hxxps://drive[.]google[.]com/file/d/1_ClhugMqa4buQZorO2-ef4gHZE5lXsbH/view

Analysis

max time kernel
236s
max time network
330s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1_ClhugMqa4buQZorO2-ef4gHZE5lXsbH/view

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4056	DCRat (3).exe
4304	DCRat.exe
5028	php.exe

Loads dropped DLL 1 IoCs

pid	Process
5028	php.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1204	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
9	drive.google.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
316	msedge.exe
316	msedge.exe
4648	msedge.exe
4648	msedge.exe
2944	identity_helper.exe
2944	identity_helper.exe
2284	msedge.exe
2284	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3128	7zFM.exe
5092	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3128	7zFM.exe
Token: 35	3128	7zFM.exe
Token: SeSecurityPrivilege	3128	7zFM.exe
Token: SeSecurityPrivilege	3128	7zFM.exe
Token: SeIncreaseQuotaPrivilege	2888	WMIC.exe
Token: SeSecurityPrivilege	2888	WMIC.exe
Token: SeTakeOwnershipPrivilege	2888	WMIC.exe
Token: SeLoadDriverPrivilege	2888	WMIC.exe
Token: SeSystemProfilePrivilege	2888	WMIC.exe
Token: SeSystemtimePrivilege	2888	WMIC.exe
Token: SeProfSingleProcessPrivilege	2888	WMIC.exe
Token: SeIncBasePriorityPrivilege	2888	WMIC.exe
Token: SeCreatePagefilePrivilege	2888	WMIC.exe
Token: SeBackupPrivilege	2888	WMIC.exe
Token: SeRestorePrivilege	2888	WMIC.exe
Token: SeShutdownPrivilege	2888	WMIC.exe
Token: SeDebugPrivilege	2888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2888	WMIC.exe
Token: SeRemoteShutdownPrivilege	2888	WMIC.exe
Token: SeUndockPrivilege	2888	WMIC.exe
Token: SeManageVolumePrivilege	2888	WMIC.exe
Token: 33	2888	WMIC.exe
Token: 34	2888	WMIC.exe
Token: 35	2888	WMIC.exe
Token: 36	2888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2888	WMIC.exe
Token: SeSecurityPrivilege	2888	WMIC.exe
Token: SeTakeOwnershipPrivilege	2888	WMIC.exe
Token: SeLoadDriverPrivilege	2888	WMIC.exe
Token: SeSystemProfilePrivilege	2888	WMIC.exe
Token: SeSystemtimePrivilege	2888	WMIC.exe
Token: SeProfSingleProcessPrivilege	2888	WMIC.exe
Token: SeIncBasePriorityPrivilege	2888	WMIC.exe
Token: SeCreatePagefilePrivilege	2888	WMIC.exe
Token: SeBackupPrivilege	2888	WMIC.exe
Token: SeRestorePrivilege	2888	WMIC.exe
Token: SeShutdownPrivilege	2888	WMIC.exe
Token: SeDebugPrivilege	2888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2888	WMIC.exe
Token: SeRemoteShutdownPrivilege	2888	WMIC.exe
Token: SeUndockPrivilege	2888	WMIC.exe
Token: SeManageVolumePrivilege	2888	WMIC.exe
Token: 33	2888	WMIC.exe
Token: 34	2888	WMIC.exe
Token: 35	2888	WMIC.exe
Token: 36	2888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4612	WMIC.exe
Token: SeSecurityPrivilege	4612	WMIC.exe
Token: SeTakeOwnershipPrivilege	4612	WMIC.exe
Token: SeLoadDriverPrivilege	4612	WMIC.exe
Token: SeSystemProfilePrivilege	4612	WMIC.exe
Token: SeSystemtimePrivilege	4612	WMIC.exe
Token: SeProfSingleProcessPrivilege	4612	WMIC.exe
Token: SeIncBasePriorityPrivilege	4612	WMIC.exe
Token: SeCreatePagefilePrivilege	4612	WMIC.exe
Token: SeBackupPrivilege	4612	WMIC.exe
Token: SeRestorePrivilege	4612	WMIC.exe
Token: SeShutdownPrivilege	4612	WMIC.exe
Token: SeDebugPrivilege	4612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4612	WMIC.exe
Token: SeRemoteShutdownPrivilege	4612	WMIC.exe
Token: SeUndockPrivilege	4612	WMIC.exe
Token: SeManageVolumePrivilege	4612	WMIC.exe
Token: 33	4612	WMIC.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
3128	7zFM.exe
4648	msedge.exe
3128	7zFM.exe
3128	7zFM.exe
3128	7zFM.exe
5092	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1632	OpenWith.exe
1632	OpenWith.exe
1632	OpenWith.exe
4724	javaw.exe
4724	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 4484	4648	msedge.exe	83
PID 4648 wrote to memory of 4484	4648	msedge.exe	83
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 3740	4648	msedge.exe	84
PID 4648 wrote to memory of 316	4648	msedge.exe	85
PID 4648 wrote to memory of 316	4648	msedge.exe	85
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86
PID 4648 wrote to memory of 1560	4648	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1_ClhugMqa4buQZorO2-ef4gHZE5lXsbH/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdb8546f8,0x7ffcdb854708,0x7ffcdb854718
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,7491799614691064662,13993236923358341183,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6244 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:392

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\dcrat.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3128

C:\Users\Admin\Desktop\dcrat\dcrat\DCRat (3).exe
"C:\Users\Admin\Desktop\dcrat\dcrat\DCRat (3).exe"
1⤵
- Executes dropped EXE
PID:4056
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dprism.dirtyopts=false -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllI.jar;lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllIIilIl.jar;lib\IIlIlIllIIlIIllIIllIIlIIIllIlIlIlIIIIlIlIllIIlIIllIIIIIllIIIIlIIIlIIlIIlIIlIllIIlllIIIllIIIlIIlIllllIllIIIIlIIIlIllllllI.jar;lib\IlIIlIllllIIIIIlIlllIllIlIlIIIIIlIIIlIlIlllIIllIllIIIIIIlIIlllIIIlIIIlllIIIlllllIlIlIlllllIIlIllIIlIIlIIlIIIlllllllIlIII.jar;lib\IlIlIIIIIIIlIlllllllIllIIlIIllIllllIIIlIIIlIlIIlIIlIIlIllIlllIlIlIIllIIlIIIIIIIlIIIIIIIIIlIlllIIllIlIIlIIIlIlIlllIIIIIIl.jar;lib\IlIllIIllllllllIlIIlllllIIIIllIIIlIIlllIIllIIllllIIllIlIIIlIIIIlIIIIIlllllllIllIIlIlIllIIlIlIlIIllIlIllIIIlIIIIlIllIIIIl.jar;lib\IllIIIIllIlIIIIlIlIllIIlIIllIIlIllIIlllllIlllIllIlIIlIIlllIIlIlIlIllIllIIlIIIlIIIllIIIIIllIIlllllIlIIIIIlIIIIIIIIIIIIlII.jar;lib\lIIllIIlIlllIlIlllIlIIlIIIlllllIIlIlIIllIllIlIlllIlIIlIlIlIIllIlIIIIIllIIlIIlIIlIIllIIIlIIllIlIIIIlIlIIlIIlIllIIlIIlIlIl.jar;lib\llIlIIIIlIlIlllllIlIIllllIIIlIlIllllIIllllIlllIIlllllIIlIlllIIIIIIlIIllIIIlIlIlllIlIIIlIIIIIllIlllIlllIIllIIllIlIlIIlllI.jar;lib\llIlIlIIIllllIIIllllllllllIllIlIlllIIlllIIlllIIllIIllllIlllIIIIIllllIIlllIIllIIIIlIlIlIlIIIlIIIlIlIlIlIIlllIIlllIlIlIlII.jar;lib\lllIIlIlIIlIIllllIIllllIIlIllllIIIlIllllIIllIIIlllIIIIIIlIIlllIIllIllIIlllIlIIlIlIlllIIlllIlllIlIIlIIIllIlllIIIlIIIIIlll.jar;lib\lllIlIIIIIlIllIlIlIIllIlIIIlIIllIllllIIIIIllIlllIllIIllIIllIllIllIIlIlllllIIlIllIllIIlIIlIIIllIlIlIIlIIIIIIIllIIlllIllIl.jar;lib\llllIlIIIIIllllIlIIIlIllIlIIIllllIIIllIllllIIlllIlIIIlllIIlIlIlllIIlIIIIlIIIIlllIIlIIlIlIIIIIIIIllllIllIlIIIlIllIlIlIIll.jar;lib\llllIlIIlIllllIlIlIIIlIIIlIllIlIIIIlIlIIlIlIIIIllIIlIIllIIIllllIlIllIlllllIIIIIIIIllIllIlIlllllllIllIIIllllIIllIIlIllIll.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4724
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:1204
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe baseboard get Manufac ��
    3⤵
    PID:3664
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe baseboard get Manufac
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2888
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c USERPR ��
    3⤵
    PID:3040
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe baseboap��3��
    3⤵
    PID:2648
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe baseboap��3��
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4612
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe CPU get Proc ��8�Y
    3⤵
    PID:436
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe CPU get Proc
      4⤵
      PID:4028
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe diskdrive where "'Index*'L��] ��\�X[�[X�\\"
    3⤵
    PID:4316
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe diskdrive where "'Index*'L��] ��\�X[�[X�\\"
      4⤵
      PID:3016
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe Path Win32_VideoConp��3�\��]�Y[��\�
    3⤵
    PID:2928
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe Path Win32_VideoConp��3�\��]�Y[��\�
      4⤵
      PID:408
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c C:\Windows\System32\wbem\wmic.exe diskdrive where "'Il*'L��] ��^"
    3⤵
    PID:2408
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe diskdrive where "'Il*'L��] ��^"
      4⤵
      PID:4580

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\dcrat\dcrat\DCRat.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\dcrat\dcrat\123.bat" "
1⤵
PID:1540
- C:\Users\Admin\Desktop\dcrat\dcrat\DCRat.exe
  DCRat.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Users\Admin\Desktop\dcrat\dcrat\php\php.exe
  php -S 127.0.0.1:8000 -t ..\server
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
9294ab8c9f770313d365cbc552c46d12

SHA1
344d4f772d21837d9b3eaf05b627e5ff0c80a6ed

SHA256
959f40eae973e9ff335598263537274fddb74a770cedb157949d13b9cdd36572

SHA512
468755dedf01c2227f0d07e5373268895abcc4b930e43c915d9fac5a907c70b5e408e3350010e0aa060e8c7f4eb73fdbb360d97ddc0917845a2cd5189129f912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\82e67715-c213-43b1-b6d5-5edb5854c16e.tmp

Filesize
6KB

MD5
d8c98cfcfaa1560178fae994ec5f5ed8

SHA1
3a027526cde7c4b94d60be13aa7ebc0a6d475d71

SHA256
40e7fd8cb1980c80bd71a9311f2db1b7794cd59de2814e2063d3b199ab9775d9

SHA512
5bff661e888d106894b3f66ad5729ab2793179cfa9f33fe0a40c365bbc914394aca16804d5983bc3838ed58184fe45c12271ece3440f58f34e7da9f67d94e28e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
27713d276513cf8390bdb5b6bd09ceeb

SHA1
931f5c6dacbb48a3a20d9001f46f02a6f9ba53ab

SHA256
523a33df0a881a22e11b6e8233dbd960dc9095a2d7d46c707d3fef1ef446d1c3

SHA512
41df1624cb95bd4ac850c48d24f7b426180e8dcf36a6dc5c5cfec4e5113df9bde3c47331d372c3f76b9e101b49e4e55d226974eef00cc38c0489c95c93fa2503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7accf96eef9abfbebf546493e78a5f77

SHA1
1b9774a6fe9c26e165811b1e5428371a070e507a

SHA256
b6de931066f4a86ea24e55232a594068d726e7d3a592fade2cda0a182a9768db

SHA512
43b963a362ed1387b96e8cb7fe7573d340ea17396586a37d20f293d7b4ed50e87a4c93ed7dbbb5ee6652c25c51c88340f55458e2a5d6c17b873b8b24b772a015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8abc417c671f2723a332f417a187c476

SHA1
6fda06e48bab350ca33d470feb0e748105db483b

SHA256
e972988af9341287c33cdd605bec18d61c746825c0b9f56e892dc581cce5c93b

SHA512
7f820af81fe05bf742bd50add2ea968b5e983a9a60a857a4437ee206897db931182ddbcfb843fa1ec563770775b5ef2e6e9f5e1a9fdd1e90d81ff326cf1e0fd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
1c53febcb3abcd15faf0dae89dfaf1bb

SHA1
6ef5132af0cd11d024d0a943f21435b96741531f

SHA256
03280666fe86ec65c518c09e46848e1a8f3fa3176721416d922f9bda4fe70917

SHA512
0432e324496c4c18e8d64c4bfaae94cef278c9cfe3b0647db29e6b79cebd53d1459b666d42fc235f314cf992b5747d44f327d152964016ae761b1c67ac1fcb9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2ee1d567ca9ffd4d06304c3292910e25

SHA1
7d1ac1e8cc0afc533543f2950a4a203c6678a3b6

SHA256
d34d97f36e4db5bf972f621cba378c41e7b1601e1b1c16f07a55f55131a9b159

SHA512
4c5fb5f9ca6c42ce75883623354b30ee8586bab608b1b301a96deb68e46271ede1061629e1aecdf4ecf4c23c8515d02c39de6f8114803283d7fa0125a2052592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a9ec87cbcbd6b73a6fe6a3c812180125

SHA1
2da6f1700a855c66263c9d9b66f9214d560d00d7

SHA256
98677edb7c042b063057c72ef1949af7fa432d8f9d1403591f13041f5c25cda4

SHA512
88ae3d9406b82e247251bf75275fa75f6dcb30a49f7788eddcdaf398b752c8bfc1b161af31fda4ae6fc2bb77d2623b87746d54a5771044f812b5771567e09a76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dfa8195d4e14787d3ad5344b77887b9f

SHA1
446d2ed8d966ffc1b7c48bd07bcd5cc0e75e6efc

SHA256
e09df17438b8d37ea313da17e5f4b29ef6f8cf05e56c33002883adc17877216e

SHA512
e403a950b28e1e41bbf3ba1c113723f60dd5ad366bb76cfbfa0af7295b306dcd32fa3cc420db6e3183c620bfd77bd0c897200ba3098c2e7fec4c8c92ae0f8e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93ad7b615054212d589ef3edc9d9d1c7

SHA1
c4f7a24ec5c8f04f8abcb24c951b95fff06b2d56

SHA256
25869ed13fa007145f8929f430adc9d664851aea52447d1279081eca7d848e16

SHA512
a14deee8c748ffe17bcfc3f2f29b2a419ece7f0c7b07000ff4ac5d14143a3622ed5bdff2a616ed3399dc0cbe5ee1eec91020afaddd7715c525ef4edce1081fee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1a813bad1d1604959606dae7ab04dcc1

SHA1
3420e10e01eee12369e64f0e0c357f1e29df428b

SHA256
71f3b037df124d1a7790a22e74c5ac00bc0f2325ef1de374192cdeb3419c73e9

SHA512
4d9a680a2d08061046f7033afd27f75b9a0701cbe14fdc82dc6798648f2e901c46f6eef1ed38cfe35380a8ca925f36940dabc23a6ea14198aa200b443c4183d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a2c1c43a74e43a9ce66b680279fa7f7c

SHA1
72f5a42dd918ad75d14c34dbb9da46000e0e430c

SHA256
1307a89c05533feca498dfe7b380d3b632c544756a7ae206b88d4dcc33daed36

SHA512
5debfd432eaede7e624512313f086e702d1cea6f3ee08359939962832609683885a704d9656ff070c1b45b6f97f75552a635b92d4d75681aa0322f9e8b042b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
53627b4451ce6f585d3a982eea0ba659

SHA1
cb06f4fe08ee1effb9f5bfb9c083ff6ffe3b5e5c

SHA256
e32b90c08117b9fd40551059f5915a0280d1dce020d47f72d23755f0fb95b685

SHA512
10df0337ef99b865e74209a541ff07c8d4df19d88b361ae4d4d6d02cc010203f764ad26c66ee6a2b2bf67b0a11e717f18f030e64753627bc4faae557b1d048d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE83C05B39\dcrat\plugins\chat_native\fav.png

Filesize
2KB

MD5
a8e72c0e27750ce36da3110126c38afe

SHA1
e96bc3555f8ed8e715af94d492965b4e6597563c

SHA256
a4f7e5adde35c1979fbf2cc44b37e2907ec963468443e34262b207dd3dab81b8

SHA512
e43e2c6abb6006c783331cb8b0e290560bb65f7cfd0e113bbddb31a6978aee31fb39a2b22b38ef83f27d512152329d066bc270e640e8900b2746a2a4e0b4dd48

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\DCRat (3).exe

Filesize
72KB

MD5
2c7d37e90dd8ab57d06dad5bc7956885

SHA1
da789c107c4c68b8250b6589e45e5a3cf7a9a143

SHA256
5ede5d774ab65f25357cf5a1fa5e354f6f2a9868651a0fa717485802b21b1939

SHA512
e74ae891771bfd9c6fcdfbe8e4f33f0d5f7c3457cd84b257500cdaf8fa8b16fe458a18db9b3a60591465982fc2871f4c3f2e7541c765f00a0516f805e7e9ca0f

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\DCRat.exe

Filesize
415KB

MD5
75166680c090f5404d5aa5e93cf39601

SHA1
e5c5e0e4554e6685f97eaca897c844c9238608c4

SHA256
89728bd6f1c47ac7b3574e3d2865cb42e36ae6efc16ce72cc94d60d7c7bceea2

SHA512
57919dfab5071121ef8a6fa6c8091bf825e65996e93efa151bb25a55eb7533be9eabc03685da747084ac3ca762ea621f8c69acf3bb32f0d29c406d8ef5552d2b

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\back.o

Filesize
664KB

MD5
aef4b8423ae335762bbae012e2fc49d6

SHA1
87e31aa55052205cba347c62c595cd054b5a1585

SHA256
1dad158eebe2b6437b0ed6089495158be9e6ed7e31725894536888ab3f1a8b5f

SHA512
2aff6a5254e65d7b3d8d102cf5d28949d0de735f88a0e17d5a57c78cb3f54955622ff0e0dcf9389305bba31fa835fb706bd4c84a6400a84511f394582bdf8c3a

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\config.cson

Filesize
128B

MD5
abad3aaf668fa447d2a82ca6aa1d96d8

SHA1
e96bf53b6e819c8d1841c056ce05656fe3f544dd

SHA256
421c444a495ca95c91ccfb2f49bed456119841f5d70caf96588d9404f93828bc

SHA512
cda7f019fa630c4b095d16a7aa7072573e6d8514107b020e78a3dfdde5390b9a1941b878328163bfc6d7e3b0e1c672e58ac39829c0e2aff1551bb633810e4708

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\history.cson

Filesize
428B

MD5
b0793c415db6944bfe0442fd5102cbad

SHA1
efeaed75daa2a2d8149110e1f6b5ab16bcbfa553

SHA256
a4f1391b33300ae12e69149a295dd761028d20d87e02caac1a6d8d9e114f3e32

SHA512
30e32f6e2ea9b5179a61447420030f7ddaa7de104dabefa23c61e16ea3093d61e379dc0ad6ea517948cbd49d43b779e1fac28d41af2d89a2b8f4b80589e06173

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllI.jar

Filesize
2.3MB

MD5
6316f84bc78d40b138dab1adc978ca5d

SHA1
b12ea05331ad89a9b09937367ebc20421f17b9ff

SHA256
d637e3326f87a173abd5f51ac98906a3237b9e511d07d31d6aafcf43f33dac17

SHA512
1cdca01ed9c2bc607207c8c51f4b532f4153e94b3846308332eccae25f9c5fddf8279e3063f44a75dd43d696eab0f9f340f9bf2f3ec805ab0f2f1de5135a426c

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\IIIllllIlIlllIlIIIIlllIlIlIlllllIIIlIIllllIIIlIllIIlIIllllIIllllllIIlIIIIIIlllIIIlIllllllIIllIlIllIlllIllIlIIIIIIIIllllIIilIl.jar

Filesize
5.5MB

MD5
f323bd3b1e342a856bf3036453cd01b2

SHA1
a8c48a731c350d1514ddcc6a99738cb93277fe14

SHA256
64bc153889ab341d4ec8e693fafe117651d3b627d1a608dad951f5b030aab26f

SHA512
764e1643f2f0b2a5c64e2fd52b2ed8cb3597469ec7ea2c28c2009c0d0b1f5e1dbbcc12b6cf36e94ae7db53bb9d118cd3d33ad92de0c3e256b751c5085e3489a4

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\IIlIlIllIIlIIllIIllIIlIIIllIlIlIlIIIIlIlIllIIlIIllIIIIIllIIIIlIIIlIIlIIlIIlIllIIlllIIIllIIIlIIlIllllIllIIIIlIIIlIllllllI.jar

Filesize
464KB

MD5
7e5e3d6d352025bd7f093c2d7f9b21ab

SHA1
ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57

SHA256
5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a

SHA512
c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\IlIIlIllllIIIIIlIlllIllIlIlIIIIIlIIIlIlIlllIIllIllIIIIIIlIIlllIIIlIIIlllIIIlllllIlIlIlllllIIlIllIIlIIlIIlIIIlllllllIlIII.jar

Filesize
19KB

MD5
0a79304556a1289aa9e6213f574f3b08

SHA1
7ee3bde3b1777bf65d4f62ce33295556223a26cd

SHA256
434e57fffc7df0b725c1d95cabafdcdb83858ccb3e5e728a74d3cf33a0ca9c79

SHA512
1560703d0c162d73c99cef9e8ddc050362e45209cc8dea6a34a49e2b6f99aae462eae27ba026bdb29433952b6696896bb96998a0f6ac0a3c1dbbb2f6ebc26a7e

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\IlIlIIIIIIIlIlllllllIllIIlIIllIllllIIIlIIIlIlIIlIIlIIlIllIlllIlIlIIllIIlIIIIIIIlIIIIIIIIIlIlllIIllIlIIlIIIlIlIlllIIIIIIl.jar

Filesize
250KB

MD5
fe734f7ab030363362fe3d3ba5e8f913

SHA1
2e9d54e3b410557c51c3ea101d66efbb5266b80a

SHA256
03ead999502aefbf1380bd2e9c4a407acb7a92a7b2fe61f6995aba3fca85efd4

SHA512
303ecea5f3f1130f473cde0d78270090290b6f13311bf7459282257ac3097b2b6086db461183f2d8c97a9101372155bf59bbfa12a74925136d0a2a615b648b2a

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\IlIllIIllllllllIlIIlllllIIIIllIIIlIIlllIIllIIllllIIllIlIIIlIIIIlIIIIIlllllllIllIIlIlIllIIlIlIlIIllIlIllIIIlIIIIlIllIIIIl.jar

Filesize
688KB

MD5
6696368a09c7f8fed4ea92c4e5238cee

SHA1
f89c282e557d1207afd7158b82721c3d425736a7

SHA256
c25d7a7b8f0715729bccb817e345f0fdd668dd4799c8dab1a4db3d6a37e7e3e4

SHA512
0ab24f07f956e3cdcd9d09c3aa4677ff60b70d7a48e7179a02e4ff9c0d2c7a1fc51624c3c8a5d892644e9f36f84f7aaf4aa6d2c9e1c291c88b3cff7568d54f76

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\IllIIIIllIlIIIIlIlIllIIlIIllIIlIllIIlllllIlllIllIlIIlIIlllIIlIlIlIllIllIIlIIIlIIIllIIIIIllIIlllllIlIIIIIlIIIIIIIIIIIIlII.jar

Filesize
226KB

MD5
5134a2350f58890ffb9db0b40047195d

SHA1
751f548c85fa49f330cecbb1875893f971b33c4e

SHA256
2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32

SHA512
c3cdaf66a99e6336abc80ff23374f6b62ac95ab2ae874c9075805e91d849b18e3f620cc202b4978fc92b73d98de96089c8714b1dd096b2ae1958cfa085715f7a

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\lIIllIIlIlllIlIlllIlIIlIIIlllllIIlIlIIllIllIlIlllIlIIlIlIlIIllIlIIIIIllIIlIIlIIlIIllIIIlIIllIlIIIIlIlIIlIIlIllIIlIIlIlIl.jar

Filesize
50KB

MD5
d093f94c050d5900795de8149cb84817

SHA1
54058dda5c9e66a22074590072c8a48559bba1fb

SHA256
4bec0794a0d69debe2f955bf495ea7c0858ad84cb0d2d549cacb82e70c060cba

SHA512
3faaa415fba5745298981014d0042e8e01850fccaac22f92469765fd8c56b920da877ff3138a629242d9c52e270e7e2ce89e7c69f6902859f48ea0359842e2fb

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\llIlIIIIlIlIlllllIlIIllllIIIlIlIllllIIllllIlllIIlllllIIlIlllIIIIIIlIIllIIIlIlIlllIlIIIlIIIIIllIlllIlllIIllIIllIlIlIIlllI.jar

Filesize
16KB

MD5
fde38932b12fc063451af6613d4470cc

SHA1
bc08c114681a3afc05fb8c0470776c3eae2eefeb

SHA256
9967ea3c3d1aee8db5a723f714fba38d2fc26d8553435ab0e1d4e123cd211830

SHA512
0f211f81101ced5fff466f2aab0e6c807bb18b23bc4928fe664c60653c99fa81b34edf5835fcc3affb34b0df1fa61c73a621df41355e4d82131f94fcc0b0e839

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\llIlIlIIIllllIIIllllllllllIllIlIlllIIlllIIlllIIllIIllllIlllIIIIIllllIIlllIIllIIIIlIlIlIlIIIlIIIlIlIlIlIIlllIIlllIlIlIlII.jar

Filesize
103KB

MD5
0c8768cdeb3e894798f80465e0219c05

SHA1
c4da07ac93e4e547748ecc26b633d3db5b81ce47

SHA256
15f36830124fc7389e312cf228b952024a8ce8601bf5c4df806bc395d47db669

SHA512
35db507a3918093b529547e991ab6c1643a96258fc95ba1ea7665ff762b0b8abb1ef732b3854663a947effe505be667bd2609ffcccb6409a66df605f971da106

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\lllIIlIlIIlIIllllIIllllIIlIllllIIIlIllllIIllIIIlllIIIIIIlIIlllIIllIllIIlllIlIIlIlIlllIIlllIlllIlIIlIIIllIlllIIIlIIIIIlll.jar

Filesize
12KB

MD5
3e5e8cccff7ff343cbfe22588e569256

SHA1
66756daa182672bff27e453eed585325d8cc2a7a

SHA256
0f26584763ef1c5ec07d1f310f0b6504bc17732f04e37f4eb101338803be0dc4

SHA512
8ea5f31e25c3c48ee21c51abe9146ee2a270d603788ec47176c16acac15dad608eef4fa8ca0f34a1bbc6475c29e348bd62b0328e73d2e1071aaa745818867522

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\lllIlIIIIIlIllIlIlIIllIlIIIlIIllIllllIIIIIllIlllIllIIllIIllIllIllIIlIlllllIIlIllIllIIlIIlIIIllIlIlIIlIIIIIIIllIIlllIllIl.jar

Filesize
1.1MB

MD5
d5ef47c915bef65a63d364f5cf7cd467

SHA1
f711f3846e144dddbfb31597c0c165ba8adf8d6b

SHA256
9c287472408857301594f8f7bda108457f6fdae6e25c87ec88dbf3012e5a98b6

SHA512
04aeb956bfcd3bd23b540f9ad2d4110bb2ffd25fe899152c4b2e782daa23a676df9507078ecf1bfc409ddfbe2858ab4c4c324f431e45d8234e13905eb192bae8

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\llllIlIIIIIllllIlIIIlIllIlIIIllllIIIllIllllIIlllIlIIIlllIIlIlIlllIIlIIIIlIIIIlllIIlIIlIlIIIIIIIIllllIllIlIIIlIllIlIlIIll.jar

Filesize
16KB

MD5
b50e2c75f5f0e1094e997de8a2a2d0ca

SHA1
d789eb689c091536ea6a01764bada387841264cb

SHA256
cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23

SHA512
57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\lib\llllIlIIlIllllIlIlIIIlIIIlIllIlIIIIlIlIIlIlIIIIllIIlIIllIIIllllIlIllIlllllIIIIIIIIllIllIlIlllllllIllIIIllllIIllIIlIllIll.jar

Filesize
95KB

MD5
4bc2aea7281e27bc91566377d0ed1897

SHA1
d02d897e8a8aca58e3635c009a16d595a5649d44

SHA256
4aef566bbf3f0b56769a0c45275ebbf7894e9ddb54430c9db2874124b7cea288

SHA512
da35bb2f67bca7527dc94e5a99a162180b2701ddca2c688d9e0be69876aca7c48f192d0f03d431ccd2d8eec55e0e681322b4f15eba4db29ef5557316e8e51e10

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\plugins\ActiveWindowNotifier.plg

Filesize
233B

MD5
9d79462a38f05c98f8af9ce194086de3

SHA1
2a1fbacc08c1b6f69bf285a2efa181ce0e14bb89

SHA256
759adec692b3fc93e3a13c817536f70b80ca77f1c47f0998bab55d258dfd2173

SHA512
b54509ef21eb1e0df66f52d44dde3026c18b35d67c73dc8d2a15d434dbf297377a906c8d92e47ba2a5c85aa09227432c8643e21e61354009856970a1ff185e66

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\plugins\ActiveWindowNotifier\configuration.json

Filesize
112B

MD5
7274b40806ddc9b05aaf679efd9ed503

SHA1
06a0ed8394004318859859c50dcb412153e65453

SHA256
720b6c93d9bed8c9bf8a745762883256c9d9fc4bd3c1d282dced559742165163

SHA512
e2eeca868aef81e67d09af46525e98fcc6af3d17fdef321a5a97d5a85c8bbd34206f19f4fdaef9481985075f15d0acb1efb6e80671317d6080cc06bcc85e8dfd

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\plugins\AntiAnalysisPlugin.plg

Filesize
222B

MD5
745952c4ce75067e520be681d9c2112b

SHA1
a442210c6b9c519faf04d38889ec6c459934bced

SHA256
07b57c642aad49c6cee7c9707906c65f2d76bca587427709261190a8a6c2887f

SHA512
ce42290e5a0c558af5d72604447e18bc8cfeaa703809d7b7cd49af339dc067563b9f418266b53c1f126f16cfedb8f5aa1ec747b88a9f5e5566a7c111e713a3b2

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\plugins\AntiAnalysisPlugin\configuration.json

Filesize
96B

MD5
3575f0e3dd5316c2122c8723b80a53f3

SHA1
feb80619c8ea7f43322e02ab99cb69135d83cd29

SHA256
524cca97e3d0be041b4c52a20f83ccb5555c8e2abc23a69c434433cc8ce66113

SHA512
78bd14afe21e7a0516dd4880ec76a1b22d5ba8f9b3323eca0f867f2315566c46008147f9652d9a7aeba11ed11f98c80a1622ca6380c18f130ec8670fda647c4e

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\plugins\Audio_native.plg

Filesize
168B

MD5
630f22251fedbe30e968432d68ae8543

SHA1
6d25f9813b0995a3d032482abb7844cf4646b66f

SHA256
822869646486a798dc943c015e1bca6ac19b440652f8c93ddec4373c76846bef

SHA512
acc1b2ca19c4d30202423ecfd94c32420ea11171d72ac309d6849a31b67ca9832903987cffd807cfaf36a6760dcc60d45fdd9aafffb25669f40d864c4fdf545d

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\plugins\Audio_native\configuration.json

Filesize
102B

MD5
4829fde8c25c2763214293eb37e50500

SHA1
1949db855ffdde8c96a7ff370e08abbaab459fbf

SHA256
96184ab6b632d6715d7b9f22de206319c44e3b268db4ac7b85acf4cfd17f6902

SHA512
b4dcfb999ae54d111e80fc4e2f0f4241699e15e4c3045648f9c2470414e88eee21d6ae8f2921fbc937e13caf00fb677c655cd08d541c549b84e7d6719432cb4e

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\plugins\BSoDProtection.plg

Filesize
285B

MD5
88584f350c58c51eb2ae11a96dc62391

SHA1
b56aba2558e2386b1803f34fefa62029d5c94417

SHA256
dd760670b178a06aab1a1a0dbe78a9f6d36cc82cb538705e50bb13dbdacd8e42

SHA512
2290ebfad38de62f6fd61ded0becca29e9498bd0ddc29f27fc76b6f842955d012dc1c8d5b956c339ff857bfedce39308c326094389c4cf3112b7c0a402524966

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\plugins\BSoDProtection\configuration.json

Filesize
104B

MD5
192d9ad2141908acde6d3e67d469274e

SHA1
2c23154ff73e202167b58593b1306311fd39e59c

SHA256
954c72fefc76cadb975b81e4ffa8a651e91229f98179e945da0a248b22fe2d54

SHA512
820e0875fbbc5a098c36c35d82fcb6dc739b2175c82fdc00c15fe7bc0a03a76ee7f3b2cb3867dcaf38b3084a399cd66ee70238bd10cac45801c31d3a6d92d9fa

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\plugins\BlockInputPlugin.plg

Filesize
229B

MD5
b6d792cf92aaab098bd20c610a32dc7d

SHA1
938bd54611ec0769fd6c868280d0e1a27f517bce

SHA256
ad04867256b8adec506febb62980c0a516c05fbad7a4aaafaf86d72c42d9d5c0

SHA512
f9919c05330f98c566f9fff9012bbae5fb54923a1f96110df5ad7505edc9530beb988c0ea58aaf9dcbf69dd57856f77a80f5cd49358be15065fcc9eca1afa5d4

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\plugins\BlockInputPlugin\configuration.json

Filesize
106B

MD5
afb18e21483320c671fbf3fc0e8852bf

SHA1
492d35550208e62ac013822b92379850fc76e877

SHA256
53e5c864b7b35564c6c7b5d263b6f625c755127dab893ed6db3fba767fa1a180

SHA512
5bffc0b2cf7479f231993c4aace989bafeed798855a18c5f14f97a54065861eceffe3ef44cd24c77d9ee872188f34311f4b0544db20b809808108516fd9ae535

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\plugins\BrowsersStealer_native.plg

Filesize
200B

MD5
6f572698625a63133bb2084d9bb71d94

SHA1
c8a328c8d7377ddf189410be32a2e10f1fd74f50

SHA256
d02d6b6f1e2e7291e41d0d076d45322f9d34ba23c9b35be843cf43afffbc06b8

SHA512
898c17d4001aef45eb8585b0601c18899010717f2d867c7d3a5a947b4fdd57ffe5cec900732267eee798e559c452156dd94b826e76239020eb1b9ea9e6f7e05e

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\plugins\BrowsersStealer_native\configuration.json

Filesize
112B

MD5
7fee909db2d84b923b5b1a557d980def

SHA1
487cabe13d30e4d9841ddabc4a2c5aab8971316d

SHA256
d5b69f3ce285b018f0cd1c4b93f4eacdbd02853f7c17c4c26e65f9665e59de84

SHA512
b8bf4e9c24555d6421dd54b3c138813da8c6ec5f8e0c34f03e64ec686f6c8ca984a34eff361e6ff4e5a2476b47c36b534252b85c2fc0dfa7983dea51825c5cca

Download Submit
C:\Users\Admin\Desktop\dcrat\dcrat\plugins\BuildInstallationTweaksPlugin.plg

Filesize
302B

MD5
d2296986b47083fdc965d3bcccc8cce8

SHA1
6bedc82418395705201c17a86a80619815833fd5

SHA256
2d66eb6ac35a4cebe4df0dd9efff13e662ff4e3d71a47f4314eac7ae167d1f67

SHA512
01bc9f996c2ec55a90179365d4d6ad6a4d70901f2f8532ac5b723fd48f1950f6d0a2ce4ed101ec8a22e0bfb25aeec37c64facc46dcb6128e0afe32b57fc518fa

Download Submit
C:\Users\Admin\Downloads\dcrat.rar

Filesize
44.3MB

MD5
3cd571bc8f91ead1efd573aabf8d8db6

SHA1
38a33abe12923709c8a4eb6b6d179f959920cd15

SHA256
9186710bd411d861ef42ae3a452da392156cc20f23613c3d752b01e0204438c6

SHA512
f0cd13036ef34aa44999379b4d3e1ceff39d2a8ecd67d63c7f307bab26ff1e941f784f9478455580ffde6df0d2fa7db3db8d9e07284c70204e8abf4c350addce

Download Submit
memory/4056-877-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4304-1535-0x0000000000790000-0x00000000007FE000-memory.dmp

Filesize
440KB

Download
memory/4724-901-0x0000021961D60000-0x0000021961D61000-memory.dmp

Filesize
4KB

Download
memory/4724-1202-0x0000021963580000-0x0000021964580000-memory.dmp

Filesize
16.0MB

Download
memory/4724-1204-0x0000021963580000-0x0000021964580000-memory.dmp

Filesize
16.0MB

Download
memory/4724-1203-0x0000021963580000-0x0000021964580000-memory.dmp

Filesize
16.0MB

Download
memory/4724-1071-0x0000021961D60000-0x0000021961D61000-memory.dmp

Filesize
4KB

Download
memory/4724-1059-0x0000021961D60000-0x0000021961D61000-memory.dmp

Filesize
4KB

Download
memory/4724-984-0x0000021961D60000-0x0000021961D61000-memory.dmp

Filesize
4KB

Download
memory/4724-973-0x0000021961D60000-0x0000021961D61000-memory.dmp

Filesize
4KB

Download
memory/4724-959-0x0000021961D60000-0x0000021961D61000-memory.dmp

Filesize
4KB

Download
memory/4724-912-0x0000021961D60000-0x0000021961D61000-memory.dmp

Filesize
4KB

Download