Malware Analysis Report

2025-08-05 11:00

Sample ID 241031-ec2jrs1jdr
Target 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
SHA256 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a
Tags
dcrat discovery infostealer rat
score
10/10

Analysis Overview

score
10/10

SHA256

9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a

Threat Level: Known bad

The file 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe was found to be: Known bad.

Malicious Activity Summary

dcrat discovery infostealer rat

DcRat

Dcrat family

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 03:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 03:48

Reported

2024-10-31 03:51

Platform

win7-20240903-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\system\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
File created C:\Windows\LiveKernelReports\dllhost.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
File opened for modification C:\Windows\LiveKernelReports\dllhost.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
File created C:\Windows\LiveKernelReports\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
File created C:\Windows\system\dllhost.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 2964 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 2964 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 2612 wrote to memory of 2728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2612 wrote to memory of 2728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2612 wrote to memory of 2728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2612 wrote to memory of 2640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2612 wrote to memory of 2640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2612 wrote to memory of 2640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2612 wrote to memory of 2504 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 2612 wrote to memory of 2504 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 2612 wrote to memory of 2504 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 2504 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 2504 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 2504 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 1972 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1972 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1972 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1972 wrote to memory of 1932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1972 wrote to memory of 1932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1972 wrote to memory of 1932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1972 wrote to memory of 1952 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 1972 wrote to memory of 1952 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 1972 wrote to memory of 1952 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 1952 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 1952 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 1952 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 1152 wrote to memory of 880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1152 wrote to memory of 880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1152 wrote to memory of 880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1152 wrote to memory of 564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1152 wrote to memory of 564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1152 wrote to memory of 564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1152 wrote to memory of 1688 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 1152 wrote to memory of 1688 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 1152 wrote to memory of 1688 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 1688 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 1688 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 1688 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 1080 wrote to memory of 824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1080 wrote to memory of 824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1080 wrote to memory of 824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1080 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1080 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1080 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1080 wrote to memory of 2428 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 1080 wrote to memory of 2428 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 1080 wrote to memory of 2428 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 2428 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 2428 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 2428 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 2512 wrote to memory of 1968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2512 wrote to memory of 1968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2512 wrote to memory of 1968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2512 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2512 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2512 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2512 wrote to memory of 324 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 2512 wrote to memory of 324 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 2512 wrote to memory of 324 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe
PID 324 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 324 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 324 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 1944 wrote to memory of 2800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UXovnHxixt.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kE5LbAifMs.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4U0fcSq6WH.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqmi30yQ6b.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MWkXPhK5zP.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BVR2CWKREk.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qoP5fBU7F9.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZVE1dxM5B8.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 114936cm.nyashcrack.top udp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp

Files

C:\Windows\system\dllhost.exe

MD5 6c5f6433bae4cbf3dc2d1fd40b716b08
SHA1 0eba0dd22b3f5053798eba26e027ef7383602774
SHA256 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a
SHA512 f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d

C:\Users\Admin\AppData\Local\Temp\UXovnHxixt.bat

MD5 e686a2706e183645f92ae0ea08207c02
SHA1 6f4762a0bd6687d18ea172e22c456b6f74762e65
SHA256 9f1db0783260540cb60e5ff8bf7bd27172e4da9411e72119199229aab8c3d642
SHA512 0a34358a91ca08c1c7668cc1728d83d4e44f3c9d3f56cb8bf7cce334bb9cdc140a3d6d9d5e8b6118b658f4c6db82db4eeebe94f944f3e67bc939cbdc2c388753

C:\Users\Admin\AppData\Local\Temp\kE5LbAifMs.bat

MD5 02f7731e9934c2cdb991356487d7fff1
SHA1 05453942f1c110ca51ba848a586e5f0f32582d96
SHA256 2f9e31e1e241872be10e1408a740efae6594d2ac7c82b8ff0741a20177121fcb
SHA512 f25e9761c8f833c3b656864fa8e20469f9a558c36d9f785dfba191f9e3d865ef089d7a3b90fffd1b75011845968202acd53ace212ae74144c95abb5b569e3508

C:\Users\Admin\AppData\Local\Temp\4U0fcSq6WH.bat

MD5 e5d8f647d623d641e6796899b0285756
SHA1 58bb40b0c07bdcc5c7a9afbac0e9f0613d069b1f
SHA256 2326b4db373cec6f8d635c2999dd51029a00976a72153eea058722243b4f6198
SHA512 55ac841becd33810e7947e1693b8ecd19c01c9964bcfc1e72bba1aa046d8c12686d13500b953a98a5712fc6e1fe34f78bfe8a4e18a834bd1f6f93371de91bf06

C:\Users\Admin\AppData\Local\Temp\iqmi30yQ6b.bat

MD5 c8beb8eb16d9dfb853259a6a19bd6804
SHA1 96689025e44cce468663b25f894165f76e3513eb
SHA256 5c351cb3fb26d6d08f2226712aa231919cd14b1a717ba789723cfc2c8668e71e
SHA512 315ce1624323ed5794bd96c42d0888b78a4fe28d7a4e16a00ca4645c17acdced36e3bb848be03043aa94827f95befa19d5fcb0e51ff0ab618386d30980f3aa55

C:\Users\Admin\AppData\Local\Temp\MWkXPhK5zP.bat

MD5 be6196e4965ace9c677f740099ebcb83
SHA1 e0d89668bf7d79201d0fdaf5bfe2e97ec63d022b
SHA256 b1a616aba8614a0cdd257498a4175b9b8e99be867dcbf5484fabf74c6c0139ce
SHA512 42b523e06327eddd8955776d163ee9b439980c9668d40d146ebfd16d58d18dd6daf7ffbef054a402711c1d2c1ab1dc9f5a1d105d145f41236252e639c496549b

C:\Users\Admin\AppData\Local\Temp\BVR2CWKREk.bat

MD5 f610728524e90c0c27d1692a5969a731
SHA1 87de4635b1b1cd6378772e28ace84762fe6a5c25
SHA256 a59c79dddbf35afd2b0c701b7310d4372ebc28a2ded197481aac874597455e98
SHA512 645153d1ebbdcab7d9cd9009b19a9a6364b6a968a3eea3898c10490f0b3113ec6eb45bacc01a65b245e030d25cfcfb6dc8801e28eb705cda83b615685cd3cd15

C:\Users\Admin\AppData\Local\Temp\qoP5fBU7F9.bat

MD5 4dac3b53725754fff338cf006a8d6fbf
SHA1 d915dec24102922ae0d453e47cf12a5ac21fa341
SHA256 cc86b5b91c09a16d9897c34c1ac4e55923801d9315d5ed997a5b60d9a729ec06
SHA512 cd6bc60d69ba4be98cedb3c7a997faf17ff7b41777aa9d377a2c22697fef6d1d18cc48d60d4360404279165874c29e858312d5df942c4eab055a9713188d55ed

C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat

MD5 8a97785a93e5eeb74c16444eca4620d7
SHA1 5c67449dcc8e8773c94f28c85b32e5b331c48509
SHA256 3fa5bd1dd2c5986be8e6eabe25da6f185538654de92fd742268d23ee4f1d95d8
SHA512 5e895cb22553667e80e81cde231fc32a1247c929ec6451324904d4d55f8acd5a97b00d29e6718a03f64b621f7295c5808541dbbe754d828a781a923493ba7e28

C:\Users\Admin\AppData\Local\Temp\ZVE1dxM5B8.bat

MD5 934daefeeb926725df4e3561f9a07198
SHA1 2bc811912a8b7b6de302a4c86f9acac18852f7ed
SHA256 4b6ba06499d7f5947cb048ec17bb4ab459fce705001abcb47dca143b9d48de42
SHA512 1089955283721f5fc9abbbf4b5f3094c41274373c54f174c28aa69c7bc11c9065e69a6bb3581dec8c23ed924414c0b244f0bfb858628c9525fbe67d99e42c1bf

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 03:48

Reported

2024-10-31 03:51

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Public\AccountPictures\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Public\AccountPictures\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Public\AccountPictures\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Public\AccountPictures\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Public\AccountPictures\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Public\AccountPictures\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Public\AccountPictures\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Public\AccountPictures\backgroundTaskHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Security\BrowserCore\en-US\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
File created C:\Program Files\Mozilla Firefox\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
File created C:\Program Files\Mozilla Firefox\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\IdentityCRL\production\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
File created C:\Windows\IdentityCRL\production\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Public\AccountPictures\backgroundTaskHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4708 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe C:\Windows\System32\cmd.exe
PID 3408 wrote to memory of 4844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3408 wrote to memory of 2200 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3408 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Users\Public\AccountPictures\backgroundTaskHost.exe
PID 2412 wrote to memory of 208 N/A C:\Users\Public\AccountPictures\backgroundTaskHost.exe C:\Windows\System32\cmd.exe
PID 208 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 208 wrote to memory of 460 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 208 wrote to memory of 2080 N/A C:\Windows\System32\cmd.exe C:\Users\Public\AccountPictures\backgroundTaskHost.exe
PID 2080 wrote to memory of 3496 N/A C:\Users\Public\AccountPictures\backgroundTaskHost.exe C:\Windows\System32\cmd.exe
PID 3496 wrote to memory of 60 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3496 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3496 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Users\Public\AccountPictures\backgroundTaskHost.exe
PID 4628 wrote to memory of 2608 N/A C:\Users\Public\AccountPictures\backgroundTaskHost.exe C:\Windows\System32\cmd.exe
PID 2608 wrote to memory of 3984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2608 wrote to memory of 1580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2608 wrote to memory of 3952 N/A C:\Windows\System32\cmd.exe C:\Users\Public\AccountPictures\backgroundTaskHost.exe
PID 3952 wrote to memory of 4540 N/A C:\Users\Public\AccountPictures\backgroundTaskHost.exe C:\Windows\System32\cmd.exe
PID 4540 wrote to memory of 4528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4540 wrote to memory of 1328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4540 wrote to memory of 3680 N/A C:\Windows\System32\cmd.exe C:\Users\Public\AccountPictures\backgroundTaskHost.exe
PID 3680 wrote to memory of 436 N/A C:\Users\Public\AccountPictures\backgroundTaskHost.exe C:\Windows\System32\cmd.exe
PID 436 wrote to memory of 4636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 436 wrote to memory of 2948 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 436 wrote to memory of 4612 N/A C:\Windows\System32\cmd.exe C:\Users\Public\AccountPictures\backgroundTaskHost.exe
PID 4612 wrote to memory of 2436 N/A C:\Users\Public\AccountPictures\backgroundTaskHost.exe C:\Windows\System32\cmd.exe
PID 2436 wrote to memory of 636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2436 wrote to memory of 392 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2436 wrote to memory of 3044 N/A C:\Windows\System32\cmd.exe C:\Users\Public\AccountPictures\backgroundTaskHost.exe
PID 3044 wrote to memory of 2896 N/A C:\Users\Public\AccountPictures\backgroundTaskHost.exe C:\Windows\System32\cmd.exe
PID 2896 wrote to memory of 3108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2896 wrote to memory of 3532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2896 wrote to memory of 1128 N/A C:\Windows\System32\cmd.exe C:\Users\Public\AccountPictures\backgroundTaskHost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe

"C:\Users\Admin\AppData\Local\Temp\9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jszP8stzPH.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\AccountPictures\backgroundTaskHost.exe

"C:\Users\Public\AccountPictures\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BD0ryYfNdr.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Public\AccountPictures\backgroundTaskHost.exe

"C:\Users\Public\AccountPictures\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Public\AccountPictures\backgroundTaskHost.exe

"C:\Users\Public\AccountPictures\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4h6CQ3Ghzc.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\AccountPictures\backgroundTaskHost.exe

"C:\Users\Public\AccountPictures\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWxYzFHQ21.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\AccountPictures\backgroundTaskHost.exe

"C:\Users\Public\AccountPictures\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PaEim0VbRY.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Public\AccountPictures\backgroundTaskHost.exe

"C:\Users\Public\AccountPictures\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7AlTOZFOMS.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Public\AccountPictures\backgroundTaskHost.exe

"C:\Users\Public\AccountPictures\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PaEim0VbRY.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Public\AccountPictures\backgroundTaskHost.exe

"C:\Users\Public\AccountPictures\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Public\AccountPictures\backgroundTaskHost.exe

"C:\Users\Public\AccountPictures\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KrnlOsdLyH.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\AccountPictures\backgroundTaskHost.exe

"C:\Users\Public\AccountPictures\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u1Mk5sQ2lf.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\AccountPictures\backgroundTaskHost.exe

"C:\Users\Public\AccountPictures\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2ERwRXGzbm.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Public\AccountPictures\backgroundTaskHost.exe

"C:\Users\Public\AccountPictures\backgroundTaskHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qJsMcbRTCu.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 114936cm.nyashcrack.top udp
FR 37.44.238.250:80 114936cm.nyashcrack.top tcp
US 8.8.8.8:53 250.238.44.37.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Windows\IdentityCRL\production\taskhostw.exe

MD5 6c5f6433bae4cbf3dc2d1fd40b716b08
SHA1 0eba0dd22b3f5053798eba26e027ef7383602774
SHA256 9bcfa4a19be080565caf27f4ea1bc691c124601bb120aac4ca55802593af400a
SHA512 f82e07cce03b3bc2b661b1ce014cc4c9f4becbd695415b714c4c1a0fbf0f3bcafb59a1f550bbee687e7be927f54b20624d6fb017106ca16ee8c0ee126113e84d

C:\Users\Admin\AppData\Local\Temp\jszP8stzPH.bat

MD5 963779672271214a08958b2f3b292a83
SHA1 141f7c06e9f1499421e3e44f21ac9285bb0e62b6
SHA256 3ab1af6d364ff0a2df8b080d219a4cbbe575ccaaabfd368eaa985345871f05e3
SHA512 43426808c0c64a571adc8bb80fb014b1f12bd58a5cd2dc8b62d4f89c75e636c8da142461e428dbec36b076300ae103b7158297a813a551f709a56775c4e47f3b

C:\Users\Admin\AppData\Local\Temp\BD0ryYfNdr.bat

MD5 f47676aa5caf45a862265600f87badeb
SHA1 a927b76c2649afff665c44e01e0aa70290ec8c87
SHA256 fc7ca33027cfa7a8d05fd90a0c5b45d8d209a1320da79cb2b16806e1b680778e
SHA512 1657af6beeb65862dd4c8e4ba195803e684a5222b8905d3dad073db31a18cd13cf0a5178f87b365635bc061c405954eae7d4f92eb52a8057afa233204c9f87f3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

MD5 8ee01a9d8d8d1ecf515b687bf5e354ca
SHA1 c3b943dce30e425ae34e6737c7d5c3cdd92f79c5
SHA256 c45f52a36b283b46aae313b5a4fcbfbfb67b3c5ac4ee3ecd921087ddadb691a1
SHA512 6cb43253ddb3d2e5bdedcf76bc299e91ce970c6ccc53a2d9df7ba621435a6a704ce3990bdf59d939e513e609bab3daf8f110c1cca8485e1a9fe8536a67d41dda

C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat

MD5 3f5774a125a5114a5f39e87ff7b4bf83
SHA1 a45d9ffc9029e74f321892e49f5c8b218972aa99
SHA256 4c727a04460b77729e865e1a0abdf04cc2542ae2d50c03d6a07167f342c2f5cc
SHA512 969d804ee93af9023dc902a7ddff2c27fa5f44aef16b14fa99517c19fadf1f5f5ee9cce417f1fe4eb1fe0783e8e6aec4df1b1eaeb81917bc335365d7081470b3

C:\Users\Admin\AppData\Local\Temp\4h6CQ3Ghzc.bat

MD5 6377ec5e1c3b8622f324ea625626af6b
SHA1 80860efea595ed72d5457c28a399831c1aa30c23
SHA256 c194b882b23e677916461f9195a97ca9b9fe78a4571d58fa81a0b90f9671c9f2
SHA512 7b0689774ee3586c10508dd707c2324de6bbb87e7adf8843ea7195aa006f5d34d2ebefa82d73f8c32e4bc74f3647fc19f505b415a326061dcfbf853cb72aabb0

C:\Users\Admin\AppData\Local\Temp\yWxYzFHQ21.bat

MD5 1c8f15107f14079883711c9b820b3b35
SHA1 6b2f4d6ec38113588319b31fc2691245799e78ac
SHA256 9ae9571d43551ebf3a36fe5021784a4672ae2c530b65654a7fa97d3c23e4d60e
SHA512 ad69863b936b1b063ab9413d8d17ea2b3df36fde8b791f3c5e243ca13e9f1f257b47fdc206af6a8321a2f9b32c427a10344452e176ed80210e59382557c8c3bd

C:\Users\Admin\AppData\Local\Temp\PaEim0VbRY.bat

MD5 318581eb7c0682cfa68c2896453b54d0
SHA1 e0139e6f1701983f82d151627d106bd3b0aaa621
SHA256 89e1a9acd7924984cd68b355d10021e9f9f78c1afd9b6beac3130939a419fffa
SHA512 6a1f0fd9c0113d5a5a46c5777d9b0e03beed320e8fe5b0ff42f7d0cbd63a43d18c9aaa32cf9e42fc8c109a34679656487df12c9de363972ae7cec07212c2ac04

C:\Users\Admin\AppData\Local\Temp\7AlTOZFOMS.bat

MD5 579ddf83684ba55a7adda6c240c37911
SHA1 6f5516e7c28ded0699ebb175b6a91636a4e631af
SHA256 2c4e4bbc58f95edded30b2a6647aeaa212fb25888dd9d1c3ee5c7a62734f05df
SHA512 4447c44b3de60bbed6ea3751bb4f2561d56c94ac8fc3beeb82c792b8c86534635d6b4377990b270f71ca85b19583bcf996622ea4f3819585546c3cadfa59a281

C:\Users\Admin\AppData\Local\Temp\KrnlOsdLyH.bat

MD5 902fcb2b060f9511830ea1e883af5782
SHA1 7a60a9d1bbc89f25574bfb0ee537d7f2abb3f83f
SHA256 58d5bbfe247a55871105c25bb7e644b7bc4bf870313ff70d4942e1a5b616e986
SHA512 4b8c7a536f179e74f5182983abb486072342ea152fe64328de42435a283fb79776b090359fd9d9a331aad2b4ddde8cf5e7617cd4489439a043985b3db8721379

C:\Users\Admin\AppData\Local\Temp\u1Mk5sQ2lf.bat

MD5 36a3c608902bc3dc4e2c47530f03deaa
SHA1 d75cd63aafd81185d3f2a27aa8134fcdbb52014e
SHA256 136afdfa10df4366f5b891a606b0082a77097ad0767084765ef8a4c3393df6d5
SHA512 9258a99069af7abd22361bfcd2e9b61ffccb4eaa4242c7ade7fc530e90e302661395ba29108bceb2bd97fe6c66caa7a8d4be9a1056f356c94368e019c9abbe2b

C:\Users\Admin\AppData\Local\Temp\2ERwRXGzbm.bat

MD5 6297e7d5ecc85fec0e54cc067581ca74
SHA1 02e450000d6f147cc467c93c1ed74a8f90162a91
SHA256 f9697dc4769e5d47c2b861862203b862dea22bfca94915b20811c98a056ef6f8
SHA512 c808a01d426645f16fe173ce03291f7b6e1d145cb2ef8b1dbd50392b45f096cdf3b7bdec4bd7bee9a518a414f0c80586014e40101ea09fbf00c3bf61146dddc0

C:\Users\Admin\AppData\Local\Temp\qJsMcbRTCu.bat

MD5 37eaf9e07d0fc94b8297d2ce7e7a4e11
SHA1 cde06585ca490ebc5eb24ea353e5199043901522
SHA256 861ff7aedb09565f0dba587bc448b315d8272606112e893b0d114bd4ab3d5f29
SHA512 665b6232a8a9757d2c742d15475fd580e113e304127f2cd6755e47d596e82040cdcabc1605fd46a1fd9200b880837ebb1cf5a3df5f8fbeef6ebcdbf654e28337