Analysis Overview
Threat Level: Known bad
The file https://github.com/qwqdanchun/DcRat was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Async RAT payload
Checks computer location settings
Executes dropped EXE
Drops file in Windows directory
Browser Information Discovery
Enumerates physical storage devices
Uses Volume Shadow Copy WMI provider
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Modifies registry class
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported: 2025-05-19 16:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2025-05-19 16:19
Reported: 2025-05-19 16:22
Platform: win10ltsc2021-20250425-en
Max time kernel: 184s
Max time network: 185s
Command Line
Signatures
AsyncRat
Asyncrat family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rizzler.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1604751467\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_174775514\typosquatting_list.pb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_174775514\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_688605351\v1FieldTypes.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_688605351\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1209244472\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1604751467\deny_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_688605351\autofill_bypass_cache_forms.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_688605351\edge_autofill_global_block_list.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_688605351\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1133434118\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1133434118\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1604751467\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_688605351\regex_patterns.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1604751467\deny_etld1_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1209244472\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1209244472\sets.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1209244472\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1133434118\keys.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1133434118\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1604751467\deny_full_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_174775514\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1209244472\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1133434118\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133921451771312637" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 = 5000310000000000b35a7a8210004463526174003c0009000400efbeb35a7a82b35a80822e000000f38202000000090000000000000000000000000000005d7e0e0044006300520061007400000014000000 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0 = 5600310000000000b35a8882100052656c6561736500400009000400efbeb35a7a82b35a88822e000000f5820200000008000000000000000000000000000000f3d50801520065006c006500610073006500000016000000 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "6" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 = 7e00310000000000b35a818211004465736b746f7000680009000400efbe995add66b35a81822e000000f50501000000020000000000000000003e000000000047ad20014400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 5600310000000000b35a8882100052656c6561736500400009000400efbeb35a7a82b35a88822e000000f5820200000008000000000000000000000000000000f3d50801520065006c006500610073006500000016000000 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3360380284-3605397551-3210292082-1000\{500844EE-A21F-476D-80D1-CC48BC3D0D43} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\NodeSlot = "5" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\NodeSlot = "7" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Rizzler.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/qwqdanchun/DcRat
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x314,0x7ffa2400f208,0x7ffa2400f214,0x7ffa2400f220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1708,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2008,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3484,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3488,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4856,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5128 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5088,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5456,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5980,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=6184,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6792,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x288,0x7ffa2400f208,0x7ffa2400f214,0x7ffa2400f220
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1856,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=3492,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2256,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=4088,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=4088,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4500,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\DcRat\" -spe -an -ai#7zMap30898:70:7zEvent20632
C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe
"C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4568,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4556,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4544,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4680 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4552,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4392 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4588,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:8
C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Rizzler" /tr '"C:\Users\Admin\AppData\Local\Temp\Rizzler.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1488.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Rizzler" /tr '"C:\Users\Admin\AppData\Local\Temp\Rizzler.exe"'
C:\Users\Admin\AppData\Local\Temp\Rizzler.exe
"C:\Users\Admin\AppData\Local\Temp\Rizzler.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4460,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4052,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4816 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4492,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4436,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=2816 /prefetch:8
Network
| Country | Destination | Domain | Proto |
Files
| SHA1 | c40b4ad46f6433a900536b7abe1d6544d4ee8ec9 |
| SHA256 | dd1a1e2058a992fda5828a86ac635b5efdb488e2aa45daf66f180ed95ef0a857 |
| SHA512 | 3ef3cb8b808e747928df27d5d931ae7a68ec09c05106880680089d4e356bb06acdf6d87cc1a3529c9a6d19e1eb991e563bd6392e8197f6716c1c44dc5b444d6d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006e
| MD5 | 2c5d93f83e9c4810d3fd8257c06f3b56 |
| SHA1 | a33a8a4c75381a0e83e31ff46a2e57dccef1db3e |
| SHA256 | 82eebff2d35e1abd48d48b7ff1908e33059281734c7827b006093fed49e5fee9 |
| SHA512 | 0a03771731876243893af94c7cdb64517647a72830a08ef79055005be8b652b47e0ca1066e3898cdab310f6be18e51901da1c5ec822440f6e69d6b2f5a2aefa0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006d
| MD5 | 17c697496abaa786bb85b036bf480bf5 |
| SHA1 | 4985b2ec44d4baacd34f33203d094c1a2640fbda |
| SHA256 | 38dd822204389527ddd196d536e10131689ca362c63ca959b6557837bc5d33af |
| SHA512 | ba2c64053040e0979ed3933cb3153b56f16ea99423d332f3a649eb92e2cc5b850e5c3cd54706105220fe8d51bc0d0ba61743aaad914d2705e9d43cbe5eae3fe2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006c
| MD5 | 60c6efabb021c8eec4ba448974887f11 |
| SHA1 | 1df8405943257b9356bae8467615d45151931aa2 |
| SHA256 | 709d97f82663324b2c441d42258d4aa6d8a0334f03c1935b0b43c9cad3ae4305 |
| SHA512 | 714c8fcc3343ad259b3b9681c53063dbd99c0023bcbae51f0f607dcff8cde51cc926d6cfe93be8eb6e2e159ae0405bfc9236df984b47083449130a4c0d7f44de |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006b
| MD5 | a1dcd778b8c06c4299a307532ecd6a40 |
| SHA1 | 722771bfa67e4bb8d614a33bdd1e49b55f79c47f |
| SHA256 | a5f807ccdc864cbed778010004bcf2b3510776ff7963c91fb94daa85aceb8986 |
| SHA512 | 7849c1641343912c3cd4f1f312fc9eeccd4a0030735973cb56b308b204250ee5209c726628ce17926bd84748f26df200993355440b90455c3cca7b71a3fcf740 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006a
| MD5 | 7633f17faf3860581e63f3ecd2e80007 |
| SHA1 | cc4f08b6be64d862f5d3b2f8ce37633ead6f34d2 |
| SHA256 | 8dc80090b24abdb7dc37d39fc0e4f808d97326e24bdd837cc56b2881baa7ef50 |
| SHA512 | 59ebfc1a2ead14cb56ba6430ea9e7f159a7d212fa9ddd24df6133158aad7bec1b333e2bb1e3ce50fe293dccfc57185ca90a1726158d637914c6729ae7e831f3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000069
| MD5 | dd9f92d1a1ee662c1472c992ebbe36fd |
| SHA1 | 8b21e6a4915b02bbd247d8846c6a742c120ed880 |
| SHA256 | fb67845b981f637821eb9e809b9fa1c62d41b1bdb0f84247a5a1297dd6b4e154 |
| SHA512 | e5ea698d8345800a7edfbbf0ac800a6368dedfff9df79d4cf13f507f561312ed6ff68268038be7e7e2ed6d0009ce20ed7d7662eb304e49fe7b6cd741ec9091d6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000068
| MD5 | f813ad92abc739744e185e3990efc308 |
| SHA1 | 6391306a6bfe3f30fae3611151c848277c33c31b |
| SHA256 | 28aea16c149f5ee078b34c03cbb8c0eee86663923fc384324cef00f451af764a |
| SHA512 | 3ac8cbb479063ce2ceb339684f86dc87d0a444face209e55de9c68c17c81642fbeec4b64ccea7f424e18b77add3c0caa4bf5d00e5d6f39728d4d61c74120244a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000067
| MD5 | 06683093428834519c100588d3bbbcef |
| SHA1 | d36355db08f9186fc9f502735a5dbb966d139e92 |
| SHA256 | a976b59f11b8e9bfa80d88e3b53e8d2073c3f039a0544066e73f4b58f4ba38a9 |
| SHA512 | 06cca8f8cd9bcf4ed5c972358aa9bd683213f1d58f6a76a5bd3201592ea30803fe56b5fbc7047607111301a67ed1a332be9549578cf73dc04a7f7698c40e4181 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000066
| MD5 | 83acad71f5f83f2cc7fad08fc45e3f62 |
| SHA1 | 0b33d8bda44898fc9e692dedb3c684a14329b32f |
| SHA256 | b78d32e935d4ec3a4803bd01651f7c03b07cfb8ac1ba88fddaa04ff22aa303da |
| SHA512 | 31d09c59e94ba33045028d0d1e3fb142399ea8ca90027fbd77a894293ed14e8099c581bdbe5c8a846aa7beb9834266b40f847fdbbf16a0a8286b9abd44670540 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000065
| MD5 | 7defd708966faefe5c610f256994fb99 |
| SHA1 | 12cbe5e32a480c679457f2738e75aee2618a946b |
| SHA256 | f7a1e98ef42e92cadc8f6232f107ecc0c1507ad11b4e242c05db82ff0ff4c3f6 |
| SHA512 | 25e62926be17e22d979cda3f5214bc4911bbf190bcc7e73f264cb9f97707139fc4779359c1712abddaf3c9adb30f21c006473eec2dd4f9f387281826e247ce40 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000064
| MD5 | 08bb3ecd4cc910d5500a9e389441a3da |
| SHA1 | 92117d3f779be41e091381b027ed880b59bb2d91 |
| SHA256 | 408816fdce9f5329c6649efb56a142eb7074ef6e8fef5c70ea72a789f07aa132 |
| SHA512 | d159eb54f1fa15221302ba65d08494d12b6b2303fe6e80bda9b049be5d71d805a42147ec038c7341b5570e08a077a0a1f17402ae93f7743c9aa8b2164f40bf80 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000063
| MD5 | f1fe5f7765a314f313e9d00ea67b3817 |
| SHA1 | a18f5401e60be42fa31326dc7285bb8ccb413c7a |
| SHA256 | cf6f68e9cafded119eb35ce6fad9f80a6b6c64cc0e4cb84e408892f92b3b394a |
| SHA512 | f8f388a1f843748f094f9f97344f221f5afdb1aff8d0be715c1c8b61439c2310e2a9aff9d70ab966cf5d674ceba1bdaadd2ed88ae4da50d12a0b8c4b36b7c977 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3
| MD5 | 04071ea5131d42b928818f5217400c9f |
| SHA1 | 44492c1ba6af6dd75f0ac845b671d801506268ef |
| SHA256 | 8e27b9579bd60098d5cd67a40f4c9fc886a5a8ec136a9c53d4f73a4653ad1154 |
| SHA512 | 6f5bf06cb713642972ecefb5506f458fa5ea7392dfda9a132f40a2973ded8dbe33cabdf2cde18b2c30bcad914fc756f9466656a143e1b7373c86affb5d956950 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_2
| MD5 | d457e20774d95726a7570de335ae1b09 |
| SHA1 | 4488e0e14631077221c2dbebd5f3084d06907e04 |
| SHA256 | 819e964aa2c43d19bb1613fa203511e17032e231ddc0ed48a4519b21b628ce8e |
| SHA512 | 1269beb11f83d027caa475489914c9d552e22a7bf9ebd3d29429520cee220aebd11f27db1ffde5ebe96b0c8195f81b1a4b368b0332707cc5482107822023fcb7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1
| MD5 | e261cacc202ddec202f16910ce701155 |
| SHA1 | cff6f0242647494f7b285d1659e12c10684db850 |
| SHA256 | afa47fe803c6e8aa96703e7ea1333ef4b4575e0b0f44c41a9528fd71ea69233f |
| SHA512 | aa0aebc673c975b08489483995f63f48d7ece04628907100eefba605401224e0bd03dd486b95cd852d13465d13410fe77041bfcdd59f4f0b8787b8dbe2c41441 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0
| MD5 | c5d1beade6cb07298f9288ae999d2cb5 |
| SHA1 | baff2b74bf6abe3595861b1a00a33b04a3102b91 |
| SHA256 | aee53a9ff60c2b9fb0256ce46b8ec03556818ed6ba529e6b8893fab2e8d626f0 |
| SHA512 | 6881aa0728c45b9ffd465350668d846d96cf2fc705f61d3881ad4f527d9d020b5d7893204ff78e31c34183787f1385cc2fb08f05608e022f2588d0bdad9a295d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | 3e45022839c8def44fd96e24f29a9f4b |
| SHA1 | c798352b5a0860f8edfd5c1589cf6e5842c5c226 |
| SHA256 | 01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd |
| SHA512 | 2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9 |
memory/2108-805-0x0000027B9F0A0000-0x0000027B9FCEA000-memory.dmp
memory/2108-815-0x0000027BBAF20000-0x0000027BBAF2A000-memory.dmp
memory/2108-816-0x0000027BBD560000-0x0000027BBD572000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9b455db4af3a09ae703fd52dbd82d540 |
| SHA1 | 757f38c28e129c118dd6ffbcc172d5b037cf8b6a |
| SHA256 | f9b8b3d89151afee63bb93cb4996caeb63dcb9100b62ab0891d0848c892f6e17 |
| SHA512 | ed44d9573d51ecd3a218c9360637623249e867710df0f74f345c775bd3d2504ea4fa631d36a87fd880361d97db92c86327cc9cb1d9272114bf874641d691661c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | 4046d1547058ffd88db3f9a91241533c |
| SHA1 | af91a18842aa687ba3652a8d5308b1e8d823c3ee |
| SHA256 | c11c25fd43e4ed7c9d7efcbab527d9da9b00a684a97de7f4cdd1e73dcb02d2dc |
| SHA512 | e9da78273b4e5e1c6d3a0b1442265ed9f2b92425edcc0ec38b428d9f65663f733ed1bb0cfdb9690e7093d67f9f0b5e10d03b32e5928dd34212136737189cdb56 |
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1133434118\LICENSE
| MD5 | ee002cb9e51bb8dfa89640a406a1090a |
| SHA1 | 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2 |
| SHA256 | 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b |
| SHA512 | d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c |
C:\Users\Admin\Desktop\DcRat\Release\ServerCertificate.p12
| MD5 | e5d252a03d84e50b8ba03027c0e1038a |
| SHA1 | 7c6ab96792d9f9f70937e6e039cc7d6a7d3c8708 |
| SHA256 | 458f32cb83bbf5949e5dcc5cf04b3e7433167a77b53ea146e6a1100c2fda3e90 |
| SHA512 | 63c934fffc9a4a254a4595157fee092e3cc7be7d170d450df369eea5a84263f90be6a57b030c55c8b1d7e122d3f103124b6abd72071d075a73dd300211c312cf |
C:\Users\Admin\AppData\Local\Server\DcRat.exe_Url_nzptexryieaskvtv2305jtgersripj4o\1.0.7.0\user.config
| MD5 | 0c6e4f57ebaba0cc4acfc8bb65c589f8 |
| SHA1 | 8c021c2371b87f2570d226b419c64c3102b8d434 |
| SHA256 | a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c |
| SHA512 | c6b877ff887d029e29bf35f53006b8c84704f73b74c616bf97696d06c6ef237dff85269bdf8dfb432457b031dd52410e2b883fd86c3f54b09f0a072a689a08c0 |
C:\Users\Admin\AppData\Local\Server\DcRat.exe_Url_nzptexryieaskvtv2305jtgersripj4o\1.0.7.0\user.config
| MD5 | 36979ae44f7fef37e74a41d7ecf37588 |
| SHA1 | 2b836ffa7e561c94e5011bfbd870551d19fa1027 |
| SHA256 | c10c856973fe4599d8f98db1629d9d53230c094b275980d7a4f3e83c98f5f2cd |
| SHA512 | b9bbb40b7b0bb449b394f47a6def4c9527ce3aac02157e2121c42bb7f8eca700115d187330c1fcfcf9ff04f2f5e6abaa4e58c56730f0560356e23e306a9fb2d1 |
memory/3076-955-0x0000000000580000-0x0000000000592000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Rizzler.exe
| MD5 | dfc1a646326a2b5f365f68e3e377e790 |
| SHA1 | 8f1ee85e92ea499799e4f673220df313da8ad1b2 |
| SHA256 | 1893cac4ca324830686eb78513b667bb230be10990ec9b7d8002526054295625 |
| SHA512 | 3ae12d090318262200ba51797d4341533c4b80e867c7e3af7a57106ffd392c863f19cd51c4265e71201915497aa874b1351675e1facb55f9985657bf09962bc7 |
memory/4724-993-0x000000001BD00000-0x000000001BD76000-memory.dmp
memory/4724-994-0x0000000002620000-0x0000000002630000-memory.dmp
memory/4724-995-0x000000001BCA0000-0x000000001BCBE000-memory.dmp
memory/4724-1022-0x00000000025D0000-0x00000000025DE000-memory.dmp