njrat | hxxps://github[.]com/komsad/likaq/blob/main/DCrat[.]rar

Analysis

max time kernel
61s
max time network
65s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05/01/2025, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/komsad/likaq/blob/main/DCrat.rar

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

5.tcp.eu.ngrok.io:19587

Mutex

d8c514f6c639c3b8951aabb752c3344a

Attributes

reg_key
d8c514f6c639c3b8951aabb752c3344a
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4988	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c514f6c639c3b8951aabb752c3344a.exe	saads.bat
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c514f6c639c3b8951aabb752c3344a.exe	saads.bat

Executes dropped EXE 2 IoCs

pid	Process
768	DCrat-main Crack.exe
2984	saads.bat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\d8c514f6c639c3b8951aabb752c3344a = "\"C:\\Users\\Admin\\AppData\\Roaming\\saads.bat\" .."	saads.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d8c514f6c639c3b8951aabb752c3344a = "\"C:\\Users\\Admin\\AppData\\Roaming\\saads.bat\" .."	saads.bat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
25	raw.githubusercontent.com
1	5.tcp.eu.ngrok.io

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	saads.bat
File opened for modification	F:\autorun.inf	saads.bat
File created	C:\autorun.inf	saads.bat
File opened for modification	C:\autorun.inf	saads.bat
File created	D:\autorun.inf	saads.bat

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCrat-main Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saads.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\DCrat.rar:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2212	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3164	msedge.exe
3164	msedge.exe
4612	msedge.exe
4612	msedge.exe
5024	msedge.exe
5024	msedge.exe
492	identity_helper.exe
492	identity_helper.exe
1708	msedge.exe
1708	msedge.exe
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat
2984	saads.bat

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2212	vlc.exe
2984	saads.bat

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	4248	7zG.exe
Token: 35	4248	7zG.exe
Token: SeSecurityPrivilege	4248	7zG.exe
Token: SeSecurityPrivilege	4248	7zG.exe
Token: SeDebugPrivilege	2984	saads.bat
Token: 33	2984	saads.bat
Token: SeIncBasePriorityPrivilege	2984	saads.bat
Token: 33	3300	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3300	AUDIODG.EXE
Token: 33	2212	vlc.exe
Token: SeIncBasePriorityPrivilege	2212	vlc.exe
Token: 33	2984	saads.bat
Token: SeIncBasePriorityPrivilege	2984	saads.bat
Token: 33	2984	saads.bat
Token: SeIncBasePriorityPrivilege	2984	saads.bat

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4248	7zG.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe
2212	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2212	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 400	4612	msedge.exe	77
PID 4612 wrote to memory of 400	4612	msedge.exe	77
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 4236	4612	msedge.exe	78
PID 4612 wrote to memory of 3164	4612	msedge.exe	79
PID 4612 wrote to memory of 3164	4612	msedge.exe	79
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80
PID 4612 wrote to memory of 3832	4612	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/komsad/likaq/blob/main/DCrat.rar
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fd703cb8,0x7ff8fd703cc8,0x7ff8fd703cd8
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:4992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1220

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2969:72:7zEvent1776
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4248

C:\Users\Admin\Downloads\DCrat-Crack\DCrat-main Crack.exe
"C:\Users\Admin\Downloads\DCrat-Crack\DCrat-main Crack.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:768
- C:\Users\Admin\AppData\Roaming\saads.bat
  "C:\Users\Admin\AppData\Roaming\saads.bat"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\saads.bat" "saads.bat" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4988

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\DCrat-Crack\Sound\Sound.wav"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e4b80b626242b4a8a96257c355cacf02

SHA1
f2d1287f1d80947d13254902e291dd5f25076abc

SHA256
65ff40a3c51a14e36e8b5761cb3ac7fd5ed4236912ab3ff8901789be6dcbc05d

SHA512
c977867032d9e908811c5ba85d31b4de100c6f1a7a4a56caaedf524e60638000a1e4b7e29b666357776fb76b9d7e2b8f92c54e3fb3a9f224850c96b1267e1feb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
16f530dedf04a312ac525a797747c8a6

SHA1
8ed895af636d1e25fba5709b36d605ec264df8e1

SHA256
8a95a9a8dc87d29d07c82e812257f5cb6df3e4e6a84400ad330a2a6c12d3e54f

SHA512
2e0c5ea994d850f8926fc1f8dac1da13e84b097f4c45d806274791affdf2d9f0cb385e376919447370e5d39fd4b735546925f71c6fa9c0ffb2428618ac46fd8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4742f28a4993eee68bc28e0b18407f34

SHA1
a93a1c1c1495cc790862d061a49022297c2b3139

SHA256
07daa67678572c6d65fa17803d82e053aa50a388fda05699b85c12c04c903cf7

SHA512
87ba19a4d0813ccdce31a5fdf2d674a7daeda74a4aeecb8eee9b29fa87de560c2d5cb957a24bdb97d6074563f460a570a6a29422fca4dce6bb33415c6295eb08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3c561cf88efe939ca4d252d37c239395

SHA1
e6da6cfffb3a28d446cb90fd264c27a1f0ef4e63

SHA256
194c6676e3bc0b081cdb6fb61643e29fa53aaf3211d33f5bb67ad642d910a2d7

SHA512
568b3c6eeabd2874407530be066792f6e41346de7e56fb3faab535ddad121e8f38258c0a9aac19afe6db5fc7dc4a3187f51bc293b02bca70339b00cf8f3a1d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8ba2c2c65485931470cb44dd1b548299

SHA1
c6d2866521d8c91e4e44b2b1021965e9254142f7

SHA256
608181de6a5af00c4ee1e7f5863cfe3ba4f8d26dac3aeb1a2f4e608481eaf67c

SHA512
33e753845af483531c83824fa4e53285bd523dc910c6fb4ba6c3ebbbbb10ed77cd55a79ddcd248151c391ca2d1d3c9324f8f27dbc3c3dcd964729014bed81178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\eefced16-2310-45ea-bab8-3147289c5749.tmp

Filesize
5KB

MD5
ad13afedc7d9e7dfa770bd5f0004b18c

SHA1
3afb5e9c2cdb897d27ae96773564c15f2ee54c2c

SHA256
a8b5208b487d1ab000eff8098c2da9fb6c06a92f06bb1b070824c91a2cf1d3bf

SHA512
a89a020a53cb2409ec1aaa80061163609806da799e495d15ff773df438aa56b55098adf2e14458e6d72fd1de8e4c8846ac93a8d1cd358fb7ef2993d53931f90a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
33ee7ff298b969fb0b60d56b64fe2191

SHA1
815444ea50d97895a227b2c0a521daabfa13640d

SHA256
4906718d896b388f51445e2a91bb34e1c9198b7389bc32a8bed568d94ab5e1de

SHA512
ebcaeaf87ef822e35368af124bb974f5830be9ed6d3185cc78f6b0082cb9b8dd78a2f61e3505402f816558c32a7834a6b658b516759a5019ad3cfff88315eff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c0e433709c4b2398920b8a7aa6bfcb8c

SHA1
6225f273c167ff667091271722cea3da3b813d19

SHA256
03a3063ace8b8478cd8984530a17db2a940b6745682c4112653976497c4d4698

SHA512
159ef04cdc6c6e97415a7f7e893cafa281be6e986ac3df4cdac918819def02c993fd6bfa86151278b56da9af9f6b991f40dd393c8d14cfe77154cdcb16263e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
597ec5a7ff84ba72349d0dd1bd4500b5

SHA1
ebb95422dc4c77f1bbbf2efdd19dcfbf83635cc2

SHA256
bf6049e4d37fa7fa2589b1d44f7a3000d62295e14eeffe07b296595ae8d95058

SHA512
406d1c36d2d0c1d1a86fd09b4082d4b71ed1cbfdb3b883abbde0c719d0cfe94be23ebdbb3bc9a91d8a1b406e21aab8edd1c0fa928eda89e7dd275807fe1563fd

Download Submit
C:\Users\Admin\Downloads\DCrat-Crack\DCrat-main Crack.exe

Filesize
37KB

MD5
744e1221f6467d0b7e73a10f52e6cd6c

SHA1
33e85ae9412fa870e5d6de31502e7d48c64ce224

SHA256
31c37ff61aa322192236c9672f09e3d97b6e6e09c5019077df7d0567d4c0b48b

SHA512
704389db8c842344a21c4563f1154b57bf208466083b1fded330c4f53b7931fdb216e1e8dada0733729f8ac7aebf1047e77d7c96d2b6950b7bc69872b93a90de

Download Submit
C:\Users\Admin\Downloads\DCrat-Crack\Sound\Sound.wav

Filesize
643KB

MD5
562fb3b4b1b1eafd2cf107f2e92e0670

SHA1
cebf2a65c99e1b2c13d7212bf111bdf0fe5c13ce

SHA256
5ff592b183b2c990448f1dcd842a29cfe17a3eaa9956e0135c945c578676344a

SHA512
807cd580a04c84fb671c1dfa0fc2b90bbf2428e4727d7fa3956011623cae5c7e093acf55d5f0ad325116b729c96e845f06f3fc3007e8048238aacdea7f21386a

Download Submit
C:\Users\Admin\Downloads\DCrat.rar

Filesize
1.4MB

MD5
dadb31f9cd6b19e2aa650eabcf03fdce

SHA1
f8b860ac70adb921a96408ed564b7426b9eabd96

SHA256
33c8efdf697a2bf43e2aace180bd3512e51e422aa562c6a3ecb0b04d893ea656

SHA512
e2f2599a5ba122b5c54ddaf65756a92b360217e9cdbcc3cbea0f3319a78e6a3be4be8292dcec5716882a6b46947fd517f15d7f4a25574a8e927ba1ba6c825246

Download Submit
C:\Users\Admin\Downloads\DCrat.rar:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/2212-302-0x00007FF7B8560000-0x00007FF7B8658000-memory.dmp

Filesize
992KB

Download
memory/2212-303-0x00007FF8E9E40000-0x00007FF8E9E74000-memory.dmp

Filesize
208KB

Download
memory/2212-304-0x00007FF8E9B80000-0x00007FF8E9E36000-memory.dmp

Filesize
2.7MB

Download
memory/2212-305-0x00007FF8E7F50000-0x00007FF8E9000000-memory.dmp

Filesize
16.7MB

Download