File name: E480E6E977F641B1A85D7A5F2DE184B0.exe

Full analysis: https://app.any.run/tasks/fd9d4b7a-73f4-4f98-b1c5-0481ad2742eb
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) that was first introduced in 2018. It is modular malware that can be customized to perform different tasks: for instance, it can steal passwords and crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: August 01, 2025, 03:27:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: dcrat, rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: E480E6E977F641B1A85D7A5F2DE184B0
SHA1: 372BA4D290705E67E693D80883806E9D1362E94D
SHA256: A9D75ED3310AF93AE5F009FEDDF41F2B75FB20414ED6B323970D33942F7808B8
SSDEEP: 98304:JMcPAL9X9ywAwowjqQ9zFR+Am0u36EDCdqmPGMkrjW/kLyEHEr5pQDPgrJmyNAD+:jLTSGUVuF

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • DCRAT mutex has been found

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1604)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6840)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1604)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6840)
    • Reads security settings of Internet Explorer

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1604)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
    • The executable file from the user directory is run by the CMD process

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
    • Reads the date of Windows installation

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1604)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
    • Executing commands from a ".bat" file

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
    • Starts CMD.EXE for commands execution

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1604)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1964)
      • cmd.exe (PID: 5188)
      • cmd.exe (PID: 684)
      • cmd.exe (PID: 1816)
      • cmd.exe (PID: 6808)
      • cmd.exe (PID: 2112)
      • cmd.exe (PID: 4412)
      • cmd.exe (PID: 6796)
      • cmd.exe (PID: 7124)
      • cmd.exe (PID: 6240)
      • cmd.exe (PID: 1480)
    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 1964)
      • cmd.exe (PID: 5188)
      • cmd.exe (PID: 684)
      • cmd.exe (PID: 2112)
      • cmd.exe (PID: 4412)
      • cmd.exe (PID: 6796)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 6808)
      • cmd.exe (PID: 1816)
      • cmd.exe (PID: 7124)
      • cmd.exe (PID: 6240)
      • cmd.exe (PID: 1480)
  • INFO

    • Reads the computer name

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1604)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6840)
    • Checks supported languages

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1604)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
      • chcp.com (PID: 1568)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • chcp.com (PID: 3584)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • chcp.com (PID: 6344)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • chcp.com (PID: 3608)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • chcp.com (PID: 2728)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • chcp.com (PID: 2064)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • chcp.com (PID: 6228)
      • chcp.com (PID: 4984)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • chcp.com (PID: 3896)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
      • chcp.com (PID: 4120)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6840)
      • chcp.com (PID: 3628)
    • Process checks computer location settings

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1604)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
    • Reads the machine GUID from the registry

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1604)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6840)
    • Reads Environment values

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1604)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6840)
    • Create files in a temporary directory

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
    • Creates files in the program directory

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 4888)
    • Changes the display of characters in the console

      • cmd.exe (PID: 1964)
      • cmd.exe (PID: 5188)
      • cmd.exe (PID: 684)
      • cmd.exe (PID: 6808)
      • cmd.exe (PID: 2112)
      • cmd.exe (PID: 4412)
      • cmd.exe (PID: 6796)
      • cmd.exe (PID: 1816)
      • cmd.exe (PID: 7124)
      • cmd.exe (PID: 6240)
      • cmd.exe (PID: 1480)
    • Checks proxy server information

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
      • slui.exe (PID: 5244)
    • Disables trace logs

      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 3788)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2124)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6268)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 1232)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 2464)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 6340)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5764)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5904)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 5300)
      • E480E6E977F641B1A85D7A5F2DE184B0.exe (PID: 424)
    • Reads the software policy settings

      • slui.exe (PID: 5244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:27 13:17:58+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 3766784
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0x39985e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.7.1277
ProductVersionNumber: 1.2.7.1277
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: -
FileDescription: -
FileVersion: 1.2.7.1277
InternalName: SpotifyStartupTask
LegalCopyright: Copyright (c) 2023, Spotify Ltd
OriginalFileName: SpotifyStartupTask.exe
ProductName: -
ProductVersion: 1.2.7.1277
All screenshots are available in the full report
Total processes: 195
Monitored processes: 60
Malicious processes: 25
Suspicious processes: 0

Behavior graph

start
#DCRAT e480e6e977f641b1a85d7a5f2de184b0.exe cmd.exe conhost.exe (no specs)
#DCRAT e480e6e977f641b1a85d7a5f2de184b0.exe cmd.exe (no specs) conhost.exe (no specs) chcp.com (no specs) w32tm.exe (no specs)
#DCRAT e480e6e977f641b1a85d7a5f2de184b0.exe cmd.exe (no specs) conhost.exe (no specs) chcp.com (no specs) w32tm.exe (no specs)
#DCRAT e480e6e977f641b1a85d7a5f2de184b0.exe cmd.exe (no specs) conhost.exe (no specs) chcp.com (no specs) w32tm.exe (no specs)
#DCRAT e480e6e977f641b1a85d7a5f2de184b0.exe cmd.exe (no specs) conhost.exe (no specs) chcp.com (no specs) ping.exe (no specs)
#DCRAT e480e6e977f641b1a85d7a5f2de184b0.exe cmd.exe (no specs) conhost.exe (no specs) chcp.com (no specs) ping.exe (no specs) slui.exe
#DCRAT e480e6e977f641b1a85d7a5f2de184b0.exe cmd.exe (no specs) conhost.exe (no specs) chcp.com (no specs) w32tm.exe (no specs)
#DCRAT e480e6e977f641b1a85d7a5f2de184b0.exe cmd.exe (no specs) conhost.exe (no specs) chcp.com (no specs) w32tm.exe (no specs)
#DCRAT e480e6e977f641b1a85d7a5f2de184b0.exe cmd.exe (no specs) conhost.exe (no specs) chcp.com (no specs) w32tm.exe (no specs)
#DCRAT e480e6e977f641b1a85d7a5f2de184b0.exe cmd.exe (no specs) conhost.exe (no specs) chcp.com (no specs) ping.exe (no specs)
#DCRAT e480e6e977f641b1a85d7a5f2de184b0.exe cmd.exe (no specs) conhost.exe (no specs) chcp.com (no specs) ping.exe (no specs)
#DCRAT e480e6e977f641b1a85d7a5f2de184b0.exe cmd.exe (no specs) conhost.exe (no specs) chcp.com (no specs) ping.exe (no specs)
#DCRAT e480e6e977f641b1a85d7a5f2de184b0.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID 424 | CMD: "C:\Users\admin\AppData\Local\Temp\E480E6E977F641B1A85D7A5F2DE184B0.exe" | Path: C:\Users\admin\AppData\Local\Temp\E480E6E977F641B1A85D7A5F2DE184B0.exe | Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\users\admin\appdata\local\temp\e480e6e977f641b1a85d7a5f2de184b0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 684 | CMD: "C:\WINDOWS\System32\cmd.exe" /C "C:\Users\admin\AppData\Local\Temp\VTvBzponnF.bat" | Path: C:\Windows\System32\cmd.exe | Parent process: E480E6E977F641B1A85D7A5F2DE184B0.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID 1232 | CMD: "C:\Users\admin\AppData\Local\Temp\E480E6E977F641B1A85D7A5F2DE184B0.exe" | Path: C:\Users\admin\AppData\Local\Temp\E480E6E977F641B1A85D7A5F2DE184B0.exe | Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\users\admin\appdata\local\temp\e480e6e977f641b1a85d7a5f2de184b0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 1380 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1480 | CMD: "C:\WINDOWS\System32\cmd.exe" /C "C:\Users\admin\AppData\Local\Temp\qM3gKm3hFC.bat" | Path: C:\Windows\System32\cmd.exe | Parent process: E480E6E977F641B1A85D7A5F2DE184B0.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID 1520 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1568 | CMD: chcp 65001 | Path: C:\Windows\System32\chcp.com | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID 1604 | CMD: "C:\Users\admin\AppData\Local\Temp\E480E6E977F641B1A85D7A5F2DE184B0.exe" | Path: C:\Users\admin\AppData\Local\Temp\E480E6E977F641B1A85D7A5F2DE184B0.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\users\admin\appdata\local\temp\e480e6e977f641b1a85d7a5f2de184b0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 1660 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1816 | CMD: "C:\WINDOWS\System32\cmd.exe" /C "C:\Users\admin\AppData\Local\Temp\HRKp7XGsej.bat" | Path: C:\Windows\System32\cmd.exe | Parent process: E480E6E977F641B1A85D7A5F2DE184B0.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
Total events: 30 549
Read events: 30 532
Write events: 17
Delete events: 0

Modification events

(PID) Process: (4888) E480E6E977F641B1A85D7A5F2DE184B0.exe
Key: HKEY_CURRENT_USER\SOFTWARE\ad185f1ad36ef42dfef31f4a44e699190b500959
Operation: write
Name: 5f02b04861d0bc2f8da96755479c251047ef4a2a
Value:
H4sIAAAAAAAEAH2Nuw6CQBBFf8VYG7IYFLTjGQsLYzQWjjHrMsBGYMkAKn/vAg2NTjOZx7nnOve3AAdSKfFiFskcaz36O+R5k/kZiifAsS0bWaBH6olk4Afni4FKVFvGBmMMIJZ0Z2MtDZH9gY4o1AupA9irVLvaKhGT80WWsXrrvf+oT1hUPZDKuqHup1h3c3QmkjBRn8nnuUbSYTwuZAngVlXAG96rBc8BRkFoOSxchxvbjtaW6ZmuswpsdxUtg9B0LI8NcbcvLis72ikBAAA=
(PID) Process: (4888) E480E6E977F641B1A85D7A5F2DE184B0.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value:
Windows Command Processor
(PID) Process: (4888) E480E6E977F641B1A85D7A5F2DE184B0.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value:
Microsoft Corporation
(PID) Process: (3788) E480E6E977F641B1A85D7A5F2DE184B0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\E480E6E977F641B1A85D7A5F2DE184B0_RASAPI32
Operation: write
Name: EnableFileTracing
Value:
0
(PID) Process: (3788) E480E6E977F641B1A85D7A5F2DE184B0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\E480E6E977F641B1A85D7A5F2DE184B0_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value:
0
(PID) Process: (3788) E480E6E977F641B1A85D7A5F2DE184B0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\E480E6E977F641B1A85D7A5F2DE184B0_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value:
0
(PID) Process: (3788) E480E6E977F641B1A85D7A5F2DE184B0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\E480E6E977F641B1A85D7A5F2DE184B0_RASAPI32
Operation: write
Name: FileTracingMask
Value:
(PID) Process: (3788) E480E6E977F641B1A85D7A5F2DE184B0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\E480E6E977F641B1A85D7A5F2DE184B0_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:
(PID) Process: (3788) E480E6E977F641B1A85D7A5F2DE184B0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\E480E6E977F641B1A85D7A5F2DE184B0_RASAPI32
Operation: write
Name: MaxFileSize
Value:
1048576
(PID) Process: (3788) E480E6E977F641B1A85D7A5F2DE184B0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\E480E6E977F641B1A85D7A5F2DE184B0_RASAPI32
Operation: write
Name: FileDirectory
Value:
%windir%\tracing
Executable files: 303
Suspicious files: 0
Text files: 28
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1604 | E480E6E977F641B1A85D7A5F2DE184B0.exe | C:\Users\admin\Desktop\QffAhbxF.log | executable
MD5:D8BF2A0481C0A17A634D066A711C12E9
SHA256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
1604 | E480E6E977F641B1A85D7A5F2DE184B0.exe | C:\Users\admin\Desktop\CGVtqCre.log | executable
MD5:BBDE7073BAAC996447F749992D65FFBA
SHA256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
1604 | E480E6E977F641B1A85D7A5F2DE184B0.exe | C:\Users\admin\Desktop\XdTzKqru.log | executable
MD5:9B25959D6CD6097C0EF36D2496876249
SHA256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
1604 | E480E6E977F641B1A85D7A5F2DE184B0.exe | C:\Users\admin\Desktop\fHbptkHb.log | executable
MD5:87765D141228784AE91334BAE25AD743
SHA256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
1604 | E480E6E977F641B1A85D7A5F2DE184B0.exe | C:\Users\admin\Desktop\zQeCjGrl.log | executable
MD5:240E98D38E0B679F055470167D247022
SHA256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
1604 | E480E6E977F641B1A85D7A5F2DE184B0.exe | C:\Users\admin\Desktop\YRXHvEns.log | executable
MD5:16B480082780CC1D8C23FB05468F64E7
SHA256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
1604 | E480E6E977F641B1A85D7A5F2DE184B0.exe | C:\Users\admin\Desktop\yYOVNpSr.log | executable
MD5:51B1964F31C557AE8C2B01EA164ABD9F
SHA256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
1604 | E480E6E977F641B1A85D7A5F2DE184B0.exe | C:\Users\admin\Desktop\UTxyJYMt.log | executable
MD5:A4F19ADB89F8D88DBDF103878CF31608
SHA256:D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
1604 | E480E6E977F641B1A85D7A5F2DE184B0.exe | C:\Users\admin\Desktop\MpoJafwM.log | executable
MD5:2E116FC64103D0F0CF47890FD571561E
SHA256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
1604 | E480E6E977F641B1A85D7A5F2DE184B0.exe | C:\Users\admin\Desktop\wOsUNWmq.log | executable
MD5:F4B38D0F95B7E844DD288B441EBC9AAF
SHA256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 31
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
3788 | E480E6E977F641B1A85D7A5F2DE184B0.exe | POST | 405 | 77.222.61.245:80 | http://forgta135g.temp.swtest.ru/packetCpuupdateAuthapi.php | unknown | unknown
1232 | E480E6E977F641B1A85D7A5F2DE184B0.exe | POST | 405 | 77.222.61.245:80 | http://forgta135g.temp.swtest.ru/packetCpuupdateAuthapi.php | unknown | unknown
2464 | E480E6E977F641B1A85D7A5F2DE184B0.exe | POST | 405 | 77.222.61.245:80 | http://forgta135g.temp.swtest.ru/packetCpuupdateAuthapi.php | unknown | unknown
5904 | E480E6E977F641B1A85D7A5F2DE184B0.exe | POST | 405 | 77.222.61.245:80 | http://forgta135g.temp.swtest.ru/packetCpuupdateAuthapi.php | unknown | unknown
2940 | svchost.exe | GET | 200 | 23.3.109.48:80 | http://x1.c.lencr.org/ | unknown | whitelisted
5300 | E480E6E977F641B1A85D7A5F2DE184B0.exe | POST | 405 | 77.222.61.245:80 | http://forgta135g.temp.swtest.ru/packetCpuupdateAuthapi.php | unknown | unknown
424 | E480E6E977F641B1A85D7A5F2DE184B0.exe | POST | 405 | 77.222.61.245:80 | http://forgta135g.temp.swtest.ru/packetCpuupdateAuthapi.php | unknown | unknown
5764 | E480E6E977F641B1A85D7A5F2DE184B0.exe | POST | 405 | 77.222.61.245:80 | http://forgta135g.temp.swtest.ru/packetCpuupdateAuthapi.php | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6732 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3788 | E480E6E977F641B1A85D7A5F2DE184B0.exe | 77.222.61.245:80 | forgta135g.temp.swtest.ru | SpaceWeb Ltd | RU | unknown
4520 | svchost.exe | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
forgta135g.temp.swtest.ru
  • 77.222.61.245
unknown
login.live.com
  • 20.190.160.128
  • 20.190.160.14
  • 40.126.32.68
  • 20.190.160.4
  • 40.126.32.72
  • 20.190.160.132
  • 20.190.160.20
  • 40.126.32.76
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
self.events.data.microsoft.com
  • 52.168.117.168
whitelisted

Threats

No threats detected
No debug info