Malware Analysis Report

2025-08-05 15:05

Sample ID 250519-tsnp6s1ly4
Target https://github.com/qwqdanchun/DcRat
Tags
asyncrat default5 discovery rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK
    Enterprise Matrix V16

Analysis: static1
    Detonation Overview
    Signatures

Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://github.com/qwqdanchun/DcRat was found to be: Known bad.

Malicious Activity Summary

asyncrat default5 discovery rat

AsyncRat

Asyncrat family

Async RAT payload

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Browser Information Discovery

Enumerates physical storage devices

Uses Volume Shadow Copy WMI provider

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry class

Delays execution with timeout.exe

Scheduled Task/Job: Scheduled Task

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-19 16:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 16:19

Reported

2025-05-19 16:22

Platform

win10ltsc2021-20250425-en

Max time kernel

184s

Max time network

185s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/qwqdanchun/DcRat

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1604751467\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_174775514\typosquatting_list.pb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_174775514\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_688605351\v1FieldTypes.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_688605351\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1209244472\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1604751467\deny_domains.list C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_688605351\autofill_bypass_cache_forms.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_688605351\edge_autofill_global_block_list.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_688605351\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1133434118\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1133434118\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1604751467\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_688605351\regex_patterns.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1604751467\deny_etld1_domains.list C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1209244472\LICENSE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1209244472\sets.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1209244472\_metadata\verified_contents.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1133434118\keys.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1133434118\_metadata\verified_contents.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1604751467\deny_full_domains.list C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_174775514\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1209244472\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1133434118\LICENSE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133921451771312637" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 = 5000310000000000b35a7a8210004463526174003c0009000400efbeb35a7a82b35a80822e000000f38202000000090000000000000000000000000000005d7e0e0044006300520061007400000014000000 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0 = 5600310000000000b35a8882100052656c6561736500400009000400efbeb35a7a82b35a88822e000000f5820200000008000000000000000000000000000000f3d50801520065006c006500610073006500000016000000 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "6" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 = 7e00310000000000b35a818211004465736b746f7000680009000400efbe995add66b35a81822e000000f50501000000020000000000000000003e000000000047ad20014400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 5600310000000000b35a8882100052656c6561736500400009000400efbeb35a7a82b35a88822e000000f5820200000008000000000000000000000000000000f3d50801520065006c006500610073006500000016000000 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3360380284-3605397551-3210292082-1000\{500844EE-A21F-476D-80D1-CC48BC3D0D43} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\NodeSlot = "5" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\NodeSlot = "7" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\MRUListEx = ffffffff C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3360380284-3605397551-3210292082-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rizzler.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 4968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 8 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 5912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2372 wrote to memory of 3704 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/qwqdanchun/DcRat

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x314,0x7ffa2400f208,0x7ffa2400f214,0x7ffa2400f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1708,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2008,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3484,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3488,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4856,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5128 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5088,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5456,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5980,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=6184,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6792,i,2534757336526655035,15417890461797522095,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x288,0x7ffa2400f208,0x7ffa2400f214,0x7ffa2400f220

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1856,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=3492,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2256,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=4088,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=4088,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4500,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\DcRat\" -spe -an -ai#7zMap30898:70:7zEvent20632

C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe

"C:\Users\Admin\Desktop\DcRat\Release\DcRat.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4568,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4556,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4544,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4552,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4392 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4588,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:8

C:\Users\Admin\Desktop\Client.exe

"C:\Users\Admin\Desktop\Client.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Rizzler" /tr '"C:\Users\Admin\AppData\Local\Temp\Rizzler.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1488.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Rizzler" /tr '"C:\Users\Admin\AppData\Local\Temp\Rizzler.exe"'

C:\Users\Admin\AppData\Local\Temp\Rizzler.exe

"C:\Users\Admin\AppData\Local\Temp\Rizzler.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4460,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4052,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=4492,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4436,i,8559855187742935403,11934267023693375648,262144 --variations-seed-version --mojo-platform-channel-handle=2816 /prefetch:8

Network


Files

SHA256 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512 ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 22cff315798fbfe84cd0b8f5db669792
SHA1 e19a965613d38c945b1bc7ccefb7a9f14971dd3d
SHA256 477c154c9e4274336d5c2cac277bfbf089d23725888fa60866558289047f6030
SHA512 fdb7b82d1fd66e5365b6f7b3733e212c127df8470c492788db591ebef5d91bd450d25cf44e072367f1794d5832ca203171dea8b56855135b3b1015b102586dff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 14d8805d9851a532aa6c11ee9c5e2790
SHA1 611ad999dc1284acbe51ea78d6ed262f745b1709
SHA256 041becf7d4481b3019bb82573bad17deff3c3ad2c09a81ec8c7d08fe8bbdb076
SHA512 0bc1a4bf20519f115f159cbcd50662703573b8831b88a708ca32ade364d5ed043442f6883964e28bf939ac10951c1f32b46551454895484a2babf2eb828cf3e7

C:\Users\Admin\Downloads\DcRat.7z.crdownload

MD5 836c2ae55c1baec789b83fa3d79d23b3
SHA1 359a091da48369e1e8cea6e004826ee25a93b3db
SHA256 68115c6e039363be3b80e416ed462d97f8c763af800237b1fa183cca1180bac5
SHA512 e12f7438545f6615f84e37b81837127aacc79b4aadd3b212702bb662b0f752778ed15d646e8d657b318dfde57d2f893c18831bfb686a0ae1b7d62137c63080be

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 85161c3c62da25cfe31019ee3303a436
SHA1 3a272b755d34672e6598343391f40908eaba7cd9
SHA256 f9352f5c6be53ed563cb3c4c0da085c23748ed7e231e8eb0d4881b58d1202a9d
SHA512 fae142acd47850e1fc6d193b44a77c35463fdff1edbf9da83aa6bf9bf0272147c337cd7399e99a213b4bb2adb3569ebd2635afcd7a64fe73f60415abc4071c4b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57b3ee.TMP

MD5 3f27c4a3ded6880b7f09f44c9d937e15
SHA1 539f90d66afa03c48f11439264a5e49c232505c3
SHA256 d40a225a77572dd5cd39ce45df81cd45d36125c2b1416306a594d4069f58494f
SHA512 ba763113eb0617981a4f1ddaabebc4ef972d741b31b08447f610c97271a18601a32c2f70a9cf6182522b1269531c3f328634bb5b8318358473cf7f492b836deb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f003a9a7329373c58e71b9bb7e976672
SHA1 77211f9973a2740da1aa3c43af81911d4b9593b9
SHA256 b63d56b3e9c74a14c8501a7c5a53f3e66599123672e8386bd58ead4f8f9d272f
SHA512 d0a641e71533dc759ee29e95e15d7f0d819bd48ccaf65f12f84fddafa862cce358d49b6a10402c77f367c976f419703340781c27fedb7e21df45a15a994e963e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ceb1c0fef5f41ee02d9be5e0619eaa81
SHA1 a0b29d73af79d4fe134d3f5c5a4746cb6282d9fb
SHA256 e385ff47538f59bdd66c6c28ebbeb3b1b2998a2a7d9ca34c788fd708bce9093f
SHA512 f07e14f803dbbc860dbd83c50575e61f6cca19f2823f0cf2010de55c94397d3a4e3e60327ce2a53ca9d10795e2520fe99163a49882ee364a4293f82f81f6668d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e5304992bc4c321303b88ac19f55816b
SHA1 55144bd9ce73d03aaef582b3976618db68544a3f
SHA256 6c59a64ea45629c48c75956fda26c3d2723c79cf7e3d4fd6ce94607e530cb95e
SHA512 7b47158241caa0da1492f656e41f857e8870ebb9649567319f141cb8a62320070a81f7ca3f392f6ec25a89562ef525da06f5ae9a55d11cded6bb545ceb5338a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 2526b36284e79ea84d89ad8961a86bde
SHA1 c192a940419f0c08f7e568b983973db097c392ff
SHA256 adb4d4b1dd0a878109b4d17197528079b1c57c48d90e02a8b4c341bf6d6d9543
SHA512 4f3ba3954224de551340378662c3c69ebe70d4d2319580573df3724441f37303e6b8c2a6e6bda683d6c53afa1b8f7aa0810531f7d96d0ef8c9079c953cb0c2c7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8718b2ec9b52bcf8fe1b375145923fea
SHA1 4908436971e4d396af490303f669c164e7dc23b0
SHA256 2dd6831b402e9272f904b68902fb06838afde28711a034af4e11142fd8ed7746
SHA512 19c5779ded0df7204c0b4b8221594080bc8570d41d810f8d7ab4e80b8423a17e9080f34abf087834075637a1571ffe0c72b634b0618fea0d56b2e7572b314a3c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations

MD5 961e3604f228b0d10541ebf921500c86
SHA1 6e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256 f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

MD5 059c52031ba2b1f2a012a2c2f380585e
SHA1 ece149a1499f27977a982febdc268c14e2e88fd0
SHA256 51877757aab37818ae2187661f4e112148f39ffa94a026068616a771c5b7c380
SHA512 fd16f5b5ffb57946d70beb7a77415d4db1c5287911f78b13c4eac1878f4d63df4def0e51ff9c5abdf62b57e0475c5cb636480ce76fcea4cf871fa3a1088c87ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

MD5 f5bfbc15e0c2d1aa44f5b438f3698e38
SHA1 9536ee68d7714d6bbbf68988db13e2809f6b2ef2
SHA256 22eca03436903b505bfa9fc3e2aa977e694a14bebb7b6d3663f24afea5db45b6
SHA512 9e5436324a01aeb98c948ed26ad31c5e68a056bf4f002d4b15bf46d24310201ae8685e1f110c34474c156ffd48fd5e88ce59dfd85ca04ef96902e82da8288da6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

MD5 bd2bf506d44d71a0917875e68c084080
SHA1 7aa47986879cf9848f979909a48b1e64d92df8f6
SHA256 01ac076f9552e3a7e5ffd49c2b3c6220bf9a93bd454d89cc3831f3b0039949de
SHA512 b40cdb6028b9841884cc3423de005c9562fb0df0897131b6f0f76275750772852e866684ae3453dcd3ca3e38136364d156af4780bc58d025a0c2a77e109b5912

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

MD5 c4ed9bbe1ea4394c1d4362f8c0d02a8b
SHA1 d5740d0a42686c8318beabab923e54ad084ca219
SHA256 23606047031a2c104f7a1b4553553efe1811767f56edd15fe42910172c5616c8
SHA512 f6119f89a9d724e120e62048e6e070e30bb1123d8c7839bd6a9cf6d7aa0be0080e2cdb752f0a0b43668f5fb510b5cc1ba4a8d74a6f99c296cefc9442b72e6a0e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

MD5 c1909fe68747a55514296ed0cd4b6371
SHA1 bda0990c4086f9c7d15608212b7f15cb88d988a4
SHA256 ae24d1401f8520f662429408bd3cb74cea8c0c1853a876acdff45a49380ae992
SHA512 6c411728adb7662d9547d4a9c6b94e5b205a9d0ff7166aac247e468cc9af6a8fc95fb5cd0ef6d041a7942850c01217f550448e761c87a3590041b19f95865b18

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

MD5 54e3387e40dded66e03b442665d18ca2
SHA1 6b810f5a683bb5d2743a9349e3ca09ef5588e74d
SHA256 2c40d1607a5a9764ed173a147ac5eb3512f362eb3342b421aa2e98ce50c9888d
SHA512 f01111ca7edfec819b6cafcaabf9b98d02bf3a5b679890dddccbd18d112503fe11be3b848d64d65563a09f9dbb7ee36d0ab6c3857b8767bd2d295afe14fa31cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

MD5 cffdae3a6e1fd3998d30568422541713
SHA1 fe69afc424ccc59d13799aa2f30e3379b63a76d5
SHA256 23cec31ec166fd1e875f55a397cfba2756f2d64bb2ec35003afc985766a682d2
SHA512 903c502264fdc989db486691a7303597ac7b75c7ee3844681329305183a39737fe9c407c4dfe108e5fd347d2d6ba94453847213a843fdab5f4967697cc2241a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

MD5 c522ef0ba342f01213da7d8fbf19dbd6
SHA1 d18a012db219c8608567916bad410b899c8e09e7
SHA256 6b4f6fa5a12d3fb4e3b7974ddad9ac4bfae73d926b948edd4e609c40126c2702
SHA512 d161cf2000100a16d73cb3f4b0571d9cfd574a0f07430ada3b3402b48f00f851cee87c1e37b123f96e334d931c4abedbfcc64e64528b08e53208823c0a115ddb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

MD5 50cd9b4287f7a69ef3365a143b3512ee
SHA1 7f964d3aabd8d47e70d7a6ee69f49cf26ee3a773
SHA256 f7df4c60592f54efa53ab18e9b51515acac1e655a88c18a54276c213543c5324
SHA512 e8e4f5a192f9cd28dcebe5ca0e5fb31d74c52978bf643d1b2e96564a789bc39c3830b08ac3d3bd3d76bd9ef36b4f7efb010d2c9cd65bf319689b47243fa8c122

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\default_cloud_config.json

MD5 256c40bace492c4e28451ce149d2f9ac
SHA1 b48b0eaf986b9efc91d5c8dd394dccb6d82e2adc
SHA256 f9e4da319fe1f5a7d497c452421f4648a24ec7588f309ebea0f0cd61a6251eef
SHA512 33b38d1ced015798722180fc8c8ce6daedb18cd5d0e4b3db27d6176c13cf3ccb1bd79f2e68ca390d6eb43ac508c29067e8f1a3ee9f0167cabe37ebbddf6b0ec0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

MD5 ff9030ea963edef2a514d9ca4edaba28
SHA1 8a5909b239a6cfa5b48a6e51d52895c1ec203f15
SHA256 8c5cefd28f63226a0544ad9a4f18d39e052bb6558402c2d6af5381a13c417e8a
SHA512 b2a0d2866fbce13d2e683a10afaf63aba4da5f489885c28cfefe09e59015736c33c7992da73da20c3cb53cd7f54b851be5ab9a954d90004de0009543044c14a9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebAssistDatabase

MD5 51dfc6170450d52f180ede8e985857d3
SHA1 0242adea1b1cf40fba19eee027e59b1fe6453f44
SHA256 ff6e3bc0d4a208275a5826d46801b36814397753eae3f0321c87275e665a6fd2
SHA512 a1593c92ee4cf0e4b8936bcd3907c47e0afeeb25d4827097e8e2bfb5b6ee0660fa3419c7733c9838cc99738331ae8faef3424412ce05459104cb4ea3b7f81d6e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma

MD5 cfab81b800edabacbf6cb61aa78d5258
SHA1 2730d4da1be7238d701dc84eb708a064b8d1cf27
SHA256 452a5479b9a2e03612576c30d30e6f51f51274cd30ef576ea1e71d20c657376f
SHA512 ec188b0ee4d3daabc26799b34ee471bee988bdd7ceb011ed7df3d4cf26f98932bbbb4b70dc2b7fd4df9a3981b3ce22f4b5be4a0db97514d526e521575efb2ec6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

MD5 0e404d10a87673d0b4dc2822422c3257
SHA1 ca0724449d8834e02fd3b715e6d673b5fc66acc7
SHA256 9f8f945742fd10cbb7fa25b2cdbf9acbc532eb3d0ddf8b2febbb57665920da71
SHA512 1998dbf2bc45dd86f44304aac9e9ff2b71ea2dffc942af8650ab074f3404573c29de2d1a132713724135ad78422891c94b6ab39d0971101c5dba7a8b436b64a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

MD5 ef25c8280d454555fe9f1ac668bde1ae
SHA1 72db10f060a9ab48bf465c2cad66a8e486e7e9af
SHA256 8ecc92dafde74b8db2ea80365fe5eb799fb71f4b1920cf869a6935a4189e152a
SHA512 3d6167e3b138b68b8f6c68604b6dbce632ed6ffc437529148ee570e96752ae1a769feb4099167a749d8ecc6fd3fa65e1750be863c3a7e746d6fd993260ec72cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

MD5 f1578dd9a1ef7ff87b0712ec80328c03
SHA1 dca654d2c14105af5fb67c61d8f6f88478a47de8
SHA256 07bee29d57ebfce1e519d3e9e52f0d834ade3de40e6bf61e9a1d9c66b541f748
SHA512 82ed0b4e746208752137b3f8c74baa71b96a0e9a342537c24c6b7c9c19bb859c3d5843b1af961ad44d0dec02d16883be4c0ec89bf308593a3420ecef3c590bc0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 255a34f58934e653da29a9574a5f010f
SHA1 70444eb8212f3a359a56ab65b772a13c54628683
SHA256 29a546156b59a43dc085369843c8c5f8625b88a8922c6d8c3f4a3de07d1fea44
SHA512 fcc2aa0dff25b78e49408941314759c3524cfa539b37b5064ad10107fdec5b89c3442f7f19fe5a6f50510e94845b76af92adc13baa7fef201bb8f144d86716fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

MD5 0c693a6897912041fe50dd868428d71a
SHA1 4a811421c47fa036575233fe3dd92e62ca9b948c
SHA256 820a844d93f23870bbd6c828452cb72c8c1ffa9f332ddfa3517498599933a105
SHA512 989c463320388834e7eeee8ec90687244d2e3fc0d4f1b063dcfcf5a4e42abc466fc0ecf8dac2bd07840757a71cc93dfa0cf922aff2443c8f90ba749862cf201b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

MD5 5a5f3cd25a3cc37422b5b1263433293c
SHA1 c585eeb905bfdb82e807e5b8e3e60c7955bd87d0
SHA256 0d9cac97810b2fce10dfad806ddbfe2ce26e7d0b1774e3b438a3ecf403af0428
SHA512 a6648c2f1e4a7d066e22ce20676d3ac59ae61aed4be8c82b930081c2523e120f9737621415ad313cf155fbc2e5092ec39b40e08a13548198b937f60304c6fbe9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000070

MD5 0ac62fbab3c332dc659c07cdc4ff5092
SHA1 be0fe7b9786de25de3218d8eb7402564a64edf72
SHA256 16f64784da286df41dbfc82234c471eada5a25d3066297a0e842ca2b98299c91
SHA512 ec8da8c0265f46ee753befa8cc39e39fda2994edacc8134fd4f151d9b239e1172a229f8a32f780eb9c4bf5f1550135f5a1b735c83aaf0c6229e346b6c84ade9a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006f

MD5 a2e53ee908dc616b23256e82e73343f2
SHA1 c40b4ad46f6433a900536b7abe1d6544d4ee8ec9
SHA256 dd1a1e2058a992fda5828a86ac635b5efdb488e2aa45daf66f180ed95ef0a857
SHA512 3ef3cb8b808e747928df27d5d931ae7a68ec09c05106880680089d4e356bb06acdf6d87cc1a3529c9a6d19e1eb991e563bd6392e8197f6716c1c44dc5b444d6d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006e

MD5 2c5d93f83e9c4810d3fd8257c06f3b56
SHA1 a33a8a4c75381a0e83e31ff46a2e57dccef1db3e
SHA256 82eebff2d35e1abd48d48b7ff1908e33059281734c7827b006093fed49e5fee9
SHA512 0a03771731876243893af94c7cdb64517647a72830a08ef79055005be8b652b47e0ca1066e3898cdab310f6be18e51901da1c5ec822440f6e69d6b2f5a2aefa0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006d

MD5 17c697496abaa786bb85b036bf480bf5
SHA1 4985b2ec44d4baacd34f33203d094c1a2640fbda
SHA256 38dd822204389527ddd196d536e10131689ca362c63ca959b6557837bc5d33af
SHA512 ba2c64053040e0979ed3933cb3153b56f16ea99423d332f3a649eb92e2cc5b850e5c3cd54706105220fe8d51bc0d0ba61743aaad914d2705e9d43cbe5eae3fe2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006c

MD5 60c6efabb021c8eec4ba448974887f11
SHA1 1df8405943257b9356bae8467615d45151931aa2
SHA256 709d97f82663324b2c441d42258d4aa6d8a0334f03c1935b0b43c9cad3ae4305
SHA512 714c8fcc3343ad259b3b9681c53063dbd99c0023bcbae51f0f607dcff8cde51cc926d6cfe93be8eb6e2e159ae0405bfc9236df984b47083449130a4c0d7f44de

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006b

MD5 a1dcd778b8c06c4299a307532ecd6a40
SHA1 722771bfa67e4bb8d614a33bdd1e49b55f79c47f
SHA256 a5f807ccdc864cbed778010004bcf2b3510776ff7963c91fb94daa85aceb8986
SHA512 7849c1641343912c3cd4f1f312fc9eeccd4a0030735973cb56b308b204250ee5209c726628ce17926bd84748f26df200993355440b90455c3cca7b71a3fcf740

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006a

MD5 7633f17faf3860581e63f3ecd2e80007
SHA1 cc4f08b6be64d862f5d3b2f8ce37633ead6f34d2
SHA256 8dc80090b24abdb7dc37d39fc0e4f808d97326e24bdd837cc56b2881baa7ef50
SHA512 59ebfc1a2ead14cb56ba6430ea9e7f159a7d212fa9ddd24df6133158aad7bec1b333e2bb1e3ce50fe293dccfc57185ca90a1726158d637914c6729ae7e831f3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000069

MD5 dd9f92d1a1ee662c1472c992ebbe36fd
SHA1 8b21e6a4915b02bbd247d8846c6a742c120ed880
SHA256 fb67845b981f637821eb9e809b9fa1c62d41b1bdb0f84247a5a1297dd6b4e154
SHA512 e5ea698d8345800a7edfbbf0ac800a6368dedfff9df79d4cf13f507f561312ed6ff68268038be7e7e2ed6d0009ce20ed7d7662eb304e49fe7b6cd741ec9091d6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000068

MD5 f813ad92abc739744e185e3990efc308
SHA1 6391306a6bfe3f30fae3611151c848277c33c31b
SHA256 28aea16c149f5ee078b34c03cbb8c0eee86663923fc384324cef00f451af764a
SHA512 3ac8cbb479063ce2ceb339684f86dc87d0a444face209e55de9c68c17c81642fbeec4b64ccea7f424e18b77add3c0caa4bf5d00e5d6f39728d4d61c74120244a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000067

MD5 06683093428834519c100588d3bbbcef
SHA1 d36355db08f9186fc9f502735a5dbb966d139e92
SHA256 a976b59f11b8e9bfa80d88e3b53e8d2073c3f039a0544066e73f4b58f4ba38a9
SHA512 06cca8f8cd9bcf4ed5c972358aa9bd683213f1d58f6a76a5bd3201592ea30803fe56b5fbc7047607111301a67ed1a332be9549578cf73dc04a7f7698c40e4181

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000066

MD5 83acad71f5f83f2cc7fad08fc45e3f62
SHA1 0b33d8bda44898fc9e692dedb3c684a14329b32f
SHA256 b78d32e935d4ec3a4803bd01651f7c03b07cfb8ac1ba88fddaa04ff22aa303da
SHA512 31d09c59e94ba33045028d0d1e3fb142399ea8ca90027fbd77a894293ed14e8099c581bdbe5c8a846aa7beb9834266b40f847fdbbf16a0a8286b9abd44670540

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000065

MD5 7defd708966faefe5c610f256994fb99
SHA1 12cbe5e32a480c679457f2738e75aee2618a946b
SHA256 f7a1e98ef42e92cadc8f6232f107ecc0c1507ad11b4e242c05db82ff0ff4c3f6
SHA512 25e62926be17e22d979cda3f5214bc4911bbf190bcc7e73f264cb9f97707139fc4779359c1712abddaf3c9adb30f21c006473eec2dd4f9f387281826e247ce40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000064

MD5 08bb3ecd4cc910d5500a9e389441a3da
SHA1 92117d3f779be41e091381b027ed880b59bb2d91
SHA256 408816fdce9f5329c6649efb56a142eb7074ef6e8fef5c70ea72a789f07aa132
SHA512 d159eb54f1fa15221302ba65d08494d12b6b2303fe6e80bda9b049be5d71d805a42147ec038c7341b5570e08a077a0a1f17402ae93f7743c9aa8b2164f40bf80

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000063

MD5 f1fe5f7765a314f313e9d00ea67b3817
SHA1 a18f5401e60be42fa31326dc7285bb8ccb413c7a
SHA256 cf6f68e9cafded119eb35ce6fad9f80a6b6c64cc0e4cb84e408892f92b3b394a
SHA512 f8f388a1f843748f094f9f97344f221f5afdb1aff8d0be715c1c8b61439c2310e2a9aff9d70ab966cf5d674ceba1bdaadd2ed88ae4da50d12a0b8c4b36b7c977

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3

MD5 04071ea5131d42b928818f5217400c9f
SHA1 44492c1ba6af6dd75f0ac845b671d801506268ef
SHA256 8e27b9579bd60098d5cd67a40f4c9fc886a5a8ec136a9c53d4f73a4653ad1154
SHA512 6f5bf06cb713642972ecefb5506f458fa5ea7392dfda9a132f40a2973ded8dbe33cabdf2cde18b2c30bcad914fc756f9466656a143e1b7373c86affb5d956950

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_2

MD5 d457e20774d95726a7570de335ae1b09
SHA1 4488e0e14631077221c2dbebd5f3084d06907e04
SHA256 819e964aa2c43d19bb1613fa203511e17032e231ddc0ed48a4519b21b628ce8e
SHA512 1269beb11f83d027caa475489914c9d552e22a7bf9ebd3d29429520cee220aebd11f27db1ffde5ebe96b0c8195f81b1a4b368b0332707cc5482107822023fcb7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1

MD5 e261cacc202ddec202f16910ce701155
SHA1 cff6f0242647494f7b285d1659e12c10684db850
SHA256 afa47fe803c6e8aa96703e7ea1333ef4b4575e0b0f44c41a9528fd71ea69233f
SHA512 aa0aebc673c975b08489483995f63f48d7ece04628907100eefba605401224e0bd03dd486b95cd852d13465d13410fe77041bfcdd59f4f0b8787b8dbe2c41441

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0

MD5 c5d1beade6cb07298f9288ae999d2cb5
SHA1 baff2b74bf6abe3595861b1a00a33b04a3102b91
SHA256 aee53a9ff60c2b9fb0256ce46b8ec03556818ed6ba529e6b8893fab2e8d626f0
SHA512 6881aa0728c45b9ffd465350668d846d96cf2fc705f61d3881ad4f527d9d020b5d7893204ff78e31c34183787f1385cc2fb08f05608e022f2588d0bdad9a295d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

MD5 3e45022839c8def44fd96e24f29a9f4b
SHA1 c798352b5a0860f8edfd5c1589cf6e5842c5c226
SHA256 01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd
SHA512 2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

memory/2108-805-0x0000027B9F0A0000-0x0000027B9FCEA000-memory.dmp

memory/2108-815-0x0000027BBAF20000-0x0000027BBAF2A000-memory.dmp

memory/2108-816-0x0000027BBD560000-0x0000027BBD572000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9b455db4af3a09ae703fd52dbd82d540
SHA1 757f38c28e129c118dd6ffbcc172d5b037cf8b6a
SHA256 f9b8b3d89151afee63bb93cb4996caeb63dcb9100b62ab0891d0848c892f6e17
SHA512 ed44d9573d51ecd3a218c9360637623249e867710df0f74f345c775bd3d2504ea4fa631d36a87fd880361d97db92c86327cc9cb1d9272114bf874641d691661c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 4046d1547058ffd88db3f9a91241533c
SHA1 af91a18842aa687ba3652a8d5308b1e8d823c3ee
SHA256 c11c25fd43e4ed7c9d7efcbab527d9da9b00a684a97de7f4cdd1e73dcb02d2dc
SHA512 e9da78273b4e5e1c6d3a0b1442265ed9f2b92425edcc0ec38b428d9f65663f733ed1bb0cfdb9690e7093d67f9f0b5e10d03b32e5928dd34212136737189cdb56

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4264_1133434118\LICENSE

MD5 ee002cb9e51bb8dfa89640a406a1090a
SHA1 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA256 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512 d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

C:\Users\Admin\Desktop\DcRat\Release\ServerCertificate.p12

MD5 e5d252a03d84e50b8ba03027c0e1038a
SHA1 7c6ab96792d9f9f70937e6e039cc7d6a7d3c8708
SHA256 458f32cb83bbf5949e5dcc5cf04b3e7433167a77b53ea146e6a1100c2fda3e90
SHA512 63c934fffc9a4a254a4595157fee092e3cc7be7d170d450df369eea5a84263f90be6a57b030c55c8b1d7e122d3f103124b6abd72071d075a73dd300211c312cf

C:\Users\Admin\AppData\Local\Server\DcRat.exe_Url_nzptexryieaskvtv2305jtgersripj4o\1.0.7.0\user.config

MD5 0c6e4f57ebaba0cc4acfc8bb65c589f8
SHA1 8c021c2371b87f2570d226b419c64c3102b8d434
SHA256 a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c
SHA512 c6b877ff887d029e29bf35f53006b8c84704f73b74c616bf97696d06c6ef237dff85269bdf8dfb432457b031dd52410e2b883fd86c3f54b09f0a072a689a08c0

C:\Users\Admin\AppData\Local\Server\DcRat.exe_Url_nzptexryieaskvtv2305jtgersripj4o\1.0.7.0\user.config

MD5 36979ae44f7fef37e74a41d7ecf37588
SHA1 2b836ffa7e561c94e5011bfbd870551d19fa1027
SHA256 c10c856973fe4599d8f98db1629d9d53230c094b275980d7a4f3e83c98f5f2cd
SHA512 b9bbb40b7b0bb449b394f47a6def4c9527ce3aac02157e2121c42bb7f8eca700115d187330c1fcfcf9ff04f2f5e6abaa4e58c56730f0560356e23e306a9fb2d1

memory/3076-955-0x0000000000580000-0x0000000000592000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Rizzler.exe

MD5 dfc1a646326a2b5f365f68e3e377e790
SHA1 8f1ee85e92ea499799e4f673220df313da8ad1b2
SHA256 1893cac4ca324830686eb78513b667bb230be10990ec9b7d8002526054295625
SHA512 3ae12d090318262200ba51797d4341533c4b80e867c7e3af7a57106ffd392c863f19cd51c4265e71201915497aa874b1351675e1facb55f9985657bf09962bc7

memory/4724-993-0x000000001BD00000-0x000000001BD76000-memory.dmp

memory/4724-994-0x0000000002620000-0x0000000002630000-memory.dmp

memory/4724-995-0x000000001BCA0000-0x000000001BCBE000-memory.dmp

memory/4724-1022-0x00000000025D0000-0x00000000025DE000-memory.dmp