Analysis Overview
SHA256
60064a5d97f4ac6fafa5fdc364f29e22711bf1edd6b86696b4fbad4b1edb1416
Threat Level: Known bad
The file dcrat.rar was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
Zgrat family
Process spawned unexpected child process
Disables Task Manager via registry modification
Command and Scripting Interpreter: PowerShell
Patched UPX-packed file
Reads user/profile data of web browsers
Executes dropped EXE
Modifies file permissions
Checks computer location settings
Loads dropped DLL
UPX packed file
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-03 11:08
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Zgrat family
Patched UPX-packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-03 11:07
Reported
2024-05-03 11:53
Platform
win10v2004-20240419-en
Max time kernel
2643s
Max time network
2699s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
ZGRat
Command and Scripting Interpreter: PowerShell
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\dcrat\php\DCRatConnectService.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\System\mbr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\dcrat\DCRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\dcrat\DCRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\dcrat\php\DCRatConnectService.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\dcrat\php\php.exe | N/A |
| N/A | N/A | C:\System\mbr.exe | N/A |
| N/A | N/A | C:\System\mbr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\dcrat\DCRat.exe | N/A |
| N/A | N/A | C:\System\mbr.exe | N/A |
| N/A | N/A | C:\Users\{hck3dbitch}\hck3d\mbr.exe\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\System\mbr.exe | N/A |
| N/A | N/A | C:\Users\{hck3dbitch}\hck3d\mbr.exe\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\System\mbr.exe | N/A |
| N/A | N/A | C:\System\mbr.exe | N/A |
| N/A | N/A | C:\Users\{hck3dbitch}\hck3d\mbr.exe\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\System\mbr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\dcrat\php\php.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kernel32.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\DLL\kernel32.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ucrtbase.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ucrtbase.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\DLL\kernel32.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\DLL\kernel32.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\DLL\kernel32.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jvm.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ucrtbase.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ucrtbase.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\kernel32.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ntdll.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ucrtbase.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ucrtbase.pdb | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\Admin\Desktop\dcrat\php\DCRatConnectService.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\System\mbr.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\System\mbr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\dcrat.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\dcrat.rar"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\dcrat.rar
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4394788a-3930-443e-a3bd-973cac0a9bc1} 116 "\\.\pipe\gecko-crash-server-pipe.116" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 26377 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac31b22a-9310-437d-bb86-bcf112cafb88} 116 "\\.\pipe\gecko-crash-server-pipe.116" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3136 -prefsLen 26518 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a8671db-699c-4ac9-8296-793ff131a341} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3912 -childID 2 -isForBrowser -prefsHandle 3888 -prefMapHandle 3896 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db22b6d8-e44d-495c-ba99-87d341f25a38} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4992 -prefMapHandle 5016 -prefsLen 31000 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {216ae58c-c135-4fb2-be0d-6e68c262c89c} 116 "\\.\pipe\gecko-crash-server-pipe.116" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5368 -childID 3 -isForBrowser -prefsHandle 5384 -prefMapHandle 5312 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7d054f1-48fe-4714-a311-96f835207fa5} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b22177f7-1022-481b-a169-9a5418902714} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 5 -isForBrowser -prefsHandle 5708 -prefMapHandle 5712 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {324a2d4d-00a5-4a44-9f33-6c3a95d17f2c} 116 "\\.\pipe\gecko-crash-server-pipe.116" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\dcrat.rar"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\dcrat.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\dcrat.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\dcrat\DCRat.exe
"C:\Users\Admin\Desktop\dcrat\DCRat.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllI.jar;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllIIilIl.jar;lib\IIlIlIllIIlIIllIIllIIlIIIllIlIlIlIIIIlIlIllIIlIIllIIIIIllIIIIlIIIlIIlIIlIIlIllIIlllIIIllIIIlIIlIllllIllIIIIlIIIlIllllllI.jar;lib\IlIIlIllllIIIIIlIlllIllIlIlIIIIIlIIIlIlIlllIIllIllIIIIIIlIIlllIIIlIIIlllIIIlllllIlIlIlllllIIlIllIIlIIlIIlIIIlllllllIlIII.jar;lib\IlIlIIIIIIIlIlllllllIllIIlIIllIllllIIIlIIIlIlIIlIIlIIlIllIlllIlIlIIllIIlIIIIIIIlIIIIIIIIIlIlllIIllIlIIlIIIlIlIlllIIIIIIl.jar;lib\IlIllIIllllllllIlIIlllllIIIIllIIIlIIlllIIllIIllllIIllIlIIIlIIIIlIIIIIlllllllIllIIlIlIllIIlIlIlIIllIlIllIIIlIIIIlIllIIIIl.jar;lib\IllIIIIllIlIIIIlIlIllIIlIIllIIlIllIIlllllIlllIllIlIIlIIlllIIlIlIlIllIllIIlIIIlIIIllIIIIIllIIlllllIlIIIIIlIIIIIIIIIIIIlII.jar;lib\lIIllIIlIlllIlIlllIlIIlIIIlllllIIlIlIIllIllIlIlllIlIIlIlIlIIllIlIIIIIllIIlIIlIIlIIllIIIlIIllIlIIIIlIlIIlIIlIllIIlIIlIlIl.jar;lib\llIlIIIIlIlIlllllIlIIllllIIIlIlIllllIIllllIlllIIlllllIIlIlllIIIIIIlIIllIIIlIlIlllIlIIIlIIIIIllIlllIlllIIllIIllIlIlIIlllI.jar;lib\llIlIlIIIllllIIIllllllllllIllIlIlllIIlllIIlllIIllIIllllIlllIIIIIllllIIlllIIllIIIIlIlIlIlIIIlIIIlIlIlIlIIlllIIlllIlIlIlII.jar;lib\lllIIlIlIIlIIllllIIllllIIlIllllIIIlIllllIIllIIIlllIIIIIIlIIlllIIllIllIIlllIlIIlIlIlllIIlllIlllIlIIlIIIllIlllIIIlIIIIIlll.jar;lib\lllIlIIIIIlIllIlIlIIllIlIIIlIIllIllllIIIIIllIlllIllIIllIIllIllIllIIlIlllllIIlIllIllIIlIIlIIIllIlIlIIlIIIIIIIllIIlllIllIl.jar;lib\llllIlIIIIIllllIlIIIlIllIlIIIllllIIIllIllllIIlllIlIIIlllIIlIlIlllIIlIIIIlIIIIlllIIlIIlIlIIIIIIIIllllIllIlIIIlIllIlIlIIll.jar;lib\llllIlIIlIllllIlIlIIIlIIIlIllIlIIIIlIlIIlIlIIIIllIIlIIllIIIllllIlIllIlllllIIIIIIIIllIllIlIlllllllIllIIIllllIIllIIlIllIll.jar" org.develnext.jphp.ext.javafx.FXLauncher
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe baseboard get Manufac ��
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe baseboard get Manufac
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c USERPR ��
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe baseboap��3���
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe baseboap��3���
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe CPU get Proc ��8�Y
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe CPU get Proc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe diskdrive where "'Index*'L��] ��\�X[�[X�\\"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe diskdrive where "'Index*'L��] ��\�X[�[X�\\"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe Path Win32_VideoConp��3�\��]�Y[����\�
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe Path Win32_VideoConp��3�\��]�Y[����\�
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe diskdrive where "'Il*'L����] ��^"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe diskdrive where "'Il*'L����] ��^"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\dcrat\123.bat" "
C:\Users\Admin\Desktop\dcrat\DCRat.exe
DCRat.exe
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllI.jar;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllIIilIl.jar;lib\IIlIlIllIIlIIllIIllIIlIIIllIlIlIlIIIIlIlIllIIlIIllIIIIIllIIIIlIIIlIIlIIlIIlIllIIlllIIIllIIIlIIlIllllIllIIIIlIIIlIllllllI.jar;lib\IlIIlIllllIIIIIlIlllIllIlIlIIIIIlIIIlIlIlllIIllIllIIIIIIlIIlllIIIlIIIlllIIIlllllIlIlIlllllIIlIllIIlIIlIIlIIIlllllllIlIII.jar;lib\IlIlIIIIIIIlIlllllllIllIIlIIllIllllIIIlIIIlIlIIlIIlIIlIllIlllIlIlIIllIIlIIIIIIIlIIIIIIIIIlIlllIIllIlIIlIIIlIlIlllIIIIIIl.jar;lib\IlIllIIllllllllIlIIlllllIIIIllIIIlIIlllIIllIIllllIIllIlIIIlIIIIlIIIIIlllllllIllIIlIlIllIIlIlIlIIllIlIllIIIlIIIIlIllIIIIl.jar;lib\IllIIIIllIlIIIIlIlIllIIlIIllIIlIllIIlllllIlllIllIlIIlIIlllIIlIlIlIllIllIIlIIIlIIIllIIIIIllIIlllllIlIIIIIlIIIIIIIIIIIIlII.jar;lib\lIIllIIlIlllIlIlllIlIIlIIIlllllIIlIlIIllIllIlIlllIlIIlIlIlIIllIlIIIIIllIIlIIlIIlIIllIIIlIIllIlIIIIlIlIIlIIlIllIIlIIlIlIl.jar;lib\llIlIIIIlIlIlllllIlIIllllIIIlIlIllllIIllllIlllIIlllllIIlIlllIIIIIIlIIllIIIlIlIlllIlIIIlIIIIIllIlllIlllIIllIIllIlIlIIlllI.jar;lib\llIlIlIIIllllIIIllllllllllIllIlIlllIIlllIIlllIIllIIllllIlllIIIIIllllIIlllIIllIIIIlIlIlIlIIIlIIIlIlIlIlIIlllIIlllIlIlIlII.jar;lib\lllIIlIlIIlIIllllIIllllIIlIllllIIIlIllllIIllIIIlllIIIIIIlIIlllIIllIllIIlllIlIIlIlIlllIIlllIlllIlIIlIIIllIlllIIIlIIIIIlll.jar;lib\lllIlIIIIIlIllIlIlIIllIlIIIlIIllIllllIIIIIllIlllIllIIllIIllIllIllIIlIlllllIIlIllIllIIlIIlIIIllIlIlIIlIIIIIIIllIIlllIllIl.jar;lib\llllIlIIIIIllllIlIIIlIllIlIIIllllIIIllIllllIIlllIlIIIlllIIlIlIlllIIlIIIIlIIIIlllIIlIIlIlIIIIIIIIllllIllIlIIIlIllIlIlIIll.jar;lib\llllIlIIlIllllIlIlIIIlIIIlIllIlIIIIlIlIIlIlIIIIllIIlIIllIIIllllIlIllIlllllIIIIIIIIllIllIlIlllllllIllIIIllllIIllIIlIllIll.jar" org.develnext.jphp.ext.javafx.FXLauncher
C:\Users\Admin\Desktop\dcrat\php\DCRatConnectService.exe
php\DCRatConnectService.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\System\lWwpVq7gHuwgO81vQqwqHneiJIBDuFSKSYTTmU6Tq3dRBEEEDwB9.vbe"
C:\Users\Admin\Desktop\dcrat\php\php.exe
php -S 127.0.0.1:8000 -t ..\server
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\System\unOUSLOLRRxkAR2qU1kiiuwS6WvSqNn.bat" "
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe baseboard get Manufac ��
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe baseboard get Manufac
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\System\mbr.exe
"C:\System/mbr.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c USERPR ��
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe baseboap��3���
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe baseboap��3���
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe CPU get Proc ��8�Y
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe CPU get Proc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe diskdrive where "'Index*'L��] ��\�X[�[X�\\"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe diskdrive where "'Index*'L��] ��\�X[�[X�\\"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe Path Win32_VideoConp��3�\��]�Y[����\�
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe Path Win32_VideoConp��3�\��]�Y[����\�
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe diskdrive where "'Il*'L����] ��^"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe diskdrive where "'Il*'L����] ��^"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\{hck3dbitch}\hck3d\mbr.exe\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\{hck3dbitch}\hck3d\mbr.exe\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\{hck3dbitch}\hck3d\mbr.exe\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mbrm" /sc MINUTE /mo 13 /tr "'C:\System\mbr.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mbr" /sc ONLOGON /tr "'C:\System\mbr.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "mbrm" /sc MINUTE /mo 8 /tr "'C:\System\mbr.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\{hck3dbitch}\hck3d\mbr.exe\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\System\mbr.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QT3Ue8RpoK.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\System\mbr.exe
"C:\System\mbr.exe"
C:\Users\Admin\Desktop\dcrat\DCRat.exe
"C:\Users\Admin\Desktop\dcrat\DCRat.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllI.jar;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllIIilIl.jar;lib\IIlIlIllIIlIIllIIllIIlIIIllIlIlIlIIIIlIlIllIIlIIllIIIIIllIIIIlIIIlIIlIIlIIlIllIIlllIIIllIIIlIIlIllllIllIIIIlIIIlIllllllI.jar;lib\IlIIlIllllIIIIIlIlllIllIlIlIIIIIlIIIlIlIlllIIllIllIIIIIIlIIlllIIIlIIIlllIIIlllllIlIlIlllllIIlIllIIlIIlIIlIIIlllllllIlIII.jar;lib\IlIlIIIIIIIlIlllllllIllIIlIIllIllllIIIlIIIlIlIIlIIlIIlIllIlllIlIlIIllIIlIIIIIIIlIIIIIIIIIlIlllIIllIlIIlIIIlIlIlllIIIIIIl.jar;lib\IlIllIIllllllllIlIIlllllIIIIllIIIlIIlllIIllIIllllIIllIlIIIlIIIIlIIIIIlllllllIllIIlIlIllIIlIlIlIIllIlIllIIIlIIIIlIllIIIIl.jar;lib\IllIIIIllIlIIIIlIlIllIIlIIllIIlIllIIlllllIlllIllIlIIlIIlllIIlIlIlIllIllIIlIIIlIIIllIIIIIllIIlllllIlIIIIIlIIIIIIIIIIIIlII.jar;lib\lIIllIIlIlllIlIlllIlIIlIIIlllllIIlIlIIllIllIlIlllIlIIlIlIlIIllIlIIIIIllIIlIIlIIlIIllIIIlIIllIlIIIIlIlIIlIIlIllIIlIIlIlIl.jar;lib\llIlIIIIlIlIlllllIlIIllllIIIlIlIllllIIllllIlllIIlllllIIlIlllIIIIIIlIIllIIIlIlIlllIlIIIlIIIIIllIlllIlllIIllIIllIlIlIIlllI.jar;lib\llIlIlIIIllllIIIllllllllllIllIlIlllIIlllIIlllIIllIIllllIlllIIIIIllllIIlllIIllIIIIlIlIlIlIIIlIIIlIlIlIlIIlllIIlllIlIlIlII.jar;lib\lllIIlIlIIlIIllllIIllllIIlIllllIIIlIllllIIllIIIlllIIIIIIlIIlllIIllIllIIlllIlIIlIlIlllIIlllIlllIlIIlIIIllIlllIIIlIIIIIlll.jar;lib\lllIlIIIIIlIllIlIlIIllIlIIIlIIllIllllIIIIIllIlllIllIIllIIllIllIllIIlIlllllIIlIllIllIIlIIlIIIllIlIlIIlIIIIIIIllIIlllIllIl.jar;lib\llllIlIIIIIllllIlIIIlIllIlIIIllllIIIllIllllIIlllIlIIIlllIIlIlIlllIIlIIIIlIIIIlllIIlIIlIlIIIIIIIIllllIllIlIIIlIllIlIlIIll.jar;lib\llllIlIIlIllllIlIlIIIlIIIlIllIlIIIIlIlIIlIlIIIIllIIlIIllIIIllllIlIllIlllllIIIIIIIIllIllIlIlllllllIllIIIllllIIllIIlIllIll.jar" org.develnext.jphp.ext.javafx.FXLauncher
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe baseboard get Manufac ��
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe baseboard get Manufac
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c USERPR ��
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe baseboap��3���
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe baseboap��3���
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe CPU get Proc ��8�Y
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe CPU get Proc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe diskdrive where "'Index*'L��] ��\�X[�[X�\\"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe diskdrive where "'Index*'L��] ��\�X[�[X�\\"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe Path Win32_VideoConp��3�\��]�Y[����\�
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe Path Win32_VideoConp��3�\��]�Y[����\�
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe diskdrive where "'Il*'L����] ��^"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\wmic.exe diskdrive where "'Il*'L����] ��^"
C:\System\mbr.exe
C:\System\mbr.exe
C:\Users\{hck3dbitch}\hck3d\mbr.exe\OfficeClickToRun.exe
C:\Users\{hck3dbitch}\hck3d\mbr.exe\OfficeClickToRun.exe
C:\System\mbr.exe
C:\System\mbr.exe
C:\Users\{hck3dbitch}\hck3d\mbr.exe\OfficeClickToRun.exe
C:\Users\{hck3dbitch}\hck3d\mbr.exe\OfficeClickToRun.exe
C:\System\mbr.exe
C:\System\mbr.exe
C:\System\mbr.exe
C:\System\mbr.exe
C:\Users\{hck3dbitch}\hck3d\mbr.exe\OfficeClickToRun.exe
C:\Users\{hck3dbitch}\hck3d\mbr.exe\OfficeClickToRun.exe
C:\System\mbr.exe
C:\System\mbr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 34.117.188.166:443 | spocs.getpocket.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 44.233.67.78:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | 78.67.233.44.in-addr.arpa | udp |
| N/A | 127.0.0.1:52822 | tcp | |
| N/A | 127.0.0.1:52829 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 35.244.181.201:443 | prod.balrog.prod.cloudops.mozgcp.net | tcp |
| US | 35.244.181.201:443 | prod.balrog.prod.cloudops.mozgcp.net | tcp |
| US | 35.244.181.201:443 | prod.balrog.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp |
| US | 52.24.210.222:443 | locprod2-elb-us-west-2.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| NL | 2.18.121.79:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-aigl6n6s.gvt1.com | udp |
| GB | 173.194.3.70:443 | r1---sn-aigl6n6s.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-aigl6n6s.gvt1.com | udp |
| US | 8.8.8.8:53 | r1.sn-aigl6n6s.gvt1.com | udp |
| GB | 173.194.3.70:443 | r1.sn-aigl6n6s.gvt1.com | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.210.24.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.3.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.15.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c3lestial.fun | udp |
| US | 172.67.163.28:443 | c3lestial.fun | tcp |
| US | 8.8.8.8:53 | 28.163.67.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:8000 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 882574cm.nyashkoon.top | udp |
| US | 104.21.72.134:80 | 882574cm.nyashkoon.top | tcp |
| US | 104.21.72.134:80 | 882574cm.nyashkoon.top | tcp |
| US | 8.8.8.8:53 | 134.72.21.104.in-addr.arpa | udp |
| US | 172.67.163.28:443 | c3lestial.fun | tcp |
| N/A | 127.0.0.1:8000 | tcp | |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| N/A | 127.0.0.1:8000 | tcp |
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\pending_pings\eccedc9e-4f81-46dc-9f10-c5abbe5bc48d
| MD5 | 5dec9b9c4d812893e233a6c0051da388 |
| SHA1 | 662ac04b8a8da20d7bddb995bc4f75b8c87a1324 |
| SHA256 | d3d6f61f5232c4f5b11ce82bc47bf3da084c9974ea3dd4cefa819f3c79d51458 |
| SHA512 | 0aa4f1ac076b738b54ac28ef2c6730a1199a87e44639fc887c99938e94d1cdf74af107bd6e3e20755dc8a8a5f564077c71ac03f804105f34b00edcd3815fc9c8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\pending_pings\0cc3921a-93ed-4b38-9ec1-54a9a11405f9
| MD5 | 0a6f4bb7c94ffeb0e619d986a4f750e3 |
| SHA1 | 4992e35735852d8c37153d614538588cad73ea55 |
| SHA256 | 2130d812187c77849b3deb2df6237d8c004d6e8324fccf2357725783383e2342 |
| SHA512 | b8c09fe7fd76bca67d3256a412c41b6494cd8f33311c997b8465963f7ff0f911c4c55d1783b7b4bf7cad0287e5a3ad4b8e15ffd07491568729107f2f79784fd1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\pending_pings\6ab1546d-b981-4ef5-ac64-39e51765d413
| MD5 | f2b35ff7bb186a227c9da41a7429dccc |
| SHA1 | cd76bcabaf3489e8f87206cf73f94402a546cfc2 |
| SHA256 | 7978050b4251e079a639d4e227e563c3350f3aaae8098b6e08304996c1dd911f |
| SHA512 | d8a32ee467db6feb441c4632e665a412114bbf50c5d789ceca61c87ec55f78c5828ddac063e7202d93a54637a36c29d6f0f565c681f434b2f445ca013937f02b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | a59d404358706abe71fd37d6e0768316 |
| SHA1 | 788e6f77908cdc0c4eefd07d2e7c5fc71bc8e11e |
| SHA256 | 80b35136051059c0aeffaa5103f7e3739b2d24afc828abf4930eb37009489e0e |
| SHA512 | 544e478d6105fc3ce31b4381e1f0bda4c22ef8306d94b8d91505c5638ef8bb1722a896b77a22f9cb0856ca97305f25a1f256f804277b4de2a882cba43a8a66bd |
C:\Users\Admin\Downloads\rgAaMAj3.rar.part
| MD5 | 01821717f0eeec608936e4db3cb2f375 |
| SHA1 | 4c8245e1064bdfcb3584b64d35bee26f2c30aaa5 |
| SHA256 | 60064a5d97f4ac6fafa5fdc364f29e22711bf1edd6b86696b4fbad4b1edb1416 |
| SHA512 | d9546d11c0677ab51e7f4558f1d5278743b4dadec5124a431d5f4390efe7501141896df4f3232f59edafd41a727bd0a513fb3ff0133228b24190e7e567a18f42 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\l594d31n.default-release\activity-stream.discovery_stream.json
| MD5 | fbdf14d0d74432d54c4617fb2330be49 |
| SHA1 | 7757c33745c2e7c3b3972dca31a5ed919343fa07 |
| SHA256 | b4a6881757c5345d0f4103c53d3c4dc1a45c8af71598befb9df987905badc97e |
| SHA512 | bba7fbbe512a08ceea234a29f5c47b1f2d5240dc4e440d49c90f07e7c0ece956e34b2863982eb96872739bb04a76f4ed36379def8ff045cd101e1fc137a5c8ce |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 24b61b7f8015f3fabeeea5e554765ecf |
| SHA1 | 6e580e0b548ea7e648029bbe7caee2637a45f5c4 |
| SHA256 | 948da935c33cdeeb818f05e875b38fba1abf8df4c7aa870f191164a0ab3003a1 |
| SHA512 | 0eee1dd293637b3d9d83e35bdbf6231ff33dd5e609ec7c36123d0f17860b8b0594ce6c74cb14dd1ae798e1f5a6daaba50de228d82bfc8545b15c2be8cbe87508 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\prefs.js
| MD5 | 287822372bea6fa0b251b5fe99ff2858 |
| SHA1 | 8cef02cd3f0e5a1f7edd3a3f8b6a19041b3f7ef1 |
| SHA256 | 05f5f169840053e0bd83b37cc1839c55442ebf75316525918440dcb10486a3fe |
| SHA512 | 1105a8f64ad212bb299be8178f861151fd165321b660d3ccf31b5a0c079173aa7619fc433cf4667f81a43af2e8c6fb3211bc5840c093ddfa31359a9a660d0e7d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 22cc6cb62d995ec7b1076fd9fabb4000 |
| SHA1 | 5e50f7dc0c6b3e4ac4a88b6cafb0ccbd9c27fa6f |
| SHA256 | fceabf3816cef37c2dd6eab11897693cd4fba38e0bf18e946a46160c4b83e217 |
| SHA512 | 10dcd014e91d807fccde8394bde204db62d86df8d44096c6b167fff982097a73760ab78ac5e6330e7b7585583b741b857173654cd31a911e7760be6b2b996b13 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 4b9501a43a3ac3e4a2deb4ba3772849a |
| SHA1 | cbd68d37a18480fa5ad9fb782369326ee4e87e06 |
| SHA256 | 8d3bee5bbe89b83a9a0bf164ba983f8f902620f7bd0f539b50fb681cff717588 |
| SHA512 | e336dd5013713db6b5ffba09b4a0a4183e35a26a6ace31f1074007a3964c48faa96a2912f40f70bde251cf72373ff56d4f5710cf9071af1e6a5fd3cf16dc6b3b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\prefs-1.js
| MD5 | e19accd982cea331fb67c2a1f969df38 |
| SHA1 | 6ffe69d733fdba283b0d8d7dcc8650063ebf0f0f |
| SHA256 | c647f536b60ef59554652c504d00be26b476036fcbde3b533d4ec6d36c91ec87 |
| SHA512 | 2e2dfcfa942e217027c8cf1aec9d7f0cb5486bbed7baf2e8eb8bb10930f035e910b19787348bd314657438be3afe1350f2333c97a5929a57bbc9fbddf02c36a6 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\AlternateServices.bin
| MD5 | fc45aa1ba06243c000a33092aae2fc31 |
| SHA1 | ee29ea7d990e48bb644637754e38f3384ee168d1 |
| SHA256 | cb5df1960e7bb94132242cd198fe44c54857ef88dde61e3becfe72884eb3c97f |
| SHA512 | 261dd376340132150a9f601d7e0918d99de98ad8ed46cd389548bce1cdf165fce70bec2d6644d1325e3344ba2ca0f0f0855d45e91990378d5d79e1d022f78c0d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\prefs-1.js
| MD5 | 99c4d17be879f948f1ea7965d8b298ad |
| SHA1 | 7fc70f8b0a03a6309526fc35ddd9684792c7c1e5 |
| SHA256 | 78a0f19a96c2f3c30e0d3f874d48324be04bc501a37641e3e03c99712b308a2c |
| SHA512 | 44cb61af51536024b0570d918a81a468f8665b7f2f8283c18f1faece8cd485dd4361e17cfd6c07cb5149ef292a38dd68139fbe61839e63fb146f22e175f82d8c |
C:\Users\Admin\AppData\Local\Temp\7zEC37A3248\dcrat\plugins\chat_native\fav.png
| MD5 | a8e72c0e27750ce36da3110126c38afe |
| SHA1 | e96bc3555f8ed8e715af94d492965b4e6597563c |
| SHA256 | a4f7e5adde35c1979fbf2cc44b37e2907ec963468443e34262b207dd3dab81b8 |
| SHA512 | e43e2c6abb6006c783331cb8b0e290560bb65f7cfd0e113bbddb31a6978aee31fb39a2b22b38ef83f27d512152329d066bc270e640e8900b2746a2a4e0b4dd48 |
C:\Users\Admin\Desktop\dcrat\DCRat.exe
| MD5 | 2c7d37e90dd8ab57d06dad5bc7956885 |
| SHA1 | da789c107c4c68b8250b6589e45e5a3cf7a9a143 |
| SHA256 | 5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939 |
| SHA512 | e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f |
memory/6124-1052-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\Desktop\dcrat\lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllI.jar
| MD5 | 6316f84bc78d40b138dab1adc978ca5d |
| SHA1 | b12ea05331ad89a9b09937367ebc20421f17b9ff |
| SHA256 | d637e3326f87a173abd5f51ac98906a3237b9e511d07d31d6aafcf43f33dac17 |
| SHA512 | 1cdca01ed9c2bc607207c8c51f4b532f4153e94b3846308332eccae25f9c5fddf8279e3063f44a75dd43d696eab0f9f340f9bf2f3ec805ab0f2f1de5135a426c |
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 4da00f3d9824127a833dc7b003977922 |
| SHA1 | 1e6e4e321dd12aa1d868b1a2c12413e6940f89f2 |
| SHA256 | e00dfb30bfa7c5875301e18fe38a2c4ab4071f396250c22d20d1f25c7c969eb7 |
| SHA512 | ade0f0e5523b427042ce4a198713c6608954c3a4cf4a01b6c49004b6f219c3a002e622825283327e5e0d10f356d472898458148c5b25b31f93b0b38c2943a615 |
C:\Users\Admin\Desktop\dcrat\lib\IlIllIIllllllllIlIIlllllIIIIllIIIlIIlllIIllIIllllIIllIlIIIlIIIIlIIIIIlllllllIllIIlIlIllIIlIlIlIIllIlIllIIIlIIIIlIllIIIIl.jar
| MD5 | 6696368a09c7f8fed4ea92c4e5238cee |
| SHA1 | f89c282e557d1207afd7158b82721c3d425736a7 |
| SHA256 | c25d7a7b8f0715729bccb817e345f0fdd668dd4799c8dab1a4db3d6a37e7e3e4 |
| SHA512 | 0ab24f07f956e3cdcd9d09c3aa4677ff60b70d7a48e7179a02e4ff9c0d2c7a1fc51624c3c8a5d892644e9f36f84f7aaf4aa6d2c9e1c291c88b3cff7568d54f76 |
C:\Users\Admin\Desktop\dcrat\lib\IlIlIIIIIIIlIlllllllIllIIlIIllIllllIIIlIIIlIlIIlIIlIIlIllIlllIlIlIIllIIlIIIIIIIlIIIIIIIIIlIlllIIllIlIIlIIIlIlIlllIIIIIIl.jar
| MD5 | fe734f7ab030363362fe3d3ba5e8f913 |
| SHA1 | 2e9d54e3b410557c51c3ea101d66efbb5266b80a |
| SHA256 | 03ead999502aefbf1380bd2e9c4a407acb7a92a7b2fe61f6995aba3fca85efd4 |
| SHA512 | 303ecea5f3f1130f473cde0d78270090290b6f13311bf7459282257ac3097b2b6086db461183f2d8c97a9101372155bf59bbfa12a74925136d0a2a615b648b2a |
C:\Users\Admin\Desktop\dcrat\lib\IlIIlIllllIIIIIlIlllIllIlIlIIIIIlIIIlIlIlllIIllIllIIIIIIlIIlllIIIlIIIlllIIIlllllIlIlIlllllIIlIllIIlIIlIIlIIIlllllllIlIII.jar
| MD5 | 0a79304556a1289aa9e6213f574f3b08 |
| SHA1 | 7ee3bde3b1777bf65d4f62ce33295556223a26cd |
| SHA256 | 434e57fffc7df0b725c1d95cabafdcdb83858ccb3e5e728a74d3cf33a0ca9c79 |
| SHA512 | 1560703d0c162d73c99cef9e8ddc050362e45209cc8dea6a34a49e2b6f99aae462eae27ba026bdb29433952b6696896bb96998a0f6ac0a3c1dbbb2f6ebc26a7e |
C:\Users\Admin\Desktop\dcrat\lib\IIlIlIllIIlIIllIIllIIlIIIllIlIlIlIIIIlIlIllIIlIIllIIIIIllIIIIlIIIlIIlIIlIIlIllIIlllIIIllIIIlIIlIllllIllIIIIlIIIlIllllllI.jar
| MD5 | 7e5e3d6d352025bd7f093c2d7f9b21ab |
| SHA1 | ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57 |
| SHA256 | 5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a |
| SHA512 | c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad |
C:\Users\Admin\Desktop\dcrat\lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllIIilIl.jar
| MD5 | f323bd3b1e342a856bf3036453cd01b2 |
| SHA1 | a8c48a731c350d1514ddcc6a99738cb93277fe14 |
| SHA256 | 64bc153889ab341d4ec8e693fafe117651d3b627d1a608dad951f5b030aab26f |
| SHA512 | 764e1643f2f0b2a5c64e2fd52b2ed8cb3597469ec7ea2c28c2009c0d0b1f5e1dbbcc12b6cf36e94ae7db53bb9d118cd3d33ad92de0c3e256b751c5085e3489a4 |
C:\Users\Admin\Desktop\dcrat\lib\lllIlIIIIIlIllIlIlIIllIlIIIlIIllIllllIIIIIllIlllIllIIllIIllIllIllIIlIlllllIIlIllIllIIlIIlIIIllIlIlIIlIIIIIIIllIIlllIllIl.jar
| MD5 | d5ef47c915bef65a63d364f5cf7cd467 |
| SHA1 | f711f3846e144dddbfb31597c0c165ba8adf8d6b |
| SHA256 | 9c287472408857301594f8f7bda108457f6fdae6e25c87ec88dbf3012e5a98b6 |
| SHA512 | 04aeb956bfcd3bd23b540f9ad2d4110bb2ffd25fe899152c4b2e782daa23a676df9507078ecf1bfc409ddfbe2858ab4c4c324f431e45d8234e13905eb192bae8 |
C:\Users\Admin\Desktop\dcrat\lib\lllIIlIlIIlIIllllIIllllIIlIllllIIIlIllllIIllIIIlllIIIIIIlIIlllIIllIllIIlllIlIIlIlIlllIIlllIlllIlIIlIIIllIlllIIIlIIIIIlll.jar
| MD5 | 3e5e8cccff7ff343cbfe22588e569256 |
| SHA1 | 66756daa182672bff27e453eed585325d8cc2a7a |
| SHA256 | 0f26584763ef1c5ec07d1f310f0b6504bc17732f04e37f4eb101338803be0dc4 |
| SHA512 | 8ea5f31e25c3c48ee21c51abe9146ee2a270d603788ec47176c16acac15dad608eef4fa8ca0f34a1bbc6475c29e348bd62b0328e73d2e1071aaa745818867522 |
C:\Users\Admin\Desktop\dcrat\lib\llIlIlIIIllllIIIllllllllllIllIlIlllIIlllIIlllIIllIIllllIlllIIIIIllllIIlllIIllIIIIlIlIlIlIIIlIIIlIlIlIlIIlllIIlllIlIlIlII.jar
| MD5 | 0c8768cdeb3e894798f80465e0219c05 |
| SHA1 | c4da07ac93e4e547748ecc26b633d3db5b81ce47 |
| SHA256 | 15f36830124fc7389e312cf228b952024a8ce8601bf5c4df806bc395d47db669 |
| SHA512 | 35db507a3918093b529547e991ab6c1643a96258fc95ba1ea7665ff762b0b8abb1ef732b3854663a947effe505be667bd2609ffcccb6409a66df605f971da106 |
C:\Users\Admin\Desktop\dcrat\lib\llIlIIIIlIlIlllllIlIIllllIIIlIlIllllIIllllIlllIIlllllIIlIlllIIIIIIlIIllIIIlIlIlllIlIIIlIIIIIllIlllIlllIIllIIllIlIlIIlllI.jar
| MD5 | fde38932b12fc063451af6613d4470cc |
| SHA1 | bc08c114681a3afc05fb8c0470776c3eae2eefeb |
| SHA256 | 9967ea3c3d1aee8db5a723f714fba38d2fc26d8553435ab0e1d4e123cd211830 |
| SHA512 | 0f211f81101ced5fff466f2aab0e6c807bb18b23bc4928fe664c60653c99fa81b34edf5835fcc3affb34b0df1fa61c73a621df41355e4d82131f94fcc0b0e839 |
C:\Users\Admin\Desktop\dcrat\lib\lIIllIIlIlllIlIlllIlIIlIIIlllllIIlIlIIllIllIlIlllIlIIlIlIlIIllIlIIIIIllIIlIIlIIlIIllIIIlIIllIlIIIIlIlIIlIIlIllIIlIIlIlIl.jar
| MD5 | d093f94c050d5900795de8149cb84817 |
| SHA1 | 54058dda5c9e66a22074590072c8a48559bba1fb |
| SHA256 | 4bec0794a0d69debe2f955bf495ea7c0858ad84cb0d2d549cacb82e70c060cba |
| SHA512 | 3faaa415fba5745298981014d0042e8e01850fccaac22f92469765fd8c56b920da877ff3138a629242d9c52e270e7e2ce89e7c69f6902859f48ea0359842e2fb |
C:\Users\Admin\Desktop\dcrat\lib\IllIIIIllIlIIIIlIlIllIIlIIllIIlIllIIlllllIlllIllIlIIlIIlllIIlIlIlIllIllIIlIIIlIIIllIIIIIllIIlllllIlIIIIIlIIIIIIIIIIIIlII.jar
| MD5 | 5134a2350f58890ffb9db0b40047195d |
| SHA1 | 751f548c85fa49f330cecbb1875893f971b33c4e |
| SHA256 | 2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32 |
| SHA512 | c3cdaf66a99e6336abc80ff23374f6b62ac95ab2ae874c9075805e91d849b18e3f620cc202b4978fc92b73d98de96089c8714b1dd096b2ae1958cfa085715f7a |
memory/5528-1076-0x00000232F4730000-0x00000232F4731000-memory.dmp
C:\Users\Admin\Desktop\dcrat\lib\llllIlIIIIIllllIlIIIlIllIlIIIllllIIIllIllllIIlllIlIIIlllIIlIlIlllIIlIIIIlIIIIlllIIlIIlIlIIIIIIIIllllIllIlIIIlIllIlIlIIll.jar
| MD5 | b50e2c75f5f0e1094e997de8a2a2d0ca |
| SHA1 | d789eb689c091536ea6a01764bada387841264cb |
| SHA256 | cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23 |
| SHA512 | 57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0 |
C:\Users\Admin\Desktop\dcrat\lib\llllIlIIlIllllIlIlIIIlIIIlIllIlIIIIlIlIIlIlIIIIllIIlIIllIIIllllIlIllIlllllIIIIIIIIllIllIlIlllllllIllIIIllllIIllIIlIllIll.jar
| MD5 | 4bc2aea7281e27bc91566377d0ed1897 |
| SHA1 | d02d897e8a8aca58e3635c009a16d595a5649d44 |
| SHA256 | 4aef566bbf3f0b56769a0c45275ebbf7894e9ddb54430c9db2874124b7cea288 |
| SHA512 | da35bb2f67bca7527dc94e5a99a162180b2701ddca2c688d9e0be69876aca7c48f192d0f03d431ccd2d8eec55e0e681322b4f15eba4db29ef5557316e8e51e10 |
memory/5528-1126-0x00000232F4730000-0x00000232F4731000-memory.dmp
memory/5528-1147-0x00000232F4730000-0x00000232F4731000-memory.dmp
memory/5528-1199-0x00000232F4730000-0x00000232F4731000-memory.dmp
memory/5528-1221-0x00000232F4730000-0x00000232F4731000-memory.dmp
memory/5528-1230-0x00000232F4730000-0x00000232F4731000-memory.dmp
memory/5528-1363-0x00000232F4730000-0x00000232F4731000-memory.dmp
memory/5528-1380-0x00000232F4730000-0x00000232F4731000-memory.dmp
memory/5528-1376-0x00000232F4730000-0x00000232F4731000-memory.dmp
C:\Users\Admin\Desktop\dcrat\plugins\Audio_native.plg
| MD5 | 630f22251fedbe30e968432d68ae8543 |
| SHA1 | 6d25f9813b0995a3d032482abb7844cf4646b66f |
| SHA256 | 822869646486a798dc943c015e1bca6ac19b440652f8c93ddec4373c76846bef |
| SHA512 | acc1b2ca19c4d30202423ecfd94c32420ea11171d72ac309d6849a31b67ca9832903987cffd807cfaf36a6760dcc60d45fdd9aafffb25669f40d864c4fdf545d |
C:\Users\Admin\Desktop\dcrat\plugins\Keylogger_native.plg
| MD5 | f00a5e16cfab8d3d16a6faa558a98cba |
| SHA1 | 755610d639a93ccc220e5c8f9bc7d9c35f315e8f |
| SHA256 | db96f9e2c164b733e883ae0a9e7921468248e98b063776df65ecb947f2cda52a |
| SHA512 | e5515bc93d8812a7dac6be8a02a77f72e62a3385ff50391c42e82f6266f04980ffba03214104d9d8dd0365178a9b33d488ef71fb2cfd859e444df220e9540303 |
C:\Users\Admin\Desktop\dcrat\plugins\HostsEditor\configuration.json
| MD5 | 8c00555026bf5da18dc07d101db6cdae |
| SHA1 | 43ad16de3d9ac1c03c52b96cfdea51948ee6720e |
| SHA256 | 43a5e423804b6380f8b79d81f2a5b774831a530355c1b241e50880240dca6513 |
| SHA512 | 4d61df12093a6338f57d79b5becb00ea1916a8dd3c4bdd88b43924584572545aee56f4ed31d8c8cdb178acc694c1cdbfc68e59421f10ccefb1b9733f577fb5aa |
C:\Users\Admin\Desktop\dcrat\plugins\HostsEditor.plg
| MD5 | 731d2ed472cfe27dc5a9fba3cd7cbf4d |
| SHA1 | 3c62a0e3a26d98f37ff526b7ff6624a1a89a0b11 |
| SHA256 | 51b6d2d569d24b8cab87925089c33904920b4b6739e0c285f4edda4c0f3740c1 |
| SHA512 | 7f8458ea3d1807411ea9e0f469544412761e2977de80c3b774f4ad20111e6cba5a4d1aa4cc56ef7bc13f5d0d9fdb416daa38f6520fe696b1ee810966f8ea18a5 |
C:\Users\Admin\Desktop\dcrat\plugins\HiddenRemoteDesktop_native\configuration.json
| MD5 | 40fe420aad7deebae11d6b6509daabd0 |
| SHA1 | 4db41dadc85894c5476290594e821d2ce44488a2 |
| SHA256 | 517358ce35d73f02ba6b9bd13d77eb895512e9118f530f4380891011ed336246 |
| SHA512 | 2ac9e9ed93e1f7596a2688fb39a2fafd0afdacc8f6ce277830a2eec8aa5225b7cc95e04ee1334e63ecaaa9eff6f6932f16331afbeaaf0d9cb312a2f100c97986 |
C:\Users\Admin\Desktop\dcrat\plugins\HiddenRemoteDesktop_native.plg
| MD5 | b46f4f8e1f4371590e7fefa16ab0d243 |
| SHA1 | d135c0268e112e6f5afbc4eb8df9ea5e5f29cbdf |
| SHA256 | 7164d4f82c5d759d5fda1dbaa380faac4fd8f83fcda2ee068bcb6c324e1b6dc3 |
| SHA512 | 8438ab6734c07d43d4f46fef8f68aa3ce830434f8690f781f8b6e25069d6fa09451c22aad50d93d6d252b6b5bca57b1f4c1f37bb4f571f16044d79bcb5079c22 |
C:\Users\Admin\Desktop\dcrat\plugins\Fun_native\configuration.json
| MD5 | 2f3433224600a3cdc3f9b9115599a530 |
| SHA1 | 20d13bfe5499ba8cad0aa3026ab907da80091c5c |
| SHA256 | 842fb8642e278e442e15bdd5531cac79dd37cff3496f0614982af7bae5f93e0b |
| SHA512 | f0b1879befc9c0d7de04ad18ea8ae88290f735d260b181b92571618fe4c8887d08728e81e4f089ec763ef7ac5f5ecb3a37d8552ac86c705e2c3263ece420f368 |
C:\Users\Admin\Desktop\dcrat\plugins\Fun_native.plg
| MD5 | dbb324f7c7399f28cdd5a82a08882ef3 |
| SHA1 | 58558c379c06a58f5e70e509073baef5d8a56aa6 |
| SHA256 | a8c4f392de4e778a1f3106988d603f42c54aa00bccedf7a93d468fcd53d1aca0 |
| SHA512 | b72b8e597403b014b7254406665383a4960d095fb3067d7f3d7756eb403815e62effd143b647886ee3a51efc54da25012e73bb53772feac191a5f1b69340f981 |
C:\Users\Admin\Desktop\dcrat\plugins\ForceAdmin\configuration.json
| MD5 | e82af5243b5f44e846974c4c01fa09db |
| SHA1 | 663a2afd36867792809214b9eb3c1a2f40844c2b |
| SHA256 | 1eaab47bcfdb68424c5ed6710acf6f2902eafc266b3da121bd514cff933a96dd |
| SHA512 | 9cf1cd16bf8eb1b1dfbd730ae2cb861431e8e0049b2c88ec240f4d85f0c5ac8e2d9ccc829bea9e9002e90926ee0e920f072302a48f71d00c6b19c0f747612460 |
C:\Users\Admin\Desktop\dcrat\plugins\ForceAdmin.plg
| MD5 | 9d34cdbe36c7c1d9635255000995efad |
| SHA1 | 87f3cc2914cd04e20246e3cc8296c347c85d91d1 |
| SHA256 | 4d45530a98ab32ff2bc6a3fd1d91fea4b5f6d7ce7aca17553b50fca9d78d2d13 |
| SHA512 | 3fcd3d659b72cf9f5baa00c1108bb3e6ef26cb7fd700d77e217ddb5b1134564a70730075d263e330558bc628ed5fca34454eeb830f44e0403a02377fec40e75d |
C:\Users\Admin\Desktop\dcrat\plugins\FileSearcher\configuration.json
| MD5 | 4b13366c8bc0890db6cf99cea80423ec |
| SHA1 | 7820a2c397fcf7eb9979da57ed4dea864836eb38 |
| SHA256 | b2e8c48fe7f87445fff8370e02803b71c06dfb7c3674ad83592c0186ba583f8c |
| SHA512 | a76204eaaa0114a4112a3ccebf4b469f4eddd26951ba4337a49f5fcb695e41c01e9cbea34912e92821265f920fc31f7b6a06c41675fe3255f19ca5bfe7a0301d |
C:\Users\Admin\Desktop\dcrat\plugins\FileSearcher.plg
| MD5 | 76f8b470737338310491265025e0c71c |
| SHA1 | d500ec75aec69dbeef62d79273696f7eb2543b8b |
| SHA256 | 4ce3a1379cb93cb25fbefb15994af4b064e582578a101186b38d7b403a638847 |
| SHA512 | d84a1d49f7d50317449ce96a39102d3e39525098f5195d55e48e49cf3ec154e0119e4218e27f1dd36832abeae4889886247cb2e47b3a9b2ab0e427da301823b8 |
C:\Users\Admin\Desktop\dcrat\plugins\FileGrabberPlugin\configuration.json
| MD5 | 4d2c47275bfa55c305257974b3b02cbb |
| SHA1 | 7d02d9784a080fe804175dedf51cbd6c7bfa345d |
| SHA256 | de8696cb1d37c484482993b4af3264ca5d427d0ade923237e4040752cc73c051 |
| SHA512 | fcb04a7efa58f8228738aa244f7e6438c7d059b09f1439afd6f2bc86e69ea6d0d20e3136c537a3574f2ec5d1312fcde5279cc85892ce4436114a2add7d9b69cd |
C:\Users\Admin\Desktop\dcrat\plugins\FileGrabberPlugin.plg
| MD5 | 216ebf1bdbc0de1f212832987f8bbe47 |
| SHA1 | 9787abc1f775be1a971ac670150e3229b5961e0b |
| SHA256 | f6944fc54b9611c9dd7050235a928aebce4158eebec2f9184d445c4435495c21 |
| SHA512 | 0bc7c96f0ab833da5efcfe8e61db9434e8f00aea14965739853ee871689678e262d4a79010ee581767ba42260250ea146e4717e346ce07b823e969b49ff8124d |
C:\Users\Admin\Desktop\dcrat\plugins\FakeSteamWindows\configuration.json
| MD5 | 5d9116cbd984428cccfa8c6e20d6f0f1 |
| SHA1 | 3cced48d366ff4088a4299c4bc18925090a4ed38 |
| SHA256 | b4bc6ab3ba0db5f3984278fd8d651396636812adf0125a501079d0e2b9b2317e |
| SHA512 | 66beb3ac519219ce469ea7e115c687940913214fd37ba4b9f4197a069d10fe0a07c9e7cc33d6702aa5adf8d865919f269925fe2e6813cdf9d71c077e9b99f3a7 |
C:\Users\Admin\Desktop\dcrat\plugins\FakeSteamWindows.plg
| MD5 | da61683b55b7e89cf5ae23960320980a |
| SHA1 | caff3d5419b6486ae4e89bb800c681aa303f39d0 |
| SHA256 | 2b0d91b02e0249e0f2a19b0ec154c849d08611aa6e8c731317ef6155108ce7ec |
| SHA512 | f00437c80e8658a4b0ff3c8a2a8014eeeb4d38cc4785d83595e712d61160700a6edc05667c3467b871ab640ee3d80f35cfd24ae2eee17e4d6b48191c4e76d9d5 |
C:\Users\Admin\Desktop\dcrat\plugins\DisableUAC\configuration.json
| MD5 | 2b2a2dbd6ae8af2a46fcb420ca4eebc6 |
| SHA1 | 4ece6dfd41a3a3a374982b77096fa756413f0403 |
| SHA256 | ba65b7b97a8d118c10c1fb839646d0512af0501e20aa00cc7f27b25fd564b9f3 |
| SHA512 | 85ec63ff01c45eda1efaa591c1fb53e3e12d000f441c26fc13bb46b380e0f2efe472f9f9944b15ad67b126f85ea7aad2db637184b91d3213bfedef68d7e79107 |
C:\Users\Admin\Desktop\dcrat\plugins\DisableUAC.plg
| MD5 | 6e676e43b744fd7d4e52d1ba98675514 |
| SHA1 | e32f3e1317d3be97b36a2ce82da912081a37fe51 |
| SHA256 | ad6955b9032ab30f648c3c9de6b13b944ea9e11735d6e5e569f94e25c5a69f6d |
| SHA512 | 2755225499cb506890e56b38efe4e0de9f00b41684db40595a0f26101b6a6b54dabb2c8f9c4b5539173865e654f4d69fcdb7f9927cc3d084b878a22ea891d110 |
C:\Users\Admin\Desktop\dcrat\plugins\CryptoStealer\configuration.json
| MD5 | 5e2149e2a884141db7aeb1486516126c |
| SHA1 | b992417484ad0f38150de4f3d02d1771037454ef |
| SHA256 | 4d51e75e2d7ebda91ba80e14462bb0482d4fd950f755c9255da86c5da7774632 |
| SHA512 | 3b453bf7ff5d6b7debdb174516b303a67f3232c284bef4206c49f8d7751818df86a6bf2de88cfe7bf5650ce97195553ed90852fd783950131ddb5f3f1950f43f |
C:\Users\Admin\Desktop\dcrat\plugins\CryptoStealer.plg
| MD5 | 7d0e8191fcb1475a4b5fb85c29345363 |
| SHA1 | a590571d720d6d6a468f6fd0a250a55a12399f24 |
| SHA256 | 0221a13049e8f79f3499939eb75c6ceaf0be835418e92578ba3a7abd649f7310 |
| SHA512 | 8584e3072e75b75675f557e69c17f60c981606e6ea006e630e5551f647c604cba5ee35f6fb3c620705ea87787c8485853ca729069de5b2e5ca74dd6720717a6a |
C:\Users\Admin\Desktop\dcrat\plugins\CrashLogger\configuration.json
| MD5 | 0a127fa54f700f8684c050a55a808cd0 |
| SHA1 | 91099fe6e3effcb4a4698c5a285ed71cf4fb288b |
| SHA256 | 23c26b3316cb33cbaf01d46e02063203f3b5f57a9a20cdd9c85fc9873ea6a828 |
| SHA512 | 41eb2ca6d669cb1784a3a7a49235ce3060c6c64a6b09aaf8efbd9ddc7081c192ede27ae6ad8cd96bdf8bd28d9243989fc40abb2e1cfa6895daec1620fe632535 |
C:\Users\Admin\Desktop\dcrat\plugins\CrashLogger.plg
| MD5 | bb1bb69674cc872f932498e7e4713dfd |
| SHA1 | e877f196c43f8ebbef1e37375dccc34ceb5742b0 |
| SHA256 | 67312c6ca5890d398663b8c0fc704128f9cedb03cbca6750b646edc8107abed2 |
| SHA512 | b1219b0bf6692fcf86fb3091fedca2606466b04ebe15a3ee7916262ec17cdee724c0f0541e80c9c37fbee66a095edbd0c646994d728ddd5a4173c1433aab8042 |
C:\Users\Admin\Desktop\dcrat\plugins\CountryBlackList\configuration.json
| MD5 | 8b9be085529d1d126811f78aa34656ae |
| SHA1 | 796a5a39e8cc496a3a7ea2066a4831c614c4a325 |
| SHA256 | 8fc9fb90aa56ee75b6d021f178baa9dba961905e772c5cd16da36221cea61d12 |
| SHA512 | daf243f71d256c377956957314e035ab193e37875c388ee664113ec7ba8a381402b9ceecfab838b5d0edc5431065e78f79b7e39b010fcd2b4b75711d3a6109d3 |
C:\Users\Admin\Desktop\dcrat\plugins\CountryBlackList.plg
| MD5 | c0494389ad56345479427327f3a105ab |
| SHA1 | dae7cfe32343c0eca4f4045324bb5ba898e87bee |
| SHA256 | d5bb7934e66b18abaa7bf5c385923142721a515919c17a855e69bf89f7cc511a |
| SHA512 | ab1e1d4f4f6a6de5cb70a617caf9146f34a7d854a637a41887c452ceab0e3f20464f22d0fae936dc2db049aacbf09e9102e46075089b1aa7d7b69b851b0bb2dc |
C:\Users\Admin\Desktop\dcrat\plugins\Clipper\configuration.json
| MD5 | e4c48f85060b023b74d50199870e526c |
| SHA1 | 0dbe75f1ea0e354fc98f56d4e4fa66cb57765298 |
| SHA256 | aa8f6257110045d5df7e79224bf32a0a3f6eb59743553871f2a7c1480beb7bea |
| SHA512 | ee6b913023473aad5347b4a7f2e8325c1443d1591c79a4cb7ad6d845cd7ee3b08dcfd902d75538253504eb23fa71cb3e082cbfe7ce7719fa38b1db98804bac7e |
C:\Users\Admin\Desktop\dcrat\plugins\Clipper.plg
| MD5 | f8b2b7f806e58527549377fa6154d993 |
| SHA1 | c75a9895a5ec2fc4670d1a5a13b7264e4707db4d |
| SHA256 | d99a640efb37a5da0c89f270cadb7cfe2a7f8d9d22c63a0ed2b463bdcd202ec3 |
| SHA512 | fc5c349c995dc1c3d6e46d40b65a3d111c72ec71b064ec4297b41f3176097311d0bf10f7b4d07e3cfccfca46f2407974d6e01db8d601892b1977c6fcb66d3da1 |
C:\Users\Admin\Desktop\dcrat\plugins\ClipboardLogger\configuration.json
| MD5 | 9c4f8ac6df6dacc347e2671c8f6b4a62 |
| SHA1 | 4436b88aa68303cd8a48402667d11802aa39937b |
| SHA256 | 143bbc799092c79f0230b2b990e8f2485836bd9cc682d2ac8f92262ccce0c58e |
| SHA512 | 3b53a7c9ccae040171033c66a98009c017c4df54baba008af76ef5b92e098c954c4dfb9ae971112d3536a1dbd9435830171fa748274ac43eb04a70f3c2a27d24 |
C:\Users\Admin\Desktop\dcrat\plugins\ClipboardLogger.plg
| MD5 | 2aea94cd3a00ade5aeb6daf5ecee4ddb |
| SHA1 | d4c6ad77d134f5951fbd9aabe7705b78b20c2207 |
| SHA256 | 1026aa2bf76235de24e90ba49e661a6170364de8b675b650cd67b28e9c64be1b |
| SHA512 | a042b99aa6e3f5bd3e58df3ccb7b251d93c7ed87f1dbd5cf2d508a0fc9267877c80bffa69bd533fb79ef062077e2c640e9a909862618b157d7a75bde3f13f987 |
C:\Users\Admin\Desktop\dcrat\plugins\ClientsStealer_native\configuration.json
| MD5 | a447c276d835363fb44ed5c27e716b02 |
| SHA1 | de1c9b06cb257bad1aeb97718e3837bcee36e993 |
| SHA256 | 9bd962e5d852e0a0c8fb72606bfb0a21ec35e07a0fe34a6ddb22ac7be07fe401 |
| SHA512 | f26f169300f142c58bfa0ec27329bc8690141e960280e001e51a248cf86ad75af6029513aa8651e2f640cd2736982662be3742c597467fe199b5fb5e8cb1779e |
C:\Users\Admin\Desktop\dcrat\plugins\ClientsStealer_native.plg
| MD5 | 77090d6218e6a2f0f6f846f26545ed14 |
| SHA1 | ff0ce654d3d5383e3684de07a882178a5483a92f |
| SHA256 | 0d93e907d03a8a161deaf26d83221d8159e03768e47c67fac3aedf85d7733210 |
| SHA512 | e7953f96233d1d47540b9acc288ae85acc724777998e991d8129a7fd842a5dcf64083f7dc57a220f26826f3fe09fd47df6cb08434a21e519f748d06a6187084d |
C:\Users\Admin\Desktop\dcrat\plugins\chat_native\configuration.json
| MD5 | 5d4b4f6d829676eace149f4c50003829 |
| SHA1 | 18379611c88af3c7e0ebf3ccf1ec4edbd04ce83e |
| SHA256 | 5905a40b34bfbca66378e60dac23ef06bdf8392f1126f72509368e3f683cb100 |
| SHA512 | a36774efa7f9352ff517935f12b97e5b19494563ac38e5623c24a4f7753378337165608be24848767b5fa954652cbe0bbb6c5c443d5caf4b2bb61a0051a55b5e |
C:\Users\Admin\Desktop\dcrat\plugins\chat_native.plg
| MD5 | 7293ef71d2371dd20997ff0d99a1edd3 |
| SHA1 | f380ec631fa6b6ed4f13ed497988bc638eef850b |
| SHA256 | 6e6ad73d10b50a48e2b314bd665e87c0c7f15c84f561be55bc44445021c6f103 |
| SHA512 | 8a35244016543dc1a835a069ca287b97678cbc426108a964024775dcd0934edadd3f22c731707e8624d2d1c59ae6b68d1f42eee3a87d1647d5806d0129c3c438 |
C:\Users\Admin\Desktop\dcrat\plugins\BuildInstallationTweaksPlugin\configuration.json
| MD5 | 8de11d5b207e7c70c515a192dd2661ef |
| SHA1 | 9f3a1da6e0ec83c599c4f0f542de04789afecfe0 |
| SHA256 | 5ff8575dd71be41c39869c1a6f451ba30190b6fa6546da39b0644bb98f27d19d |
| SHA512 | 6440d1561add2e02f3bd6608c9611b75fe26656ad1fe27ab12231baca2d8752c4f62fbe138398457f41b8bb7ec3152809175e4a0663c712249925ab074561f72 |
C:\Users\Admin\Desktop\dcrat\plugins\BuildInstallationTweaksPlugin.plg
| MD5 | d2296986b47083fdc965d3bcccc8cce8 |
| SHA1 | 6bedc82418395705201c17a86a80619815833fd5 |
| SHA256 | 2d66eb6ac35a4cebe4df0dd9efff13e662ff4e3d71a47f4314eac7ae167d1f67 |
| SHA512 | 01bc9f996c2ec55a90179365d4d6ad6a4d70901f2f8532ac5b723fd48f1950f6d0a2ce4ed101ec8a22e0bfb25aeec37c64facc46dcb6128e0afe32b57fc518fa |
C:\Users\Admin\Desktop\dcrat\plugins\BSoDProtection\configuration.json
| MD5 | 192d9ad2141908acde6d3e67d469274e |
| SHA1 | 2c23154ff73e202167b58593b1306311fd39e59c |
| SHA256 | 954c72fefc76cadb975b81e4ffa8a651e91229f98179e945da0a248b22fe2d54 |
| SHA512 | 820e0875fbbc5a098c36c35d82fcb6dc739b2175c82fdc00c15fe7bc0a03a76ee7f3b2cb3867dcaf38b3084a399cd66ee70238bd10cac45801c31d3a6d92d9fa |
C:\Users\Admin\Desktop\dcrat\plugins\BSoDProtection.plg
| MD5 | 88584f350c58c51eb2ae11a96dc62391 |
| SHA1 | b56aba2558e2386b1803f34fefa62029d5c94417 |
| SHA256 | dd760670b178a06aab1a1a0dbe78a9f6d36cc82cb538705e50bb13dbdacd8e42 |
| SHA512 | 2290ebfad38de62f6fd61ded0becca29e9498bd0ddc29f27fc76b6f842955d012dc1c8d5b956c339ff857bfedce39308c326094389c4cf3112b7c0a402524966 |
C:\Users\Admin\Desktop\dcrat\plugins\BrowsersStealer_native\configuration.json
| MD5 | 7fee909db2d84b923b5b1a557d980def |
| SHA1 | 487cabe13d30e4d9841ddabc4a2c5aab8971316d |
| SHA256 | d5b69f3ce285b018f0cd1c4b93f4eacdbd02853f7c17c4c26e65f9665e59de84 |
| SHA512 | b8bf4e9c24555d6421dd54b3c138813da8c6ec5f8e0c34f03e64ec686f6c8ca984a34eff361e6ff4e5a2476b47c36b534252b85c2fc0dfa7983dea51825c5cca |
C:\Users\Admin\Desktop\dcrat\plugins\BrowsersStealer_native.plg
| MD5 | 6f572698625a63133bb2084d9bb71d94 |
| SHA1 | c8a328c8d7377ddf189410be32a2e10f1fd74f50 |
| SHA256 | d02d6b6f1e2e7291e41d0d076d45322f9d34ba23c9b35be843cf43afffbc06b8 |
| SHA512 | 898c17d4001aef45eb8585b0601c18899010717f2d867c7d3a5a947b4fdd57ffe5cec900732267eee798e559c452156dd94b826e76239020eb1b9ea9e6f7e05e |
C:\Users\Admin\Desktop\dcrat\plugins\BlockInputPlugin\configuration.json
| MD5 | afb18e21483320c671fbf3fc0e8852bf |
| SHA1 | 492d35550208e62ac013822b92379850fc76e877 |
| SHA256 | 53e5c864b7b35564c6c7b5d263b6f625c755127dab893ed6db3fba767fa1a180 |
| SHA512 | 5bffc0b2cf7479f231993c4aace989bafeed798855a18c5f14f97a54065861eceffe3ef44cd24c77d9ee872188f34311f4b0544db20b809808108516fd9ae535 |
C:\Users\Admin\Desktop\dcrat\plugins\BlockInputPlugin.plg
| MD5 | b6d792cf92aaab098bd20c610a32dc7d |
| SHA1 | 938bd54611ec0769fd6c868280d0e1a27f517bce |
| SHA256 | ad04867256b8adec506febb62980c0a516c05fbad7a4aaafaf86d72c42d9d5c0 |
| SHA512 | f9919c05330f98c566f9fff9012bbae5fb54923a1f96110df5ad7505edc9530beb988c0ea58aaf9dcbf69dd57856f77a80f5cd49358be15065fcc9eca1afa5d4 |
C:\Users\Admin\Desktop\dcrat\plugins\Audio_native\configuration.json
| MD5 | 4829fde8c25c2763214293eb37e50500 |
| SHA1 | 1949db855ffdde8c96a7ff370e08abbaab459fbf |
| SHA256 | 96184ab6b632d6715d7b9f22de206319c44e3b268db4ac7b85acf4cfd17f6902 |
| SHA512 | b4dcfb999ae54d111e80fc4e2f0f4241699e15e4c3045648f9c2470414e88eee21d6ae8f2921fbc937e13caf00fb677c655cd08d541c549b84e7d6719432cb4e |
C:\Users\Admin\Desktop\dcrat\plugins\AntiAnalysisPlugin\configuration.json
| MD5 | 3575f0e3dd5316c2122c8723b80a53f3 |
| SHA1 | feb80619c8ea7f43322e02ab99cb69135d83cd29 |
| SHA256 | 524cca97e3d0be041b4c52a20f83ccb5555c8e2abc23a69c434433cc8ce66113 |
| SHA512 | 78bd14afe21e7a0516dd4880ec76a1b22d5ba8f9b3323eca0f867f2315566c46008147f9652d9a7aeba11ed11f98c80a1622ca6380c18f130ec8670fda647c4e |
C:\Users\Admin\Desktop\dcrat\plugins\AntiAnalysisPlugin.plg
| MD5 | 745952c4ce75067e520be681d9c2112b |
| SHA1 | a442210c6b9c519faf04d38889ec6c459934bced |
| SHA256 | 07b57c642aad49c6cee7c9707906c65f2d76bca587427709261190a8a6c2887f |
| SHA512 | ce42290e5a0c558af5d72604447e18bc8cfeaa703809d7b7cd49af339dc067563b9f418266b53c1f126f16cfedb8f5aa1ec747b88a9f5e5566a7c111e713a3b2 |
C:\Users\Admin\Desktop\dcrat\plugins\ActiveWindowNotifier\configuration.json
| MD5 | 7274b40806ddc9b05aaf679efd9ed503 |
| SHA1 | 06a0ed8394004318859859c50dcb412153e65453 |
| SHA256 | 720b6c93d9bed8c9bf8a745762883256c9d9fc4bd3c1d282dced559742165163 |
| SHA512 | e2eeca868aef81e67d09af46525e98fcc6af3d17fdef321a5a97d5a85c8bbd34206f19f4fdaef9481985075f15d0acb1efb6e80671317d6080cc06bcc85e8dfd |
C:\Users\Admin\Desktop\dcrat\plugins\ActiveWindowNotifier.plg
| MD5 | 9d79462a38f05c98f8af9ce194086de3 |
| SHA1 | 2a1fbacc08c1b6f69bf285a2efa181ce0e14bb89 |
| SHA256 | 759adec692b3fc93e3a13c817536f70b80ca77f1c47f0998bab55d258dfd2173 |
| SHA512 | b54509ef21eb1e0df66f52d44dde3026c18b35d67c73dc8d2a15d434dbf297377a906c8d92e47ba2a5c85aa09227432c8643e21e61354009856970a1ff185e66 |
C:\Users\Admin\Desktop\dcrat\back.o
| MD5 | aef4b8423ae335762bbae012e2fc49d6 |
| SHA1 | 87e31aa55052205cba347c62c595cd054b5a1585 |
| SHA256 | 1dad158eebe2b6437b0ed6089495158be9e6ed7e31725894536888ab3f1a8b5f |
| SHA512 | 2aff6a5254e65d7b3d8d102cf5d28949d0de735f88a0e17d5a57c78cb3f54955622ff0e0dcf9389305bba31fa835fb706bd4c84a6400a84511f394582bdf8c3a |
memory/4460-1741-0x00000000008A0000-0x0000000000C2E000-memory.dmp
memory/4460-1761-0x00000000015C0000-0x00000000015E6000-memory.dmp
memory/4460-1765-0x0000000001330000-0x000000000133E000-memory.dmp
memory/4460-1767-0x00000000015F0000-0x000000000160C000-memory.dmp
memory/4460-1768-0x000000001BDF0000-0x000000001BE40000-memory.dmp
memory/4460-1770-0x0000000001590000-0x00000000015A0000-memory.dmp
memory/4460-1773-0x0000000001610000-0x0000000001628000-memory.dmp
memory/4460-1776-0x00000000015A0000-0x00000000015B0000-memory.dmp
memory/4460-1780-0x00000000015B0000-0x00000000015C0000-memory.dmp
memory/4460-1789-0x0000000002EE0000-0x0000000002EEE000-memory.dmp
memory/4460-1794-0x0000000002F20000-0x0000000002F32000-memory.dmp
memory/4460-1801-0x0000000002EF0000-0x0000000002F00000-memory.dmp
memory/4460-1805-0x000000001B840000-0x000000001B856000-memory.dmp
memory/4460-1809-0x000000001B860000-0x000000001B872000-memory.dmp
memory/4460-1828-0x000000001C370000-0x000000001C898000-memory.dmp
memory/4460-1830-0x0000000002F00000-0x0000000002F0E000-memory.dmp
memory/4460-1835-0x000000001B820000-0x000000001B830000-memory.dmp
memory/4460-1852-0x000000001BEA0000-0x000000001BEFA000-memory.dmp
memory/4460-1847-0x000000001B830000-0x000000001B840000-memory.dmp
memory/4460-1858-0x000000001B880000-0x000000001B88E000-memory.dmp
memory/4460-1863-0x000000001B890000-0x000000001B8A0000-memory.dmp
memory/4460-1866-0x000000001B9B0000-0x000000001B9BE000-memory.dmp
memory/4460-1868-0x000000001BE40000-0x000000001BE58000-memory.dmp
memory/4460-1871-0x000000001B9C0000-0x000000001B9CC000-memory.dmp
memory/4460-1873-0x000000001BF50000-0x000000001BF9E000-memory.dmp
memory/4932-2002-0x000001F15F0B0000-0x000001F15F0D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zu4hg1cz.zi2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TIZGX89WH6VEW3OZ64PI.temp
| MD5 | a603088d1233c05b5f007c0f8ff9a08c |
| SHA1 | 7af084d75f6ba8cd2913725fd09a7c2b62aa780e |
| SHA256 | cd9a962235c0c85e67d95e10aa956f91b8091e1559685d1237b20b5ab0f3ef13 |
| SHA512 | 24f0adeddb4d8b4b575bc851bf3f5c67bc3b869940f5f294a3af534547fdba989bb776b12ac9b57318e4c59158fa233fd6933b995465ec6b6f80fe0823dff2a4 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 4918c50c5616f735169dc342908cf3b4 |
| SHA1 | 6586dfe91cc32ff27bbe5344e08008949914706c |
| SHA256 | de8d38fc26dae5043f4600fe9a8bcf84d9a1d950dce9d4272e782063ca8f359e |
| SHA512 | 0ec110ce8b30a32761aecbaf418570330b667c700e4680d518004c5f69d19673f41824f5e395d8c4aaa7a0462655e3647695b0e512ce3bc0acb2d2822c1c8ff9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\prefs-1.js
| MD5 | b7b0fdfbe838cda0bf3d3bdf17fa67ab |
| SHA1 | c6fdc2f59dca31a2c89dd6aa4af0dc19d30ddaa7 |
| SHA256 | 1e07ccf2333e7eadb3883ec6cb736b604283d8cb0e1520ba4165adf829d85fad |
| SHA512 | 867f17f8a043979513eee81fae7ebece107e0da854a325eae97e9e58c54cdfb9a543a48f2dd382b66aa2f71429c73544a9cfa43a1d0c2f247ff1221935bd63ef |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | c266c368b57def68f4d48dc3282f03a1 |
| SHA1 | 40957de21af5f5b0cf5f2405f6d1687858774792 |
| SHA256 | cb9af2055fed9e9c55eabf6518fb59f8a2e3fcb0506698c0f747e920ddfd5bfe |
| SHA512 | 5fac7baa391c81da5d630e7a5a5a95b45a6684bbbba3f1b9b3220d8d9e157080333c0a59c194e85b80d4dc8fcbdc1cb62356cf0ababa6fa2fc5eed31259147e6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\l594d31n.default-release\bookmarkbackups\bookmarks-2024-05-03_11_lGGEHwAiKjDnYqTsLYT0rw==.jsonlz4
| MD5 | 8715856e279b11f43e931810aab4d627 |
| SHA1 | e2878f32348e68d91c1aa4c4775c33b4e5833bef |
| SHA256 | 50e5c4006d73a8668d105ebc128d7a847488f0d5bafeab7fbacbceae66e06290 |
| SHA512 | e4b3802f2480ae44e0672b72866f0f1466e9f88090288168288ba5f965a4e7433b5d8b13be35b2a73c08106582236e4807ede2fb2f5f4c5a6781219651958793 |