Analysis
max time kernel: 61s
max time network: 65s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 05/01/2025, 12:27
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/komsad/likaq/blob/main/DCrat.rar
Resource: win11-20241007-en
General
Target: https://github.com/komsad/likaq/blob/main/DCrat.rar
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: HacKed
C2: 5.tcp.eu.ngrok.io:19587
Mutex: d8c514f6c639c3b8951aabb752c3344a
Attributes:
  reg_key: d8c514f6c639c3b8951aabb752c3344a
  splitter: |'|'|
Signatures
Njrat family
Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid | Process
  4988 | netsh.exe
Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c514f6c639c3b8951aabb752c3344a.exe | saads.bat
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c514f6c639c3b8951aabb752c3344a.exe | saads.bat
Executes dropped EXE (2 IoCs)
  pid | Process
  768 | DCrat-main Crack.exe
  2984 | saads.bat
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\d8c514f6c639c3b8951aabb752c3344a = "\"C:\\Users\\Admin\\AppData\\Roaming\\saads.bat\" .." | saads.bat
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d8c514f6c639c3b8951aabb752c3344a = "\"C:\\Users\\Admin\\AppData\\Roaming\\saads.bat\" .." | saads.bat
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow | ioc
  13 | raw.githubusercontent.com
  25 | raw.githubusercontent.com
  1 | 5.tcp.eu.ngrok.io
Drops autorun.inf file (1 TTPs, 5 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File created | F:\autorun.inf | saads.bat
  File opened for modification | F:\autorun.inf | saads.bat
  File created | C:\autorun.inf | saads.bat
  File opened for modification | C:\autorun.inf | saads.bat
  File created | D:\autorun.inf | saads.bat
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DCrat-main Crack.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | saads.bat
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
NTFS ADS (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Downloads\DCrat.rar:Zone.Identifier | msedge.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  2212 | vlc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; unique pid/Process pairs below, repeated hits collapsed)
  pid | Process
  3164 | msedge.exe
  4612 | msedge.exe
  5024 | msedge.exe
  492 | identity_helper.exe
  1708 | msedge.exe
  2984 | saads.bat
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2212 | vlc.exe
  2984 | saads.bat
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs; unique pid/Process pairs below, repeated hits collapsed)
  pid | Process
  4612 | msedge.exe
Suspicious use of AdjustPrivilegeToken (15 IoCs; unique rows below, repeated hits collapsed)
  description | pid | Process
  Token: SeRestorePrivilege | 4248 | 7zG.exe
  Token: 35 | 4248 | 7zG.exe
  Token: SeSecurityPrivilege | 4248 | 7zG.exe
  Token: SeDebugPrivilege | 2984 | saads.bat
  Token: 33 | 2984 | saads.bat
  Token: SeIncBasePriorityPrivilege | 2984 | saads.bat
  Token: 33 | 3300 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 3300 | AUDIODG.EXE
  Token: 33 | 2212 | vlc.exe
  Token: SeIncBasePriorityPrivilege | 2212 | vlc.exe
Suspicious use of FindShellTrayWindow (43 IoCs; unique pid/Process pairs below, repeated hits collapsed)
  pid | Process
  4612 | msedge.exe
  4248 | 7zG.exe
  2212 | vlc.exe
Suspicious use of SendNotifyMessage (20 IoCs; unique pid/Process pairs below, repeated hits collapsed)
  pid | Process
  4612 | msedge.exe
  2212 | vlc.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2212 | vlc.exe
Suspicious use of WriteProcessMemory (64 IoCs; unique rows below, repeated hits collapsed)
  description | pid | Process | procid_target
  PID 4612 wrote to memory of 400 | 4612 | msedge.exe | 77
  PID 4612 wrote to memory of 4236 | 4612 | msedge.exe | 78
  PID 4612 wrote to memory of 3164 | 4612 | msedge.exe | 79
  PID 4612 wrote to memory of 3832 | 4612 | msedge.exe | 80
Processes
Process tree (child processes are indented under their parent; signatures matched by each process are listed beneath its command line)

[PID 4612] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/komsad/likaq/blob/main/DCrat.rar
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [PID 400] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8fd703cb8,0x7ff8fd703cc8,0x7ff8fd703cd8

  [PID 4236] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2

  [PID 3164] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  [PID 3832] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8

  [PID 4584] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

  [PID 1124] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

  [PID 1764] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

  [PID 5024] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses

  [PID 492] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  [PID 1708] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  [PID 1408] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1

  [PID 3420] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1

  [PID 3416] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1

  [PID 4992] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,16451357882850526674,6657144648858709411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

[PID 728] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 972] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 1220] C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[PID 4248] C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2969:72:7zEvent1776
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

[PID 768] C:\Users\Admin\Downloads\DCrat-Crack\DCrat-main Crack.exe
  Command line: "C:\Users\Admin\Downloads\DCrat-Crack\DCrat-main Crack.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

  [PID 2984] C:\Users\Admin\AppData\Roaming\saads.bat
    Command line: "C:\Users\Admin\AppData\Roaming\saads.bat"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

    [PID 4988] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\saads.bat" "saads.bat" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

[PID 2212] C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\DCrat-Crack\Sound\Sound.wav"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

[PID 3300] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D8
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads