asyncrat | hxxps://mega[.]nz/file/BHFiEDTA#uvoQUSXTmz4kQgLXUbm3cjFcjp1nGRRTT0_RDeV6wwo

Analysis

max time kernel
659s
max time network
605s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/BHFiEDTA#uvoQUSXTmz4kQgLXUbm3cjFcjp1nGRRTT0_RDeV6wwo

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

127.0.0.1:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x00070000000234b9-319.dat	disable_win_def

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x00070000000234cb-262.dat	family_asyncrat
behavioral1/files/0x000b0000000234db-285.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 4 IoCs

pid	Process
4400	DcRat.exe
3920	DcRat.exe
1912	DcRat.exe
5760	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	DcRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 03000000020000000100000000000000ffffffff	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	DcRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	DcRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	DcRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3	DcRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Documents"	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	DcRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	DcRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	DcRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 7800310000000000a8582d611100557365727300640009000400efbe874f7748ae584d792e000000c70500000000010000000000000000003a00000000001b3d6b0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 8400310000000000ae5855791100444f574e4c4f7e3100006c0009000400efbea8582d61ae5855792e00000076e101000000010000000000000000004200000000000e671e0044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 03000000000000000200000001000000ffffffff	DcRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff	DcRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	DcRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	DcRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000f684929140a1da01064ca59440a1da0199f28e9540a1da0114000000	DcRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	DcRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = ffffffff	DcRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000030000000200000001000000ffffffff	DcRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	DcRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	DcRat.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff	DcRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\MRUListEx = ffffffff	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	DcRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	DcRat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3284	msedge.exe
3284	msedge.exe
3604	msedge.exe
3604	msedge.exe
3644	identity_helper.exe
3644	identity_helper.exe
3968	msedge.exe
3968	msedge.exe
4400	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
4400	DcRat.exe
3920	DcRat.exe
4400	DcRat.exe
4400	DcRat.exe
3920	DcRat.exe
3920	DcRat.exe
4400	DcRat.exe
3920	DcRat.exe
4400	DcRat.exe
3920	DcRat.exe
4400	DcRat.exe
3920	DcRat.exe
4400	DcRat.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1912	DcRat.exe
5760	Client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	4636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4636	AUDIODG.EXE
Token: SeRestorePrivilege	4364	7zG.exe
Token: 35	4364	7zG.exe
Token: SeSecurityPrivilege	4364	7zG.exe
Token: SeSecurityPrivilege	4364	7zG.exe
Token: SeDebugPrivilege	3920	DcRat.exe
Token: SeDebugPrivilege	4400	DcRat.exe
Token: SeDebugPrivilege	1912	DcRat.exe
Token: SeDebugPrivilege	5760	Client.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
4364	7zG.exe
4400	DcRat.exe
3920	DcRat.exe
1912	DcRat.exe
1912	DcRat.exe
5760	Client.exe
5760	Client.exe
5760	Client.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
4400	DcRat.exe
3920	DcRat.exe
1912	DcRat.exe
1912	DcRat.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1912	DcRat.exe
1912	DcRat.exe
1912	DcRat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 116	3604	msedge.exe	83
PID 3604 wrote to memory of 116	3604	msedge.exe	83
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 2728	3604	msedge.exe	85
PID 3604 wrote to memory of 3284	3604	msedge.exe	86
PID 3604 wrote to memory of 3284	3604	msedge.exe	86
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87
PID 3604 wrote to memory of 2744	3604	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/BHFiEDTA#uvoQUSXTmz4kQgLXUbm3cjFcjp1nGRRTT0_RDeV6wwo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8517946f8,0x7ff851794708,0x7ff851794718
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2304 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,11028496389861709154,11674693579060419161,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5900 /prefetch:2
  2⤵
  PID:10976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:452

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x41c 0x4b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3600

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21828:70:7zEvent3186
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4364

C:\Users\Admin\Downloads\Release\DcRat.exe
"C:\Users\Admin\Downloads\Release\DcRat.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4400

C:\Users\Admin\Downloads\Release\DcRat.exe
"C:\Users\Admin\Downloads\Release\DcRat.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3920

C:\Users\Admin\Downloads\Release\DcRat.exe
"C:\Users\Admin\Downloads\Release\DcRat.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1416

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5292

C:\Users\Admin\Downloads\Release\Client.exe
"C:\Users\Admin\Downloads\Release\Client.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9896
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6140
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1352
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4192
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9520
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9856
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7900
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10784
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7300
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:10912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8860
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7912
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:10248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9148
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:10332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8352
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8584
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8624
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6140
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11024
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10048
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11000
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:12012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:12052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:12108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:12156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:12204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:12260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:12304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:12352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:12400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:12432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
9370ffa44eff28a6603d83a700165001

SHA1
b4bc66ef8763ce4dc5a9b6dee19983995d067959

SHA256
bdba29690129539c94749f8a41456593e877dd2708fc635ba77e18e39376981f

SHA512
b06290e3b8abe12d3ef5930c397042e7b216ff2a4e1313e2d72c9461b32e8800b0d5e3b3a027a2790571d9ae74c6e822244c7ea4e95ff3c11c19e7fa742ac07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c79362b4157ec07ca148a2daf5c72348

SHA1
7c136c895f1473306abafc91da0c582e08118c6c

SHA256
9ed41648a08864eb3a8f72771a8ae24f6316b57b55bdd32a9354ea95199a6955

SHA512
9ca611f4f01262123cc66fcd70548b1668046722c372b3c0f0851b2fd2b68483bfd39ad12fa2f8315a0f44b73cd35327f731b5a5391f28cb0c62ed62a1129e3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
248741b1ff577704e131256fb9793323

SHA1
ad112a7acfb5d5a0563201bbdb8f28d1020c3d77

SHA256
157db3ae2b49d2f9769c745f5c366656976c96fa71a57b3b4cbb267e0f7d387c

SHA512
bd028b3405b22c00c1fad426ff35974b1c841124a3ac43399bb56cf530f93b24d08d1493ba972c50525dac9c58de3e9ec8e0ab4f4a2439f2990012b2b3aba9e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb13b7a49c8df3bc259159e56e4a6c5d

SHA1
c5f71c0df1ead1c24795c1dad41ed927127dab49

SHA256
e62f84872c4d9cc723a8cd5fd8a1dfa56a5536296a08c49c208eaa2bdf975e97

SHA512
0b5274f63d681ee1f1b1a5cb2c1f6369acd378e12b133eddf09e73cc162bf96c65f0674aef9df5ad222d1b222fc6cc2453cea6808a942c52ec9ae57b96a11b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a5b1ece8c9191cac172c3439ace05d64

SHA1
57d8d0fc7769efa259dcdbd41d94b6465eca8910

SHA256
23fb60deb8a701f22613a8450272d0e100ea34a85dac9cd2f78e724f45cf7373

SHA512
f6992f09e065ad60f5a5cd49d80df53b94ed87779c7c25172d988f90a0d056d3e719fcde34d107e4552c4d1b830edd32b7c509332763a9ce65671720ab3f657f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57aebe.TMP

Filesize
48B

MD5
f0de19fe96de60c575477e420e294b5f

SHA1
d651d558db0cf3fa60a4dad20a85d666eb34f581

SHA256
1505557cf050e58dd5bb2b709f1c588c597e52984e525be8f05e5cd203b25ecb

SHA512
3a1add9347ae3ecd32355003816783ff78283130e186d4b372474ac16f76dcb697fc133b2f179e8ee6b9d429cba178738e8d224d0f399c9584fee40b0ad46618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2988ef968f4e940a9c8173772aeb5cab

SHA1
19b7a80802a2e6d9e3a1f027be037dbbc1804975

SHA256
3585c71ce5c5034aed00983e3af475132ab43c6b82aa90a8815b69053bc0c88f

SHA512
0fadc81f6cff91f4aa47a924f6b10593dab80fa5fab6b29ee1acc88d40f24ae241c499ae398d75587aed11c77f0741edee0d12c64c2e47e98a044fd893740ef3

Download Submit
C:\Users\Admin\AppData\Local\Server\DcRat.exe_Url_o1gpprukvfzdh3gw1firfjrqc1rjrv5q\1.0.7.0\user.config

Filesize
309B

MD5
0c6e4f57ebaba0cc4acfc8bb65c589f8

SHA1
8c021c2371b87f2570d226b419c64c3102b8d434

SHA256
a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c

SHA512
c6b877ff887d029e29bf35f53006b8c84704f73b74c616bf97696d06c6ef237dff85269bdf8dfb432457b031dd52410e2b883fd86c3f54b09f0a072a689a08c0

Download Submit
C:\Users\Admin\AppData\Local\Server\DcRat.exe_Url_o1gpprukvfzdh3gw1firfjrqc1rjrv5q\1.0.7.0\user.config

Filesize
580B

MD5
acb6df8bd0fe9236ea87ea6e3c28173f

SHA1
8b1d88bd749b58905c6db258e7224a67d1179938

SHA256
ec2b3fc4d011e9b8a04188d8f2ff280de854dde7d6ebf8e871e0642f789dfa5b

SHA512
a4222c0f5aeba58679c21361dcb6ab2c7ed1d9cae41d2839089fdb7bbaac3b8735afff8b302557f85389daa977b826cee77b944ba598e3fa6c2a16781453a832

Download Submit
C:\Users\Admin\Downloads\DcRat.7z

Filesize
4.0MB

MD5
836c2ae55c1baec789b83fa3d79d23b3

SHA1
359a091da48369e1e8cea6e004826ee25a93b3db

SHA256
68115c6e039363be3b80e416ed462d97f8c763af800237b1fa183cca1180bac5

SHA512
e12f7438545f6615f84e37b81837127aacc79b4aadd3b212702bb662b0f752778ed15d646e8d657b318dfde57d2f893c18831bfb686a0ae1b7d62137c63080be

Download Submit
C:\Users\Admin\Downloads\Release\Client.exe

Filesize
47KB

MD5
03faea22cd5d17556490b96ae0f438da

SHA1
a3893d33f4518a9dad8b62a16d096b2601e62587

SHA256
f007cd6e9983e89bc671153e95e56bfc51dae904b555bcb718c179488e33cb9d

SHA512
b6f9fcb54ebcd5c8b33859be791a0724b3c05c2be5a25f5035f3a2fa3f40e761b996bcd5fef1bfd8b7d31a5a66f3836f7ab9e194c2b019578295db72036a08ab

Download Submit
C:\Users\Admin\Downloads\Release\DcRat.exe

Filesize
12.3MB

MD5
7fce411ea2b74f227489659113960b18

SHA1
543d95b74193a188fe273ce7b065aa177405beb5

SHA256
c73b1ffa39c5843b2ed951ac48350d1deb33db4057341f1dab1ee64ea1a62248

SHA512
42de7bc4a0b47e1053ff3ff52a3f887e56759f81cfa691996a533d769e80f98b3e8dcf869785fce801d9cc7a2bc3d675e2eb832b520846b053d6b07093be2678

Download Submit
C:\Users\Admin\Downloads\Release\DcRat.exe.config

Filesize
5KB

MD5
f8806ec6bcfeda3bfaab9821506ef15c

SHA1
ede84267e6df98f8c60ecdb72a1546013cb4ba3b

SHA256
dc698c4a2c1b33a2e449f4f4c8ef6058c325b4125584a70b71efde05715b78e7

SHA512
2617bd0917f5de770c06adec6484ffd2b34406e6708c67929192531bd95eed9e216825909f610573dd6bbef64870c6a7c5801d9d201c0d98010fc634b8f28477

Download Submit
C:\Users\Admin\Downloads\Release\Plugins\Audio.dll

Filesize
22KB

MD5
9834bb111cfe8084c4f88b10c246f4b0

SHA1
68fc9f2e8df32a350a56300b3c2bc97f7159c340

SHA256
b843447e46f13e5cddc2d3ccc974fdea22a03a4a393a9310787c56b9f18a4c5d

SHA512
7b7f7b93c2094f8010fc8ee696a16d3fe8190ce79bfa1fa083a4a09d9d9bc187eb5b43ddd4674c3d11ddadca273c4c108a64d5d7316d923ddb2c351d0be556d9

Download Submit
C:\Users\Admin\Downloads\Release\Plugins\Chat.dll

Filesize
387KB

MD5
485874ca1ca6a970edbf93deacade012

SHA1
d6d94a485d4a43f538d305178408f34c032ece60

SHA256
eb772c641008eb5d441c37095a4e0b395748b0246f187d30a92c9284e56507fd

SHA512
2d49477be64537841de35973575b0f1d3aa44cda9cbe76e3b53fc4d31c8156caa6e1a33af6a60892f912a683b1600a264f256d913ed1a90499796b493ba4aef8

Download Submit
C:\Users\Admin\Downloads\Release\Plugins\Extra.dll

Filesize
29KB

MD5
00d372a4d492c46625e6a2bcf98e12f8

SHA1
6663347f6dc00942e32127b4de64a55a348082df

SHA256
df8bc945b8e62b82f31e5eb11f472392130becfcee16fd0832e7ae4f109a427e

SHA512
051bb37839176ec7c22bf3af57ad3a3e162dd833074be2ea6be937663bb9e6a880007d99425debd6a39ebd255131076a84cd128806990bc253aaea385e656931

Download Submit
C:\Users\Admin\Downloads\Release\Plugins\FileManager.dll

Filesize
32KB

MD5
67f3e90ab8453715362f181b55315e57

SHA1
31b93df1ead2b4abe01234444965398b3fe93be0

SHA256
1a311b860252d4aa0c306d9a4e580c1dce91a7f3a03e289ff02b3d4f59588276

SHA512
6e8fb1d9f5d568376ab15894f1709d5aa0cb467cb34a1aa9ab3f0bfb78af8cfba76cb185cdfc797ba6afd30f88c9bcf79d118efc2999af12e6bbc21debd3a6cd

Download Submit
C:\Users\Admin\Downloads\Release\Plugins\FileSearcher.dll

Filesize
277KB

MD5
6d837cc3170240963302c07cdb0cfa06

SHA1
d6aab1c8842ef388a756259f49e97de3caaf2732

SHA256
6ad83748dae28b4f8e6e93c54ff08fdb01c91eb4f510967145852a2c4b64703c

SHA512
baaea2aaaa42d75012c7fcf735b31deb0531e35c7a6a9d93965630a3fa31e8fed836f98a850760eefc253a2ebc001be4c79956efdd6ce51289dd0296cf7c7f1b

Download Submit
C:\Users\Admin\Downloads\Release\Plugins\Fun.dll

Filesize
33KB

MD5
4db70bd8aab4b9b62ce8c318db634b21

SHA1
7f5b4b21a021b5fd95702426d97a62222d26520b

SHA256
8b8ecd3edab14d136f3257411e2ff9436ae2eebc96f3613e84abdad0fb0a1f3c

SHA512
78b59c833075b904c404eb860d309dd15c364032154401a910538bde573be90d7057e2ec390d76104b55da8e586660022633f5566950c1e0eea775474a282004

Download Submit
C:\Users\Admin\Downloads\Release\ServerCertificate.p12

Filesize
1KB

MD5
4cabfe649910447ea2f05531cb7c265a

SHA1
374364a1ee3bb2e6a90305fc2404c1840ef8b3cb

SHA256
a23bebedb6bcbdd4dbdf200e07fc1d2a2be7f93315f0fb372ea7d6547733eb34

SHA512
55400044f8b7b22f4bf781791e0ebc4f8f54e1a85ed60497f0eb3e2aac3bfe00bc972965c8e4fd8704382c9085985fc4b4fc14b3e2d557d45cb796e88205ab22

Download Submit
C:\Users\Admin\Downloads\Release\Stub\Client.exe

Filesize
45KB

MD5
c007eafb83bde10955e1fb1f559a207e

SHA1
5dcf9702941e41c01fc0a8379df21a5691fa1b5f

SHA256
f003f20a3f57d41c72f2874a889a7a2a8e396a57f42cce35fbed9869c6a01964

SHA512
cd25e388f06a313fb35abb7fc66d1f01c3df18a9ae01e9e2a8d005f44a749d8151650f01d32af83dc23e09ec3b3a6ce3e5a33c8bc1a32c883f848445714fbba6

Download Submit
memory/1912-252-0x0000023DF3B80000-0x0000023DF3B92000-memory.dmp

Filesize
72KB

Download
memory/3920-251-0x000001ABC8940000-0x000001ABC894A000-memory.dmp

Filesize
40KB

Download
memory/4400-248-0x0000016A63CE0000-0x0000016A6492A000-memory.dmp

Filesize
12.3MB

Download
memory/5760-287-0x0000000000910000-0x0000000000922000-memory.dmp

Filesize
72KB

Download
memory/5760-322-0x000000001C350000-0x000000001C3C6000-memory.dmp

Filesize
472KB

Download
memory/5760-323-0x0000000002A00000-0x0000000002A0E000-memory.dmp

Filesize
56KB

Download
memory/5760-324-0x000000001C2F0000-0x000000001C30E000-memory.dmp

Filesize
120KB

Download