc04153008ce077cc87dff1cbd02c1f97430ceac70ea98f6802dd2a1eaa3be24504ab20d7ab08ba115370e20f1d3dc1dd5fb05090061ece

memory/548-401-0x000000001C270000-0x000000001C319000-memory.dmp

memory/548-402-0x000000001C320000-0x000000001C3ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat

MD5 c4c013f517623caf0759b986e4a3f81f
SHA1 9991ca37420c3c6250ba1257e805554e701f742b
SHA256 da779cef0a1c9a6013785590db2cf51bda1241aee6f84413cc8c17f5578ec4ed
SHA512 74b699952f4b5c0d5fd35e6b83196025cd6c6155a7bf71937cd541e5ddf83e7c0554604df374a996ee2f9eb97ae4930c46a1a14c42b74c5b8976ebe8c5b41917

memory/3440-430-0x000000001C640000-0x000000001C6E9000-memory.dmp

memory/3440-431-0x000000001C6F0000-0x000000001C7BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\v8evR6XBmk.bat

MD5 1eb87f6fc991a8eccffdc03eb84ca0c9
SHA1 3cf4b63983cdfac76bfe122779290558b30daae5
SHA256 0813301b4376947dc485dd6bc696a2898d7dc52b7ade3bf8f5311e38811e7e29
SHA512 5075951c3749c718010d2c4bd697c045dd9acc6ee169d2b202e02035859d6de661d0a94b84225542f7d4e2ca07ab1e0e87b6a729144e754f0132ea94fa5fac5c

memory/3596-459-0x000000001D220000-0x000000001D2C9000-memory.dmp

memory/3596-460-0x000000001D2D0000-0x000000001D39D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ybJBPcXt9a.bat

MD5 3777e8ec9c23fab201a7aac199967079
SHA1 9c4a61167a20c03098a7efa5b1fbae0902f26fc0
SHA256 7fa90748babeb1f697424cfb32a5cb1d783fff4494906f8a6abc4f99f6bc6824
SHA512 331aa807350c31fa2e2c86fbda99f9ace2d386d29041edf4061289bb98cfb898dab2c22253946bba1f3ea1504fc05fdae6936671a0b56ae40fd39bfb307bb440

memory/384-489-0x000000001CC90000-0x000000001CD5D000-memory.dmp

memory/384-488-0x000000001CBE0000-0x000000001CC89000-memory.dmp