Analysis
max time kernel: 184s
max time network: 185s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250425-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250425-en, locale:en-us, os:windows10-ltsc_2021-x64, system
submitted: 19/05/2025, 16:19
Static task: static1
URLScan task: urlscan1
Malware Config

Extracted
Family: asyncrat
Version: 1.0.7
Botnet: Default5
C2: 127.0.0.1:8848
Mutex: DcRatMutex_qwqdanchun
Attributes:
- delay: 1
- install: true
- install_file: Rizzler.exe
- install_folder: %Temp%
Signatures
Asyncrat family

Async RAT payload (1 IoC)
  resource: behavioral1/files/0x01800000000278a0-970.dat
  yara_rule: family_asyncrat
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000\Control Panel\International\Geo\Nation (Client.exe)
Executes dropped EXE (3 IoCs)
  PID 2108 DcRat.exe
  PID 3076 Client.exe
  PID 4724 Rizzler.exe
Drops file in Windows directory (26 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (msedge.exe)
Delays execution with timeout.exe (1 IoC)
  PID 4380 timeout.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Modifies data under HKEY_USERS (3 IoCs)
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (msedge.exe)
  Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133921451771312637" (msedge.exe)
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (msedge.exe)
Modifies registry class (64 IoCs)
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 8 schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2108 DcRat.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  PID 2372 msedge.exe
  PID 2372 msedge.exe
  PID 2372 msedge.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeRestorePrivilege, PID 5888 7zG.exe
  Token: 35, PID 5888 7zG.exe
  Token: SeSecurityPrivilege, PID 5888 7zG.exe
  Token: SeSecurityPrivilege, PID 5888 7zG.exe
  Token: SeDebugPrivilege, PID 2108 DcRat.exe
  Token: SeDebugPrivilege, PID 3076 Client.exe
  Token: SeDebugPrivilege, PID 4724 Rizzler.exe
Suspicious use of FindShellTrayWindow (24 IoCs)
Suspicious use of SendNotifyMessage (2 IoCs)
  PID 2108 DcRat.exe
  PID 2108 DcRat.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2108 DcRat.exe
  PID 2108 DcRat.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/qwqdanchun/DcRat
PID: 2372 (tree depth 1)
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x314,0x7ffa2400f208,0x7ffa2400f214,0x7ffa2400f220
PID: 4968 (tree depth 2)

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
PID: 8 (tree depth 2)

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1708,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:3
PID: 5912 (tree depth 2)

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2008,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:8
PID: 3704 (tree depth 2)

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3484,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
PID: 3504 (tree depth 2)

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3488,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
PID: 2252 (tree depth 2)

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4856,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5128 /prefetch:8
PID: 520 (tree depth 2)

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5088,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:8
PID: 5820 (tree depth 2)

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5456,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:8
PID: 696 (tree depth 2)

Image: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8
PID: 5164 (tree depth 2)

Image: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8
PID: 5472 (tree depth 2)

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5980,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:8
PID: 5104 (tree depth 2)
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=6184,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:12⤵PID:5092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6792,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:82⤵PID:4304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4264 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x288,0x7ffa2400f208,0x7ffa2400f214,0x7ffa2400f2203⤵PID:1556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1856,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:33⤵PID:6060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=3492,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:23⤵PID:5612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2256,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:83⤵PID:1620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=4088,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:83⤵PID:6092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=4088,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:83⤵PID:4652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4500,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:83⤵PID:4020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4568,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:83⤵PID:5864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4556,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:83⤵PID:4540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4544,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4680 /prefetch:83⤵PID:2248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4552,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4392 /prefetch:83⤵PID:1180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4588,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:83⤵PID:4660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4460,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:83⤵PID:1336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4052,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4816 /prefetch:83⤵PID:3456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4492,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:83⤵PID:5736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4436,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=2816 /prefetch:83⤵PID:1500
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:6132
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start1⤵PID:840
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start2⤵PID:684
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2944
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:2428
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\DcRat\" -spe -an -ai#7zMap30898:70:7zEvent206321⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5888
-
C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe"C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2108
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:1792
-
C:\Users\Admin\Desktop\Client.exe"C:\Users\Admin\Desktop\Client.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3076 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Rizzler" /tr '"C:\Users\Admin\AppData\Local\Temp\Rizzler.exe"' & exit2⤵PID:4872
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Rizzler" /tr '"C:\Users\Admin\AppData\Local\Temp\Rizzler.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
PID:8
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1488.tmp.bat""2⤵PID:1232
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:4380
-
-
C:\Users\Admin\AppData\Local\Temp\Rizzler.exe"C:\Users\Admin\AppData\Local\Temp\Rizzler.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4724
-
-
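The Client.exe subtree above is the AsyncRAT install routine in full: cmd.exe registers a scheduled task ("Rizzler", trigger onlogon, RunLevel highest) whose action is an executable in the user's %Temp%, then a second cmd.exe runs a dropped tmp*.tmp.bat that calls timeout and launches that same executable. The script below is an added detection example, not part of the sandbox report or of any vendor tooling. It runs over process-creation records constructed from the report's own process tree (PIDs, parent PIDs and command lines copied from it); the record field names pid/ppid/image/cmdline are an assumed Sysmon-like shape, and the parent of Client.exe is not shown in the report and is left as None.

```python
"""Detect the AsyncRAT persistence/installer chain from process-creation records.

Added example based on the process tree in this report; the records are
constructed from it (PIDs and command lines as logged), with an assumed
Sysmon-like field layout. Not code from the report or from any product.
"""
import re

# User-writable temp locations a scheduled task should not normally point into.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed from the report's Client.exe subtree plus one benign Edge process for contrast.
RECORDS = [
    {"pid": 3076, "ppid": None, "image": r"C:\Users\Admin\Desktop\Client.exe",
     "cmdline": r'"C:\Users\Admin\Desktop\Client.exe"'},
    {"pid": 4872, "ppid": 3076, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Rizzler" /tr '"C:\Users\Admin\AppData\Local\Temp\Rizzler.exe"' & exit"""},
    {"pid": 8, "ppid": 4872, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r"""schtasks /create /f /sc onlogon /rl highest /tn "Rizzler" /tr '"C:\Users\Admin\AppData\Local\Temp\Rizzler.exe"'"""},
    {"pid": 1232, "ppid": 3076, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1488.tmp.bat""'},
    {"pid": 4380, "ppid": 1232, "image": r"C:\Windows\system32\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 4724, "ppid": 1232, "image": r"C:\Users\Admin\AppData\Local\Temp\Rizzler.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Rizzler.exe"'},
    {"pid": 4264, "ppid": None, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window'},
]


def tokenize(cmdline):
    """Windows-style split that keeps '...' and "..." groups as single tokens."""
    return re.findall(r"'[^']*'|\"[^\"]*\"|\S+", cmdline)


def parse_schtasks(cmdline):
    """Map schtasks switches to values: /sc onlogon -> {'sc': 'onlogon'}; bare /f -> {'f': True}.
    Nested quoting such as /tr '"C:\\...\\x.exe"' is unwrapped to the bare path."""
    toks = tokenize(cmdline)
    args, i = {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1].strip("'\"")
                i += 2
                continue
            args[key] = True
        i += 1
    return args


def in_temp(path):
    return any(d in path.lower() for d in TEMP_DIRS)


def suspicious_scheduled_tasks(records):
    """schtasks /create whose action lives in a temp directory; onlogon + highest raise severity."""
    hits = []
    for r in records:
        if not r["image"].lower().endswith("\\schtasks.exe"):
            continue
        args = parse_schtasks(r["cmdline"])
        target = args.get("tr", "")
        if "create" not in args or not isinstance(target, str) or not in_temp(target):
            continue
        reasons = ["action runs from a temp directory"]
        if str(args.get("sc", "")).lower() == "onlogon":
            reasons.append("onlogon trigger")
        if str(args.get("rl", "")).lower() == "highest":
            reasons.append("RunLevel highest")
        hits.append({"pid": r["pid"], "task": args.get("tn"), "target": target, "reasons": reasons})
    return hits


def stager_chains(records):
    """cmd.exe /c <temp>\\*.bat whose children are timeout.exe plus an .exe launched from temp."""
    by_parent = {}
    for r in records:
        by_parent.setdefault(r["ppid"], []).append(r)
    chains = []
    for r in records:
        cmd = r["cmdline"]
        if not r["image"].lower().endswith("\\cmd.exe") or ".bat" not in cmd.lower() or not in_temp(cmd):
            continue
        children = by_parent.get(r["pid"], [])
        delayed = any(c["image"].lower().endswith("\\timeout.exe") for c in children)
        payloads = [c["image"] for c in children
                    if in_temp(c["image"]) and c["image"].lower().endswith(".exe")]
        bat = re.search(r"[A-Za-z]:\\[^\"]*?\.bat", cmd, re.I)
        if delayed and payloads:
            chains.append({"pid": r["pid"], "bat": bat.group(0) if bat else None, "payloads": payloads})
    return chains


def correlate(records):
    """Link the persistence artefact to the installer: same binary persisted and executed."""
    tasks = suspicious_scheduled_tasks(records)
    chains = stager_chains(records)
    targets = {t["target"].lower() for t in tasks}
    linked = [c for c in chains if any(p.lower() in targets for p in c["payloads"])]
    return {"tasks": tasks, "chains": chains, "linked": linked}


if __name__ == "__main__":
    result = correlate(RECORDS)
    for t in result["tasks"]:
        print(f"[task]   pid={t['pid']} tn={t['task']} -> {t['target']}: {', '.join(t['reasons'])}")
    for c in result["chains"]:
        print(f"[stager] pid={c['pid']} {c['bat']} -> {c['payloads']}")
    print(f"{len(result['linked'])} chain(s) execute the same binary the task persists")
```

The task rule anchors on the action path rather than on the task name, since the name ("Rizzler" here) is operator-chosen; onlogon and RunLevel highest are reported as aggravating factors. Linking the two subtrees by binary path is what distinguishes an installer from a one-off dropper: the same %Temp% executable is both persisted and started after the timeout delay.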
Network
MITRE ATT&CK Enterprise v16
Downloads

Filesize: 16KB
MD5: cfab81b800edabacbf6cb61aa78d5258
SHA1: 2730d4da1be7238d701dc84eb708a064b8d1cf27
SHA256: 452a5479b9a2e03612576c30d30e6f51f51274cd30ef576ea1e71d20c657376f
SHA512: ec188b0ee4d3daabc26799b34ee471bee988bdd7ceb011ed7df3d4cf26f98932bbbb4b70dc2b7fd4df9a3981b3ce22f4b5be4a0db97514d526e521575efb2ec6

Filesize: 280B
MD5: 8e301722eec030b7b3839831263481c9
SHA1: 134c3fabea652bf1c900c5fc3f7f790af014d583
SHA256: d8c2b5afbb12f1bbf64be4b68d48083d3296627bd8da8f3380e6ccf5c53b45d2
SHA512: e5e2be40522d042f74f672c0fd3137b011325f6d028d35b832327a791ee1ba95b89889173695984ab60ac8ae5dd1b392dc2d82f3f5f4e6900a53ef499d46c142

Filesize: 44KB
MD5: c5d1beade6cb07298f9288ae999d2cb5
SHA1: baff2b74bf6abe3595861b1a00a33b04a3102b91
SHA256: aee53a9ff60c2b9fb0256ce46b8ec03556818ed6ba529e6b8893fab2e8d626f0
SHA512: 6881aa0728c45b9ffd465350668d846d96cf2fc705f61d3881ad4f527d9d020b5d7893204ff78e31c34183787f1385cc2fb08f05608e022f2588d0bdad9a295d

Filesize: 264KB
MD5: e261cacc202ddec202f16910ce701155
SHA1: cff6f0242647494f7b285d1659e12c10684db850
SHA256: afa47fe803c6e8aa96703e7ea1333ef4b4575e0b0f44c41a9528fd71ea69233f
SHA512: aa0aebc673c975b08489483995f63f48d7ece04628907100eefba605401224e0bd03dd486b95cd852d13465d13410fe77041bfcdd59f4f0b8787b8dbe2c41441

Filesize: 1.0MB
MD5: d457e20774d95726a7570de335ae1b09
SHA1: 4488e0e14631077221c2dbebd5f3084d06907e04
SHA256: 819e964aa2c43d19bb1613fa203511e17032e231ddc0ed48a4519b21b628ce8e
SHA512: 1269beb11f83d027caa475489914c9d552e22a7bf9ebd3d29429520cee220aebd11f27db1ffde5ebe96b0c8195f81b1a4b368b0332707cc5482107822023fcb7

Filesize: 8.0MB
MD5: 04071ea5131d42b928818f5217400c9f
SHA1: 44492c1ba6af6dd75f0ac845b671d801506268ef
SHA256: 8e27b9579bd60098d5cd67a40f4c9fc886a5a8ec136a9c53d4f73a4653ad1154
SHA512: 6f5bf06cb713642972ecefb5506f458fa5ea7392dfda9a132f40a2973ded8dbe33cabdf2cde18b2c30bcad914fc756f9466656a143e1b7373c86affb5d956950

Filesize: 49KB
MD5: f1fe5f7765a314f313e9d00ea67b3817
SHA1: a18f5401e60be42fa31326dc7285bb8ccb413c7a
SHA256: cf6f68e9cafded119eb35ce6fad9f80a6b6c64cc0e4cb84e408892f92b3b394a
SHA512: f8f388a1f843748f094f9f97344f221f5afdb1aff8d0be715c1c8b61439c2310e2a9aff9d70ab966cf5d674ceba1bdaadd2ed88ae4da50d12a0b8c4b36b7c977

Filesize: 37KB
MD5: 08bb3ecd4cc910d5500a9e389441a3da
SHA1: 92117d3f779be41e091381b027ed880b59bb2d91
SHA256: 408816fdce9f5329c6649efb56a142eb7074ef6e8fef5c70ea72a789f07aa132
SHA512: d159eb54f1fa15221302ba65d08494d12b6b2303fe6e80bda9b049be5d71d805a42147ec038c7341b5570e08a077a0a1f17402ae93f7743c9aa8b2164f40bf80

Filesize: 20KB
MD5: 7defd708966faefe5c610f256994fb99
SHA1: 12cbe5e32a480c679457f2738e75aee2618a946b
SHA256: f7a1e98ef42e92cadc8f6232f107ecc0c1507ad11b4e242c05db82ff0ff4c3f6
SHA512: 25e62926be17e22d979cda3f5214bc4911bbf190bcc7e73f264cb9f97707139fc4779359c1712abddaf3c9adb30f21c006473eec2dd4f9f387281826e247ce40

Filesize: 22KB
MD5: 83acad71f5f83f2cc7fad08fc45e3f62
SHA1: 0b33d8bda44898fc9e692dedb3c684a14329b32f
SHA256: b78d32e935d4ec3a4803bd01651f7c03b07cfb8ac1ba88fddaa04ff22aa303da
SHA512: 31d09c59e94ba33045028d0d1e3fb142399ea8ca90027fbd77a894293ed14e8099c581bdbe5c8a846aa7beb9834266b40f847fdbbf16a0a8286b9abd44670540

Filesize: 38KB
MD5: 06683093428834519c100588d3bbbcef
SHA1: d36355db08f9186fc9f502735a5dbb966d139e92
SHA256: a976b59f11b8e9bfa80d88e3b53e8d2073c3f039a0544066e73f4b58f4ba38a9
SHA512: 06cca8f8cd9bcf4ed5c972358aa9bd683213f1d58f6a76a5bd3201592ea30803fe56b5fbc7047607111301a67ed1a332be9549578cf73dc04a7f7698c40e4181

Filesize: 27KB
MD5: f813ad92abc739744e185e3990efc308
SHA1: 6391306a6bfe3f30fae3611151c848277c33c31b
SHA256: 28aea16c149f5ee078b34c03cbb8c0eee86663923fc384324cef00f451af764a
SHA512: 3ac8cbb479063ce2ceb339684f86dc87d0a444face209e55de9c68c17c81642fbeec4b64ccea7f424e18b77add3c0caa4bf5d00e5d6f39728d4d61c74120244a

Filesize: 18KB
MD5: dd9f92d1a1ee662c1472c992ebbe36fd
SHA1: 8b21e6a4915b02bbd247d8846c6a742c120ed880
SHA256: fb67845b981f637821eb9e809b9fa1c62d41b1bdb0f84247a5a1297dd6b4e154
SHA512: e5ea698d8345800a7edfbbf0ac800a6368dedfff9df79d4cf13f507f561312ed6ff68268038be7e7e2ed6d0009ce20ed7d7662eb304e49fe7b6cd741ec9091d6

Filesize: 59KB
MD5: 7633f17faf3860581e63f3ecd2e80007
SHA1: cc4f08b6be64d862f5d3b2f8ce37633ead6f34d2
SHA256: 8dc80090b24abdb7dc37d39fc0e4f808d97326e24bdd837cc56b2881baa7ef50
SHA512: 59ebfc1a2ead14cb56ba6430ea9e7f159a7d212fa9ddd24df6133158aad7bec1b333e2bb1e3ce50fe293dccfc57185ca90a1726158d637914c6729ae7e831f3e

Filesize: 46KB
MD5: a1dcd778b8c06c4299a307532ecd6a40
SHA1: 722771bfa67e4bb8d614a33bdd1e49b55f79c47f
SHA256: a5f807ccdc864cbed778010004bcf2b3510776ff7963c91fb94daa85aceb8986
SHA512: 7849c1641343912c3cd4f1f312fc9eeccd4a0030735973cb56b308b204250ee5209c726628ce17926bd84748f26df200993355440b90455c3cca7b71a3fcf740

Filesize: 55KB
MD5: 60c6efabb021c8eec4ba448974887f11
SHA1: 1df8405943257b9356bae8467615d45151931aa2
SHA256: 709d97f82663324b2c441d42258d4aa6d8a0334f03c1935b0b43c9cad3ae4305
SHA512: 714c8fcc3343ad259b3b9681c53063dbd99c0023bcbae51f0f607dcff8cde51cc926d6cfe93be8eb6e2e159ae0405bfc9236df984b47083449130a4c0d7f44de

Filesize: 20KB
MD5: 17c697496abaa786bb85b036bf480bf5
SHA1: 4985b2ec44d4baacd34f33203d094c1a2640fbda
SHA256: 38dd822204389527ddd196d536e10131689ca362c63ca959b6557837bc5d33af
SHA512: ba2c64053040e0979ed3933cb3153b56f16ea99423d332f3a649eb92e2cc5b850e5c3cd54706105220fe8d51bc0d0ba61743aaad914d2705e9d43cbe5eae3fe2

Filesize: 99KB
MD5: 2c5d93f83e9c4810d3fd8257c06f3b56
SHA1: a33a8a4c75381a0e83e31ff46a2e57dccef1db3e
SHA256: 82eebff2d35e1abd48d48b7ff1908e33059281734c7827b006093fed49e5fee9
SHA512: 0a03771731876243893af94c7cdb64517647a72830a08ef79055005be8b652b47e0ca1066e3898cdab310f6be18e51901da1c5ec822440f6e69d6b2f5a2aefa0

Filesize: 88KB
MD5: a2e53ee908dc616b23256e82e73343f2
SHA1: c40b4ad46f6433a900536b7abe1d6544d4ee8ec9
SHA256: dd1a1e2058a992fda5828a86ac635b5efdb488e2aa45daf66f180ed95ef0a857
SHA512: 3ef3cb8b808e747928df27d5d931ae7a68ec09c05106880680089d4e356bb06acdf6d87cc1a3529c9a6d19e1eb991e563bd6392e8197f6716c1c44dc5b444d6d

Filesize: 17KB
MD5: 0ac62fbab3c332dc659c07cdc4ff5092
SHA1: be0fe7b9786de25de3218d8eb7402564a64edf72
SHA256: 16f64784da286df41dbfc82234c471eada5a25d3066297a0e842ca2b98299c91
SHA512: ec8da8c0265f46ee753befa8cc39e39fda2994edacc8134fd4f151d9b239e1172a229f8a32f780eb9c4bf5f1550135f5a1b735c83aaf0c6229e346b6c84ade9a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 5KB
MD5: e5304992bc4c321303b88ac19f55816b
SHA1: 55144bd9ce73d03aaef582b3976618db68544a3f
SHA256: 6c59a64ea45629c48c75956fda26c3d2723c79cf7e3d4fd6ce94607e530cb95e
SHA512: 7b47158241caa0da1492f656e41f857e8870ebb9649567319f141cb8a62320070a81f7ca3f392f6ec25a89562ef525da06f5ae9a55d11cded6bb545ceb5338a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57b3ee.TMP
Filesize: 3KB
MD5: 3f27c4a3ded6880b7f09f44c9d937e15
SHA1: 539f90d66afa03c48f11439264a5e49c232505c3
SHA256: d40a225a77572dd5cd39ce45df81cd45d36125c2b1416306a594d4069f58494f
SHA512: ba763113eb0617981a4f1ddaabebc4ef972d741b31b08447f610c97271a18601a32c2f70a9cf6182522b1269531c3f328634bb5b8318358473cf7f492b836deb
Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize: 319B
MD5: cffdae3a6e1fd3998d30568422541713
SHA1: fe69afc424ccc59d13799aa2f30e3379b63a76d5
SHA256: 23cec31ec166fd1e875f55a397cfba2756f2d64bb2ec35003afc985766a682d2
SHA512: 903c502264fdc989db486691a7303597ac7b75c7ee3844681329305183a39737fe9c407c4dfe108e5fd347d2d6ba94453847213a843fdab5f4967697cc2241a5

Filesize: 20KB
MD5: f1578dd9a1ef7ff87b0712ec80328c03
SHA1: dca654d2c14105af5fb67c61d8f6f88478a47de8
SHA256: 07bee29d57ebfce1e519d3e9e52f0d834ade3de40e6bf61e9a1d9c66b541f748
SHA512: 82ed0b4e746208752137b3f8c74baa71b96a0e9a342537c24c6b7c9c19bb859c3d5843b1af961ad44d0dec02d16883be4c0ec89bf308593a3420ecef3c590bc0

Filesize: 192KB
MD5: 255a34f58934e653da29a9574a5f010f
SHA1: 70444eb8212f3a359a56ab65b772a13c54628683
SHA256: 29a546156b59a43dc085369843c8c5f8625b88a8922c6d8c3f4a3de07d1fea44
SHA512: fcc2aa0dff25b78e49408941314759c3524cfa539b37b5064ad10107fdec5b89c3442f7f19fe5a6f50510e94845b76af92adc13baa7fef201bb8f144d86716fc

Filesize: 108KB
MD5: 06d55006c2dec078a94558b85ae01aef
SHA1: 6a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256: 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512: ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

Filesize: 20KB
MD5: 5a5f3cd25a3cc37422b5b1263433293c
SHA1: c585eeb905bfdb82e807e5b8e3e60c7955bd87d0
SHA256: 0d9cac97810b2fce10dfad806ddbfe2ce26e7d0b1774e3b438a3ecf403af0428
SHA512: a6648c2f1e4a7d066e22ce20676d3ac59ae61aed4be8c82b930081c2523e120f9737621415ad313cf155fbc2e5092ec39b40e08a13548198b937f60304c6fbe9

Filesize: 3KB
MD5: 2526b36284e79ea84d89ad8961a86bde
SHA1: c192a940419f0c08f7e568b983973db097c392ff
SHA256: adb4d4b1dd0a878109b4d17197528079b1c57c48d90e02a8b4c341bf6d6d9543
SHA512: 4f3ba3954224de551340378662c3c69ebe70d4d2319580573df3724441f37303e6b8c2a6e6bda683d6c53afa1b8f7aa0810531f7d96d0ef8c9079c953cb0c2c7

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 40B
MD5: 20d4b8fa017a12a108c87f540836e250
SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Filesize: 859B
MD5: 0c693a6897912041fe50dd868428d71a
SHA1: 4a811421c47fa036575233fe3dd92e62ca9b948c
SHA256: 820a844d93f23870bbd6c828452cb72c8c1ffa9f332ddfa3517498599933a105
SHA512: 989c463320388834e7eeee8ec90687244d2e3fc0d4f1b063dcfcf5a4e42abc466fc0ecf8dac2bd07840757a71cc93dfa0cf922aff2443c8f90ba749862cf201b

Filesize: 16KB
MD5: 14d8805d9851a532aa6c11ee9c5e2790
SHA1: 611ad999dc1284acbe51ea78d6ed262f745b1709
SHA256: 041becf7d4481b3019bb82573bad17deff3c3ad2c09a81ec8c7d08fe8bbdb076
SHA512: 0bc1a4bf20519f115f159cbcd50662703573b8831b88a708ca32ade364d5ed043442f6883964e28bf939ac10951c1f32b46551454895484a2babf2eb828cf3e7

Filesize: 17KB
MD5: ceb1c0fef5f41ee02d9be5e0619eaa81
SHA1: a0b29d73af79d4fe134d3f5c5a4746cb6282d9fb
SHA256: e385ff47538f59bdd66c6c28ebbeb3b1b2998a2a7d9ca34c788fd708bce9093f
SHA512: f07e14f803dbbc860dbd83c50575e61f6cca19f2823f0cf2010de55c94397d3a4e3e60327ce2a53ca9d10795e2520fe99163a49882ee364a4293f82f81f6668d

Filesize: 36KB
MD5: 85161c3c62da25cfe31019ee3303a436
SHA1: 3a272b755d34672e6598343391f40908eaba7cd9
SHA256: f9352f5c6be53ed563cb3c4c0da085c23748ed7e231e8eb0d4881b58d1202a9d
SHA512: fae142acd47850e1fc6d193b44a77c35463fdff1edbf9da83aa6bf9bf0272147c337cd7399e99a213b4bb2adb3569ebd2635afcd7a64fe73f60415abc4071c4b

Filesize: 335B
MD5: f5bfbc15e0c2d1aa44f5b438f3698e38
SHA1: 9536ee68d7714d6bbbf68988db13e2809f6b2ef2
SHA256: 22eca03436903b505bfa9fc3e2aa977e694a14bebb7b6d3663f24afea5db45b6
SHA512: 9e5436324a01aeb98c948ed26ad31c5e68a056bf4f002d4b15bf46d24310201ae8685e1f110c34474c156ffd48fd5e88ce59dfd85ca04ef96902e82da8288da6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize: 112B
MD5: bd2bf506d44d71a0917875e68c084080
SHA1: 7aa47986879cf9848f979909a48b1e64d92df8f6
SHA256: 01ac076f9552e3a7e5ffd49c2b3c6220bf9a93bd454d89cc3831f3b0039949de
SHA512: b40cdb6028b9841884cc3423de005c9562fb0df0897131b6f0f76275750772852e866684ae3453dcd3ca3e38136364d156af4780bc58d025a0c2a77e109b5912

Filesize: 347B
MD5: c4ed9bbe1ea4394c1d4362f8c0d02a8b
SHA1: d5740d0a42686c8318beabab923e54ad084ca219
SHA256: 23606047031a2c104f7a1b4553553efe1811767f56edd15fe42910172c5616c8
SHA512: f6119f89a9d724e120e62048e6e070e30bb1123d8c7839bd6a9cf6d7aa0be0080e2cdb752f0a0b43668f5fb510b5cc1ba4a8d74a6f99c296cefc9442b72e6a0e

Filesize: 323B
MD5: 059c52031ba2b1f2a012a2c2f380585e
SHA1: ece149a1499f27977a982febdc268c14e2e88fd0
SHA256: 51877757aab37818ae2187661f4e112148f39ffa94a026068616a771c5b7c380
SHA512: fd16f5b5ffb57946d70beb7a77415d4db1c5287911f78b13c4eac1878f4d63df4def0e51ff9c5abdf62b57e0475c5cb636480ce76fcea4cf871fa3a1088c87ec

Filesize: 22KB
MD5: a17c5a2f54a990866995553f193d0b60
SHA1: fa724c21ca3a7d3c05a7eb2843372ecaf759bdf0
SHA256: 271bf6ddf91efd3306eb38168bdff3558b1c2985e00c42d39f2e090bfdac0622
SHA512: 24ae1345b856b05b52a919d0c8fc18e7ed74127e1be961a92fe1be0f53c1bc380dafbe24f7373db46b1f24d2c603c0f65a99d2dfc3c4913c369b9c480dc805dc

Filesize: 25KB
MD5: ff9030ea963edef2a514d9ca4edaba28
SHA1: 8a5909b239a6cfa5b48a6e51d52895c1ec203f15
SHA256: 8c5cefd28f63226a0544ad9a4f18d39e052bb6558402c2d6af5381a13c417e8a
SHA512: b2a0d2866fbce13d2e683a10afaf63aba4da5f489885c28cfefe09e59015736c33c7992da73da20c3cb53cd7f54b851be5ab9a954d90004de0009543044c14a9

Filesize: 128KB
MD5: c1909fe68747a55514296ed0cd4b6371
SHA1: bda0990c4086f9c7d15608212b7f15cb88d988a4
SHA256: ae24d1401f8520f662429408bd3cb74cea8c0c1853a876acdff45a49380ae992
SHA512: 6c411728adb7662d9547d4a9c6b94e5b205a9d0ff7166aac247e468cc9af6a8fc95fb5cd0ef6d041a7942850c01217f550448e761c87a3590041b19f95865b18

Filesize: 14KB
MD5: 51dfc6170450d52f180ede8e985857d3
SHA1: 0242adea1b1cf40fba19eee027e59b1fe6453f44
SHA256: ff6e3bc0d4a208275a5826d46801b36814397753eae3f0321c87275e665a6fd2
SHA512: a1593c92ee4cf0e4b8936bcd3907c47e0afeeb25d4827097e8e2bfb5b6ee0660fa3419c7733c9838cc99738331ae8faef3424412ce05459104cb4ea3b7f81d6e
Filesize: 13KB
MD5: 256c40bace492c4e28451ce149d2f9ac
SHA1: b48b0eaf986b9efc91d5c8dd394dccb6d82e2adc
SHA256: f9e4da319fe1f5a7d497c452421f4648a24ec7588f309ebea0f0cd61a6251eef
SHA512: 33b38d1ced015798722180fc8c8ce6daedb18cd5d0e4b3db27d6176c13cf3ccb1bd79f2e68ca390d6eb43ac508c29067e8f1a3ee9f0167cabe37ebbddf6b0ec0

Filesize: 14KB
MD5: 54e3387e40dded66e03b442665d18ca2
SHA1: 6b810f5a683bb5d2743a9349e3ca09ef5588e74d
SHA256: 2c40d1607a5a9764ed173a147ac5eb3512f362eb3342b421aa2e98ce50c9888d
SHA512: f01111ca7edfec819b6cafcaabf9b98d02bf3a5b679890dddccbd18d112503fe11be3b848d64d65563a09f9dbb7ee36d0ab6c3857b8767bd2d295afe14fa31cc

Filesize: 319B
MD5: c522ef0ba342f01213da7d8fbf19dbd6
SHA1: d18a012db219c8608567916bad410b899c8e09e7
SHA256: 6b4f6fa5a12d3fb4e3b7974ddad9ac4bfae73d926b948edd4e609c40126c2702
SHA512: d161cf2000100a16d73cb3f4b0571d9cfd574a0f07430ada3b3402b48f00f851cee87c1e37b123f96e334d931c4abedbfcc64e64528b08e53208823c0a115ddb

Filesize: 1KB
MD5: 0e404d10a87673d0b4dc2822422c3257
SHA1: ca0724449d8834e02fd3b715e6d673b5fc66acc7
SHA256: 9f8f945742fd10cbb7fa25b2cdbf9acbc532eb3d0ddf8b2febbb57665920da71
SHA512: 1998dbf2bc45dd86f44304aac9e9ff2b71ea2dffc942af8650ab074f3404573c29de2d1a132713724135ad78422891c94b6ab39d0971101c5dba7a8b436b64a3

Filesize: 337B
MD5: ef25c8280d454555fe9f1ac668bde1ae
SHA1: 72db10f060a9ab48bf465c2cad66a8e486e7e9af
SHA256: 8ecc92dafde74b8db2ea80365fe5eb799fb71f4b1920cf869a6935a4189e152a
SHA512: 3d6167e3b138b68b8f6c68604b6dbce632ed6ffc437529148ee570e96752ae1a769feb4099167a749d8ecc6fd3fa65e1750be863c3a7e746d6fd993260ec72cc

Filesize: 464B
MD5: 4046d1547058ffd88db3f9a91241533c
SHA1: af91a18842aa687ba3652a8d5308b1e8d823c3ee
SHA256: c11c25fd43e4ed7c9d7efcbab527d9da9b00a684a97de7f4cdd1e73dcb02d2dc
SHA512: e9da78273b4e5e1c6d3a0b1442265ed9f2b92425edcc0ec38b428d9f65663f733ed1bb0cfdb9690e7093d67f9f0b5e10d03b32e5928dd34212136737189cdb56

Filesize: 13B
MD5: 3e45022839c8def44fd96e24f29a9f4b
SHA1: c798352b5a0860f8edfd5c1589cf6e5842c5c226
SHA256: 01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd
SHA512: 2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Filesize: 54KB
MD5: 8718b2ec9b52bcf8fe1b375145923fea
SHA1: 4908436971e4d396af490303f669c164e7dc23b0
SHA256: 2dd6831b402e9272f904b68902fb06838afde28711a034af4e11142fd8ed7746
SHA512: 19c5779ded0df7204c0b4b8221594080bc8570d41d810f8d7ab4e80b8423a17e9080f34abf087834075637a1571ffe0c72b634b0618fea0d56b2e7572b314a3c

Filesize: 54KB
MD5: f003a9a7329373c58e71b9bb7e976672
SHA1: 77211f9973a2740da1aa3c43af81911d4b9593b9
SHA256: b63d56b3e9c74a14c8501a7c5a53f3e66599123672e8386bd58ead4f8f9d272f
SHA512: d0a641e71533dc759ee29e95e15d7f0d819bd48ccaf65f12f84fddafa862cce358d49b6a10402c77f367c976f419703340781c27fedb7e21df45a15a994e963e

Filesize: 40KB
MD5: 22cff315798fbfe84cd0b8f5db669792
SHA1: e19a965613d38c945b1bc7ccefb7a9f14971dd3d
SHA256: 477c154c9e4274336d5c2cac277bfbf089d23725888fa60866558289047f6030
SHA512: fdb7b82d1fd66e5365b6f7b3733e212c127df8470c492788db591ebef5d91bd450d25cf44e072367f1794d5832ca203171dea8b56855135b3b1015b102586dff

Filesize: 39KB
MD5: 26297c135dbdb8bf290fc82a6fc708da
SHA1: 99796e745dd96501d61e13f097cc80b625839514
SHA256: 6b6f15258934224bc174333990d6e7674af283a4e0410179c00302693ab47d72
SHA512: 7fb83c8f4a6fc75037817d12d2fcce4099add380a2483967755582033402d05481524228aebab439535cc94b514409fbcb75ddfed74103d92e3f40a3cc109418

Filesize: 48KB
MD5: 9b455db4af3a09ae703fd52dbd82d540
SHA1: 757f38c28e129c118dd6ffbcc172d5b037cf8b6a
SHA256: f9b8b3d89151afee63bb93cb4996caeb63dcb9100b62ab0891d0848c892f6e17
SHA512: ed44d9573d51ecd3a218c9360637623249e867710df0f74f345c775bd3d2504ea4fa631d36a87fd880361d97db92c86327cc9cb1d9272114bf874641d691661c

Filesize: 264KB
MD5: 50cd9b4287f7a69ef3365a143b3512ee
SHA1: 7f964d3aabd8d47e70d7a6ee69f49cf26ee3a773
SHA256: f7df4c60592f54efa53ab18e9b51515acac1e655a88c18a54276c213543c5324
SHA512: e8e4f5a192f9cd28dcebe5ca0e5fb31d74c52978bf643d1b2e96564a789bc39c3830b08ac3d3bd3d76bd9ef36b4f7efb010d2c9cd65bf319689b47243fa8c122

Filesize: 86B
MD5: 961e3604f228b0d10541ebf921500c86
SHA1: 6e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256: f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512: 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize: 2KB
MD5: 944def4db76b5776643500a18d78f54f
SHA1: 8351b91ac1056759faaeb48714a2b27ac8d39adf
SHA256: 01a28d30c8859af50f6f1d688fb810f03ff6f861308782c6bc418687ac2694cd
SHA512: 05cb26fec7fa80fb8ea72f654877d0909bcb00416edcf740210744c53e7d8dbe7fd04e080ba8efa37cd64a0e8ff1a8cefab4ff44424365684a6906bc40d5d6d5

C:\Users\Admin\AppData\Local\Server\DcRat.exe_Url_nzptexryieaskvtv2305jtgersripj4o\1.0.7.0\user.config
Filesize: 309B
MD5: 0c6e4f57ebaba0cc4acfc8bb65c589f8
SHA1: 8c021c2371b87f2570d226b419c64c3102b8d434
SHA256: a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c
SHA512: c6b877ff887d029e29bf35f53006b8c84704f73b74c616bf97696d06c6ef237dff85269bdf8dfb432457b031dd52410e2b883fd86c3f54b09f0a072a689a08c0

C:\Users\Admin\AppData\Local\Server\DcRat.exe_Url_nzptexryieaskvtv2305jtgersripj4o\1.0.7.0\user.config
Filesize: 830B
MD5: 36979ae44f7fef37e74a41d7ecf37588
SHA1: 2b836ffa7e561c94e5011bfbd870551d19fa1027
SHA256: c10c856973fe4599d8f98db1629d9d53230c094b275980d7a4f3e83c98f5f2cd
SHA512: b9bbb40b7b0bb449b394f47a6def4c9527ce3aac02157e2121c42bb7f8eca700115d187330c1fcfcf9ff04f2f5e6abaa4e58c56730f0560356e23e306a9fb2d1

Filesize: 47KB
MD5: dfc1a646326a2b5f365f68e3e377e790
SHA1: 8f1ee85e92ea499799e4f673220df313da8ad1b2
SHA256: 1893cac4ca324830686eb78513b667bb230be10990ec9b7d8002526054295625
SHA512: 3ae12d090318262200ba51797d4341533c4b80e867c7e3af7a57106ffd392c863f19cd51c4265e71201915497aa874b1351675e1facb55f9985657bf09962bc7

Filesize: 1KB
MD5: e5d252a03d84e50b8ba03027c0e1038a
SHA1: 7c6ab96792d9f9f70937e6e039cc7d6a7d3c8708
SHA256: 458f32cb83bbf5949e5dcc5cf04b3e7433167a77b53ea146e6a1100c2fda3e90
SHA512: 63c934fffc9a4a254a4595157fee092e3cc7be7d170d450df369eea5a84263f90be6a57b030c55c8b1d7e122d3f103124b6abd72071d075a73dd300211c312cf

Filesize: 4.0MB
MD5: 836c2ae55c1baec789b83fa3d79d23b3
SHA1: 359a091da48369e1e8cea6e004826ee25a93b3db
SHA256: 68115c6e039363be3b80e416ed462d97f8c763af800237b1fa183cca1180bac5
SHA512: e12f7438545f6615f84e37b81837127aacc79b4aadd3b212702bb662b0f752778ed15d646e8d657b318dfde57d2f893c18831bfb686a0ae1b7d62137c63080be

Filesize: 1KB
MD5: ee002cb9e51bb8dfa89640a406a1090a
SHA1: 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA256: 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512: d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c