
Analysis

  • max time kernel
    61s
  • max time network
    65s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    05/01/2025, 12:27

General

  • Target

    https://github.com/komsad/likaq/blob/main/DCrat.rar

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

5.tcp.eu.ngrok.io:19587

Mutex

d8c514f6c639c3b8951aabb752c3344a

Attributes
  • reg_key

    d8c514f6c639c3b8951aabb752c3344a

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/komsad/likaq/blob/main/DCrat.rar
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fd703cb8,0x7ff8fd703cc8,0x7ff8fd703cd8
      2⤵
        PID:400
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
        2⤵
          PID:4236
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3164
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
          2⤵
            PID:3832
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
            2⤵
              PID:4584
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
              2⤵
                PID:1124
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
                2⤵
                  PID:1764
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
                  2⤵
                  • NTFS ADS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5024
                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:492
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1708
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
                  2⤵
                    PID:1408
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
                    2⤵
                      PID:3420
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
                      2⤵
                        PID:3416
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
                        2⤵
                          PID:4992
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:728
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:972
                          • C:\Windows\System32\rundll32.exe
                            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                            1⤵
                              PID:1220
                            • C:\Program Files\7-Zip\7zG.exe
                              "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2969:72:7zEvent1776
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              PID:4248
                            • C:\Users\Admin\Downloads\DCrat-Crack\DCrat-main Crack.exe
                              "C:\Users\Admin\Downloads\DCrat-Crack\DCrat-main Crack.exe"
                              1⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              PID:768
                              • C:\Users\Admin\AppData\Roaming\saads.bat
                                "C:\Users\Admin\AppData\Roaming\saads.bat"
                                2⤵
                                • Drops startup file
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Drops autorun.inf file
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: GetForegroundWindowSpam
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2984
                                • C:\Windows\SysWOW64\netsh.exe
                                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\saads.bat" "saads.bat" ENABLE
                                  3⤵
                                  • Modifies Windows Firewall
                                  • Event Triggered Execution: Netsh Helper DLL
                                  • System Location Discovery: System Language Discovery
                                  PID:4988
                            • C:\Program Files\VideoLAN\VLC\vlc.exe
                              "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\DCrat-Crack\Sound\Sound.wav"
                              1⤵
                              • Suspicious behavior: AddClipboardFormatListener
                              • Suspicious behavior: GetForegroundWindowSpam
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of SetWindowsHookEx
                              PID:2212
                            • C:\Windows\system32\AUDIODG.EXE
                              C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D8
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3300

                            Network

                            MITRE ATT&CK Enterprise v15

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              c0a1774f8079fe496e694f35dfdcf8bc

                              SHA1

                              da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

                              SHA256

                              c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

                              SHA512

                              60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              e11c77d0fa99af6b1b282a22dcb1cf4a

                              SHA1

                              2593a41a6a63143d837700d01aa27b1817d17a4d

                              SHA256

                              d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

                              SHA512

                              c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                              Filesize

                              1KB

                              MD5

                              e4b80b626242b4a8a96257c355cacf02

                              SHA1

                              f2d1287f1d80947d13254902e291dd5f25076abc

                              SHA256

                              65ff40a3c51a14e36e8b5761cb3ac7fd5ed4236912ab3ff8901789be6dcbc05d

                              SHA512

                              c977867032d9e908811c5ba85d31b4de100c6f1a7a4a56caaedf524e60638000a1e4b7e29b666357776fb76b9d7e2b8f92c54e3fb3a9f224850c96b1267e1feb

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              6KB

                              MD5

                              16f530dedf04a312ac525a797747c8a6

                              SHA1

                              8ed895af636d1e25fba5709b36d605ec264df8e1

                              SHA256

                              8a95a9a8dc87d29d07c82e812257f5cb6df3e4e6a84400ad330a2a6c12d3e54f

                              SHA512

                              2e0c5ea994d850f8926fc1f8dac1da13e84b097f4c45d806274791affdf2d9f0cb385e376919447370e5d39fd4b735546925f71c6fa9c0ffb2428618ac46fd8c

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              6KB

                              MD5

                              4742f28a4993eee68bc28e0b18407f34

                              SHA1

                              a93a1c1c1495cc790862d061a49022297c2b3139

                              SHA256

                              07daa67678572c6d65fa17803d82e053aa50a388fda05699b85c12c04c903cf7

                              SHA512

                              87ba19a4d0813ccdce31a5fdf2d674a7daeda74a4aeecb8eee9b29fa87de560c2d5cb957a24bdb97d6074563f460a570a6a29422fca4dce6bb33415c6295eb08

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                              Filesize

                              1KB

                              MD5

                              3c561cf88efe939ca4d252d37c239395

                              SHA1

                              e6da6cfffb3a28d446cb90fd264c27a1f0ef4e63

                              SHA256

                              194c6676e3bc0b081cdb6fb61643e29fa53aaf3211d33f5bb67ad642d910a2d7

                              SHA512

                              568b3c6eeabd2874407530be066792f6e41346de7e56fb3faab535ddad121e8f38258c0a9aac19afe6db5fc7dc4a3187f51bc293b02bca70339b00cf8f3a1d0b

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                              Filesize

                              1KB

                              MD5

                              8ba2c2c65485931470cb44dd1b548299

                              SHA1

                              c6d2866521d8c91e4e44b2b1021965e9254142f7

                              SHA256

                              608181de6a5af00c4ee1e7f5863cfe3ba4f8d26dac3aeb1a2f4e608481eaf67c

                              SHA512

                              33e753845af483531c83824fa4e53285bd523dc910c6fb4ba6c3ebbbbb10ed77cd55a79ddcd248151c391ca2d1d3c9324f8f27dbc3c3dcd964729014bed81178

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                              MD5

                              46295cac801e5d4857d09837238a6394

                              SHA1

                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                              SHA256

                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                              SHA512

                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                              MD5

                              206702161f94c5cd39fadd03f4014d98

                              SHA1

                              bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                              SHA256

                              1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                              SHA512

                              0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\eefced16-2310-45ea-bab8-3147289c5749.tmp

                              Filesize

                              5KB

                              MD5

                              ad13afedc7d9e7dfa770bd5f0004b18c

                              SHA1

                              3afb5e9c2cdb897d27ae96773564c15f2ee54c2c

                              SHA256

                              a8b5208b487d1ab000eff8098c2da9fb6c06a92f06bb1b070824c91a2cf1d3bf

                              SHA512

                              a89a020a53cb2409ec1aaa80061163609806da799e495d15ff773df438aa56b55098adf2e14458e6d72fd1de8e4c8846ac93a8d1cd358fb7ef2993d53931f90a

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              10KB

                              MD5

                              33ee7ff298b969fb0b60d56b64fe2191

                              SHA1

                              815444ea50d97895a227b2c0a521daabfa13640d

                              SHA256

                              4906718d896b388f51445e2a91bb34e1c9198b7389bc32a8bed568d94ab5e1de

                              SHA512

                              ebcaeaf87ef822e35368af124bb974f5830be9ed6d3185cc78f6b0082cb9b8dd78a2f61e3505402f816558c32a7834a6b658b516759a5019ad3cfff88315eff0

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              10KB

                              MD5

                              c0e433709c4b2398920b8a7aa6bfcb8c

                              SHA1

                              6225f273c167ff667091271722cea3da3b813d19

                              SHA256

                              03a3063ace8b8478cd8984530a17db2a940b6745682c4112653976497c4d4698

                              SHA512

                              159ef04cdc6c6e97415a7f7e893cafa281be6e986ac3df4cdac918819def02c993fd6bfa86151278b56da9af9f6b991f40dd393c8d14cfe77154cdcb16263e1b

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              10KB

                              MD5

                              597ec5a7ff84ba72349d0dd1bd4500b5

                              SHA1

                              ebb95422dc4c77f1bbbf2efdd19dcfbf83635cc2

                              SHA256

                              bf6049e4d37fa7fa2589b1d44f7a3000d62295e14eeffe07b296595ae8d95058

                              SHA512

                              406d1c36d2d0c1d1a86fd09b4082d4b71ed1cbfdb3b883abbde0c719d0cfe94be23ebdbb3bc9a91d8a1b406e21aab8edd1c0fa928eda89e7dd275807fe1563fd

                            • C:\Users\Admin\Downloads\DCrat-Crack\DCrat-main Crack.exe

                              Filesize

                              37KB

                              MD5

                              744e1221f6467d0b7e73a10f52e6cd6c

                              SHA1

                              33e85ae9412fa870e5d6de31502e7d48c64ce224

                              SHA256

                              31c37ff61aa322192236c9672f09e3d97b6e6e09c5019077df7d0567d4c0b48b

                              SHA512

                              704389db8c842344a21c4563f1154b57bf208466083b1fded330c4f53b7931fdb216e1e8dada0733729f8ac7aebf1047e77d7c96d2b6950b7bc69872b93a90de

                            • C:\Users\Admin\Downloads\DCrat-Crack\Sound\Sound.wav

                              Filesize

                              643KB

                              MD5

                              562fb3b4b1b1eafd2cf107f2e92e0670

                              SHA1

                              cebf2a65c99e1b2c13d7212bf111bdf0fe5c13ce

                              SHA256

                              5ff592b183b2c990448f1dcd842a29cfe17a3eaa9956e0135c945c578676344a

                              SHA512

                              807cd580a04c84fb671c1dfa0fc2b90bbf2428e4727d7fa3956011623cae5c7e093acf55d5f0ad325116b729c96e845f06f3fc3007e8048238aacdea7f21386a

                            • C:\Users\Admin\Downloads\DCrat.rar

                              Filesize

                              1.4MB

                              MD5

                              dadb31f9cd6b19e2aa650eabcf03fdce

                              SHA1

                              f8b860ac70adb921a96408ed564b7426b9eabd96

                              SHA256

                              33c8efdf697a2bf43e2aace180bd3512e51e422aa562c6a3ecb0b04d893ea656

                              SHA512

                              e2f2599a5ba122b5c54ddaf65756a92b360217e9cdbcc3cbea0f3319a78e6a3be4be8292dcec5716882a6b46947fd517f15d7f4a25574a8e927ba1ba6c825246

                            • C:\Users\Admin\Downloads\DCrat.rar:Zone.Identifier

                              Filesize

                              55B

                              MD5

                              0f98a5550abe0fb880568b1480c96a1c

                              SHA1

                              d2ce9f7057b201d31f79f3aee2225d89f36be07d

                              SHA256

                              2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

                              SHA512

                              dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

                            • memory/2212-302-0x00007FF7B8560000-0x00007FF7B8658000-memory.dmp

                              Filesize

                              992KB

                            • memory/2212-303-0x00007FF8E9E40000-0x00007FF8E9E74000-memory.dmp

                              Filesize

                              208KB

                            • memory/2212-304-0x00007FF8E9B80000-0x00007FF8E9E36000-memory.dmp

                              Filesize

                              2.7MB

                            • memory/2212-305-0x00007FF8E7F50000-0x00007FF8E9000000-memory.dmp

                              Filesize

                              16.7MB