Analysis Overview
SHA256
d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae
Threat Level: Known bad
The file BuildR.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
Process spawned unexpected child process
DCRat payload
Dcrat family
DCRat payload
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of WriteProcessMemory
NTFS ADS
Uses Task Scheduler COM API
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 17:45
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 17:45
Reported
2024-06-01 17:48
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Uninstall Information\conhost.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files\Uninstall Information\088424020bedd6 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\ja-JP\sppsvc.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ebf1f9fa8afd6d | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files\Windows Media Player\conhost.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files\Windows Media Player\088424020bedd6 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\it-IT\Comcommon.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\ja-JP\0a1fd5f707cd16 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\it-IT\1dd742f3bd626e | C:\portServercrt\Comcommon.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\explorer.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Windows\Logs\CBS\7a0fd90576e088 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Windows\de-DE\audiodg.exe | C:\portServercrt\Comcommon.exe | N/A |
| File opened for modification | C:\Windows\de-DE\audiodg.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Windows\de-DE\42af1c969fbb7b | C:\portServercrt\Comcommon.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\portServercrt\Comcommon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BuildR.exe
"C:\Users\Admin\AppData\Local\Temp\BuildR.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "
C:\portServercrt\Comcommon.exe
"C:\portServercrt\Comcommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\de-DE\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComcommonC" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Comcommon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Comcommon" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Comcommon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComcommonC" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\Comcommon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\CBS\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\CBS\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComcommonC" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\Comcommon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Comcommon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\Comcommon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComcommonC" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\Comcommon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\portServercrt\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\portServercrt\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\portServercrt\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\portServercrt\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\portServercrt\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\portServercrt\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\portServercrt\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\portServercrt\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\portServercrt\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\portServercrt\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\portServercrt\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\portServercrt\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Saved Games\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | naratnik888.whf.bz | udp |
| US | 198.45.114.194:80 | naratnik888.whf.bz | tcp |
Files
C:\portServercrt\DwNQE.vbe
| MD5 | 588844585deebaa15919f153bc9447f0 |
| SHA1 | 6e067e41f4abea125c891cf1672d9062d771d209 |
| SHA256 | 7070398fff90d278d0f5681fa9a7923eea74811856972eaf0adaa1d738a7fcd1 |
| SHA512 | dfe8093be45de5f5b9df7310b270e3e7fc26cebcb94e5146bfab85dcc954eeb8a5d8a35d9286015493df6e087b34400df92b117390816464e1698e8f9ad4635d |
C:\portServercrt\ZHAklq6LBoJU.bat
| MD5 | db82c18bb79cfc990b4cde2874b61c10 |
| SHA1 | 183605f521813b881e1a5847e569b831232c0fd1 |
| SHA256 | 943267a241c1e345f7e010e95299b1af5b5cade19faddbbf46784282dbc50f13 |
| SHA512 | 7cef1f08019c7bd5ed13acb8d960352acc014e88b3d2ac0708478889d117bf826346ce080e4a68bfebe10d6ffee634cd1672903ab187c60a3643f3871e72c471 |
C:\portServercrt\Comcommon.exe
| MD5 | 1c3c6b206b20d18d049ed7586e330929 |
| SHA1 | aa9e8e3adb308b5a1a7d1c0495febd3ab72aacc2 |
| SHA256 | b670fb654e4d987a06482ce19145d0a487245da4e67b90175d81233e3529424e |
| SHA512 | a81ccdfb60c92d8bd4e718fff38bae956eed71009b829d007db3975c60c361a198d94349256d558221cc90dad8215e58aa7197ae1d5c449a0c6417d027cabc53 |
memory/2796-13-0x00000000002E0000-0x00000000003E0000-memory.dmp
memory/2796-14-0x0000000000140000-0x000000000014E000-memory.dmp
memory/2796-15-0x0000000000150000-0x000000000015C000-memory.dmp
memory/2796-16-0x0000000000160000-0x000000000016C000-memory.dmp
memory/2504-59-0x0000000000A60000-0x0000000000B60000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 17:45
Reported
2024-06-01 17:48
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\portServercrt\Comcommon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BuildR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\portServercrt\Comcommon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\Windows\Prefetch\ReadyBoot\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
| N/A | N/A | C:\Users\Default\Desktop\sppsvc.exe | N/A |
| N/A | N/A | C:\portServercrt\Comcommon.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\817c8c8ec737a7 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files\Windows Defender\ja-JP\Idle.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files\Windows Defender\ja-JP\6ccacd8608530f | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\22eafd247d37c3 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\it-IT\WmiPrvSE.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\5b884080fd4f94 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Oracle\5b884080fd4f94 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\e1ef82546f0b02 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\fontdrvhost.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\5b884080fd4f94 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\e1ef82546f0b02 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\it-IT\61a52ddc9dd915 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Oracle\fontdrvhost.exe | C:\portServercrt\Comcommon.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SppExtComObj.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Configuration\Registration\smss.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Configuration\Registration\69ddcba757bf72 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\wscript.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\it-IT\msedge.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\it-IT\24dbde2999530e | C:\portServercrt\Comcommon.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Panther\UnattendGC\5b884080fd4f94 | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Windows\Prefetch\ReadyBoot\services.exe | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Windows\Prefetch\ReadyBoot\c5b4cb5e9653cc | C:\portServercrt\Comcommon.exe | N/A |
| File created | C:\Windows\Panther\UnattendGC\fontdrvhost.exe | C:\portServercrt\Comcommon.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\portServercrt\Comcommon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\BuildR.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\Admin\Downloads\BuildR (1).exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 38053.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 307997.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\portServercrt\Comcommon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Prefetch\ReadyBoot\services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\portServercrt\Comcommon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\portServercrt\Comcommon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\portServercrt\Comcommon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\portServercrt\Comcommon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\portServercrt\Comcommon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\portServercrt\Comcommon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Default\Desktop\sppsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\portServercrt\Comcommon.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BuildR.exe
"C:\Users\Admin\AppData\Local\Temp\BuildR.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "
C:\portServercrt\Comcommon.exe
"C:\portServercrt\Comcommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\portServercrt\WaaSMedicAgent.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\portServercrt\WaaSMedicAgent.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\portServercrt\WaaSMedicAgent.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\portServercrt\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\portServercrt\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\portServercrt\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Oracle\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Oracle\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\Prefetch\ReadyBoot\services.exe
"C:\Windows\Prefetch\ReadyBoot\services.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d5f846f8,0x7ff9d5f84708,0x7ff9d5f84718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5696 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5084 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6020 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1984,8749181121166722709,179500450073748241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 /prefetch:8
C:\Users\Admin\Downloads\BuildR (1).exe
"C:\Users\Admin\Downloads\BuildR (1).exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"
C:\Users\Admin\Downloads\BuildR (1).exe
"C:\Users\Admin\Downloads\BuildR (1).exe"
C:\Users\Admin\Downloads\BuildR (1).exe
"C:\Users\Admin\Downloads\BuildR (1).exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"
C:\Users\Admin\Downloads\BuildR (1).exe
"C:\Users\Admin\Downloads\BuildR (1).exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"
C:\Users\Admin\Downloads\BuildR (1).exe
"C:\Users\Admin\Downloads\BuildR (1).exe"
C:\Users\Admin\Downloads\BuildR (1).exe
"C:\Users\Admin\Downloads\BuildR (1).exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\BuildR (1).exe
"C:\Users\Admin\Downloads\BuildR (1).exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "
C:\portServercrt\Comcommon.exe
"C:\portServercrt\Comcommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\portServercrt\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\portServercrt\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\portServercrt\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Desktop\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\msedge.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Panther\UnattendGC\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\UnattendGC\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\Idle.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\ja-JP\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\portServercrt\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\portServercrt\dllhost.exe'" /rl HIGHEST /f
C:\portServercrt\Comcommon.exe
"C:\portServercrt\Comcommon.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\portServercrt\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\Logs\User\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\User\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\USOShared\Logs\User\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\portServercrt\msedge.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\portServercrt\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\portServercrt\msedge.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\WmiPrvSE.exe'" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
C:\portServercrt\Comcommon.exe
"C:\portServercrt\Comcommon.exe"
C:\portServercrt\Comcommon.exe
"C:\portServercrt\Comcommon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gEhn7uF1RV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "
C:\portServercrt\Comcommon.exe
"C:\portServercrt\Comcommon.exe"
C:\portServercrt\Comcommon.exe
"C:\portServercrt\Comcommon.exe"
C:\Users\Default\Desktop\sppsvc.exe
"C:\Users\Default\Desktop\sppsvc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "
C:\portServercrt\Comcommon.exe
"C:\portServercrt\Comcommon.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 74.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | naratnik888.whf.bz | udp |
| US | 198.45.114.194:80 | naratnik888.whf.bz | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.114.45.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | oxy.st | udp |
| RU | 185.178.208.137:80 | oxy.st | tcp |
| RU | 185.178.208.137:80 | oxy.st | tcp |
| RU | 185.178.208.137:443 | oxy.st | tcp |
| US | 8.8.8.8:53 | contextual.media.net | udp |
| BE | 2.21.16.25:443 | contextual.media.net | tcp |
| US | 8.8.8.8:53 | 137.208.178.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.16.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ads.themoneytizer.com | udp |
| US | 8.8.8.8:53 | cdn.adlook.me | udp |
| US | 8.8.8.8:53 | smatr.net | udp |
| NL | 88.208.46.222:443 | smatr.net | tcp |
| US | 8.8.8.8:53 | lg3.media.net | udp |
| US | 104.22.63.227:443 | ads.themoneytizer.com | tcp |
| US | 104.22.63.227:443 | ads.themoneytizer.com | tcp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| RU | 178.154.131.217:443 | yastatic.net | tcp |
| RU | 178.154.131.217:443 | yastatic.net | tcp |
| RU | 193.17.93.93:443 | cdn.adlook.me | tcp |
| SE | 104.73.92.22:443 | lg3.media.net | tcp |
| RU | 193.17.93.93:443 | cdn.adlook.me | tcp |
| US | 8.8.8.8:53 | onetag-sys.com | udp |
| DE | 51.89.9.253:443 | onetag-sys.com | tcp |
| US | 8.8.8.8:53 | ced.sascdn.com | udp |
| BE | 88.221.83.129:443 | ced.sascdn.com | tcp |
| US | 8.8.8.8:53 | gum.criteo.com | udp |
| US | 8.8.8.8:53 | tag.leadplace.fr | udp |
| US | 8.8.8.8:53 | secure.quantserve.com | udp |
| US | 8.8.8.8:53 | p.cpx.to | udp |
| US | 8.8.8.8:53 | boot.pbstck.com | udp |
| US | 8.8.8.8:53 | counter.yadro.ru | udp |
| FR | 145.239.193.51:443 | tag.leadplace.fr | tcp |
| US | 8.8.8.8:53 | ogffa.net | udp |
| NL | 178.250.1.11:443 | gum.criteo.com | tcp |
| US | 8.8.8.8:53 | adtrack.adleadevent.com | udp |
| DE | 91.228.74.166:443 | secure.quantserve.com | tcp |
| US | 8.8.8.8:53 | system-notify.app | udp |
| IE | 54.77.250.4:443 | adtrack.adleadevent.com | tcp |
| RU | 88.212.201.198:443 | counter.yadro.ru | tcp |
| US | 104.22.0.93:443 | boot.pbstck.com | tcp |
| DE | 178.63.248.57:443 | system-notify.app | tcp |
| NL | 88.208.46.222:443 | ogffa.net | tcp |
| IE | 63.32.182.32:443 | p.cpx.to | tcp |
| US | 8.8.8.8:53 | ads.adlook.me | udp |
| US | 8.8.8.8:53 | cdn.id5-sync.com | udp |
| US | 8.8.8.8:53 | 222.46.208.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.63.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.131.154.178.in-addr.arpa | udp |
| US | 104.22.52.86:443 | cdn.id5-sync.com | tcp |
| RU | 78.140.242.103:443 | ads.adlook.me | tcp |
| US | 8.8.8.8:53 | 22.92.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.93.17.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.9.89.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.193.239.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.1.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.74.228.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.63.101.152:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | rules.quantcount.com | udp |
| GB | 18.245.187.38:443 | rules.quantcount.com | tcp |
| US | 8.8.8.8:53 | csm.nl3.eu.criteo.net | udp |
| US | 8.8.8.8:53 | cdn.pbstck.com | udp |
| NL | 178.250.1.25:443 | csm.nl3.eu.criteo.net | tcp |
| US | 8.8.8.8:53 | pixel.quantserve.com | udp |
| US | 104.22.0.93:443 | cdn.pbstck.com | tcp |
| US | 104.22.0.93:443 | cdn.pbstck.com | tcp |
| US | 8.8.8.8:53 | uidsync.net | udp |
| DE | 157.90.33.121:443 | uidsync.net | tcp |
| DE | 157.90.33.121:443 | uidsync.net | tcp |
| US | 8.8.8.8:53 | intake.pbstck.com | udp |
| US | 8.8.8.8:53 | match.adsrvr.org | udp |
| US | 8.8.8.8:53 | ib.adnxs.com | udp |
| US | 52.223.40.198:443 | match.adsrvr.org | tcp |
| NL | 185.89.210.82:443 | ib.adnxs.com | tcp |
| US | 8.8.8.8:53 | s.cpx.to | udp |
| IE | 54.76.45.34:443 | s.cpx.to | tcp |
| US | 8.8.8.8:53 | 4.250.77.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.0.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.182.32.63.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.248.63.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.201.212.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.52.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.39.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.242.140.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.101.63.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.187.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.1.250.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.33.90.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.40.223.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.210.89.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.45.76.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dnacdn.net | udp |
| US | 8.8.8.8:53 | ag.gbc.criteo.com | udp |
| US | 8.8.8.8:53 | gem.gbc.criteo.com | udp |
| NL | 185.235.87.180:443 | ag.gbc.criteo.com | tcp |
| NL | 178.250.1.11:443 | dnacdn.net | tcp |
| FR | 185.235.86.191:443 | gem.gbc.criteo.com | tcp |
| US | 8.8.8.8:53 | lb.eu-1-id5-sync.com | udp |
| US | 8.8.8.8:53 | id5-sync.com | udp |
| DE | 162.19.138.120:443 | id5-sync.com | tcp |
| DE | 141.95.33.120:443 | id5-sync.com | tcp |
| US | 8.8.8.8:53 | 180.87.235.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.86.235.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.138.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.33.95.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tmzr.themoneytizer.fr | udp |
| US | 172.67.174.127:443 | tmzr.themoneytizer.fr | tcp |
| DE | 141.95.33.120:443 | id5-sync.com | tcp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| US | 8.8.8.8:53 | lexicon.33across.com | udp |
| US | 8.8.8.8:53 | id.crwdcntrl.net | udp |
| US | 35.244.193.51:443 | lexicon.33across.com | tcp |
| FR | 149.202.238.96:443 | ww1097.smartadserver.com | tcp |
| IE | 52.49.45.15:443 | id.crwdcntrl.net | tcp |
| DE | 162.19.138.120:443 | id5-sync.com | tcp |
| US | 8.8.8.8:53 | 127.174.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.238.202.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.193.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.45.49.52.in-addr.arpa | udp |
| NL | 88.208.46.222:443 | ogffa.net | tcp |
| US | 8.8.8.8:53 | download.oxy.st | udp |
| RU | 185.178.208.137:443 | download.oxy.st | tcp |
| RU | 185.178.208.137:443 | download.oxy.st | tcp |
| NL | 178.250.1.25:443 | csm.nl3.eu.criteo.net | tcp |
| DE | 51.89.9.253:443 | onetag-sys.com | udp |
| DE | 178.63.248.57:443 | uidsync.net | tcp |
| NL | 185.89.210.82:443 | ib.adnxs.com | tcp |
| DE | 157.90.33.121:443 | uidsync.net | tcp |
| DE | 157.90.33.121:443 | uidsync.net | tcp |
| NL | 178.250.1.11:443 | dnacdn.net | tcp |
| NL | 185.235.87.180:443 | ag.gbc.criteo.com | tcp |
| FR | 185.235.86.191:443 | gem.gbc.criteo.com | tcp |
| US | 8.8.8.8:53 | s1.oxy.st | udp |
| US | 104.21.234.183:443 | s1.oxy.st | tcp |
| US | 8.8.8.8:53 | 183.234.21.104.in-addr.arpa | udp |
| DE | 141.95.33.120:443 | id5-sync.com | tcp |
| FR | 149.202.238.96:443 | ww1097.smartadserver.com | tcp |
| US | 35.244.193.51:443 | lexicon.33across.com | udp |
| DE | 162.19.138.120:443 | id5-sync.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| FR | 149.202.238.96:443 | ww1097.smartadserver.com | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | ww1097.smartadserver.com | udp |
| US | 8.8.8.8:53 | metrics.biddertmz.com | udp |
| FR | 149.202.238.97:443 | ww1097.smartadserver.com | tcp |
| IE | 34.248.22.168:443 | metrics.biddertmz.com | tcp |
| US | 8.8.8.8:53 | 168.22.248.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.238.202.149.in-addr.arpa | udp |
| FR | 149.202.238.97:443 | ww1097.smartadserver.com | tcp |
Files
C:\portServercrt\DwNQE.vbe
| MD5 | 588844585deebaa15919f153bc9447f0 |
| SHA1 | 6e067e41f4abea125c891cf1672d9062d771d209 |
| SHA256 | 7070398fff90d278d0f5681fa9a7923eea74811856972eaf0adaa1d738a7fcd1 |
| SHA512 | dfe8093be45de5f5b9df7310b270e3e7fc26cebcb94e5146bfab85dcc954eeb8a5d8a35d9286015493df6e087b34400df92b117390816464e1698e8f9ad4635d |
C:\portServercrt\ZHAklq6LBoJU.bat
| MD5 | db82c18bb79cfc990b4cde2874b61c10 |
| SHA1 | 183605f521813b881e1a5847e569b831232c0fd1 |
| SHA256 | 943267a241c1e345f7e010e95299b1af5b5cade19faddbbf46784282dbc50f13 |
| SHA512 | 7cef1f08019c7bd5ed13acb8d960352acc014e88b3d2ac0708478889d117bf826346ce080e4a68bfebe10d6ffee634cd1672903ab187c60a3643f3871e72c471 |
C:\portServercrt\Comcommon.exe
| MD5 | 1c3c6b206b20d18d049ed7586e330929 |
| SHA1 | aa9e8e3adb308b5a1a7d1c0495febd3ab72aacc2 |
| SHA256 | b670fb654e4d987a06482ce19145d0a487245da4e67b90175d81233e3529424e |
| SHA512 | a81ccdfb60c92d8bd4e718fff38bae956eed71009b829d007db3975c60c361a198d94349256d558221cc90dad8215e58aa7197ae1d5c449a0c6417d027cabc53 |
memory/2288-12-0x00007FF9D5543000-0x00007FF9D5545000-memory.dmp
memory/2288-13-0x0000000000430000-0x0000000000530000-memory.dmp
memory/2288-14-0x0000000000D40000-0x0000000000D4E000-memory.dmp
memory/2288-15-0x0000000000D60000-0x0000000000D6C000-memory.dmp
memory/2288-16-0x000000001B040000-0x000000001B04C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | eaa3db555ab5bc0cb364826204aad3f0 |
| SHA1 | a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca |
| SHA256 | ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b |
| SHA512 | e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4 |
\??\pipe\LOCAL\crashpad_876_DDCSGLCDREMWXJBY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4b4f91fa1b362ba5341ecb2836438dea |
| SHA1 | 9561f5aabed742404d455da735259a2c6781fa07 |
| SHA256 | d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c |
| SHA512 | fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2d95d75e-071c-4673-a731-60142d8622fc.tmp
| MD5 | 09943d56200a98daaef1b07833b1c0e0 |
| SHA1 | 4f93e7c8e80be99958e9ed67fbd0f9ec5d338543 |
| SHA256 | 8e4202cfe1367a16571a7501ecf0a9f481131e82717b0e7b1c78a31f00af4da3 |
| SHA512 | 656911ddb3c74f04406308ea1db358b4830436bec3a0fc9844ccdd1f875a3d18b9884f0a92b9db275ce5b21045c65613f42b0bbc56145d24ad06f939f6513d73 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 302c6b3d9ffd0d9ed7f9bbaa78a2fbbf |
| SHA1 | 303e2e41087340e4590f80bdad7bd82353a76efe |
| SHA256 | 90e9fc1471c48cd810f391e17ecfaaf91b32e971d8a83833e91ae1da28b3d063 |
| SHA512 | 954dcb10dcceef52ac9567795ca8a7999d6ae2f6a6ce49c76940e410c5f69734597d88453594ee139edbda47b424d95d711a771120af297b1ed1f1efc691960d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7b1a6b2211358db4a61fd54d216932e9 |
| SHA1 | f833ecc6509c9b0e089ba17c69d813736635de79 |
| SHA256 | c9e673e81ccfbee707120a88747b16ea3aa92f108fce09de26400d0c69f0831b |
| SHA512 | c10aaae70539bc4b76d5454d66d67c4a179604b6d1939636be205e40c2472b086572c7bee7d85acc861e868372613070529081d102190f4a3a34f099b2e70205 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
| MD5 | c544c4b4130ebae789277720aa9be3fc |
| SHA1 | 933680e316e9b50d649d616a1e81d8286675cfc2 |
| SHA256 | c21431368abe29ffc26883f74e0be40f53048aa34cb496a736ad2ec59be7d5ed |
| SHA512 | e6b8b2ef5e7510bdd78770fc38cd32e0c23cb1a5fe0c9cfcc0ea3a49fedfd4fd367513915241568615044248ae41bf4542209eb3fa938859f025837c7a14d0ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
| MD5 | 55540a230bdab55187a841cfe1aa1545 |
| SHA1 | 363e4734f757bdeb89868efe94907774a327695e |
| SHA256 | d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb |
| SHA512 | c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD
| MD5 | 285ec909c4ab0d2d57f5086b225799aa |
| SHA1 | d89e3bd43d5d909b47a18977aa9d5ce36cee184c |
| SHA256 | 68b9c761219a5b1f0131784474665db61bbdb109e00f05ca9f74244ee5f5f52b |
| SHA512 | 4cf305b95f94c7a9504c53c7f2dc8068e647a326d95976b7f4d80433b2284506fc5e3bb9a80a4e9a9889540bbf92908dd39ee4eb25f2566fe9ab37b4dc9a7c09 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD
| MD5 | cbca9b3093f89765d27edb3df02f9c9b |
| SHA1 | a8eadf1b789c3babcbc230710d3646313a2aff48 |
| SHA256 | 3f3b8963b8c60c9ad1bae4c32a04905925b921afd124bc38f0069ff89ef3b17d |
| SHA512 | 2cc59a7626e48e9e40877e89f2eed492acc0b7209d5b9740cebc7503131f065501eae8c45a3d268f7f1d717b77427c724ee32ca7ab851d3ce0c3babfd1cd8bf0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6e7c4365cd1c370c9c82be44af0e2b81 |
| SHA1 | a99b6882b425ef510a80b37e30fdbf2a7723df11 |
| SHA256 | 1b332c0507c7071722351f392c3ca5d53d80bfb27f437111946171207c73e3bf |
| SHA512 | 3c2cb16f1014a69212a7faaa9511ea907325ff7d76a2df5b34f2b655f208cde279df05e453327da17f0a6f82eac013cbc161bd8539ae4262698afea96d2b9df1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\MANIFEST-000001
| MD5 | 3fd11ff447c1ee23538dc4d9724427a3 |
| SHA1 | 1335e6f71cc4e3cf7025233523b4760f8893e9c9 |
| SHA256 | 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed |
| SHA512 | 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 83b36ef2c8fc130e8825804b27add56a |
| SHA1 | ef2ce60033ff50d2fbeb24445ab8e9f3c87f1931 |
| SHA256 | 538df3b6a1e96bf71c89c3849d28db098181a3455c9911e97ecde80d2182da89 |
| SHA512 | 5efa267ba6c5902b72e2e546dffdee052aa1a799d6a17a7ea92e199d5aeaac6bc4e342dae92149bf592dfce1d44ed0886977122e3576333c6982f9ad522b0e31 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 2651ebc28f8c1afb12240fb14184de66 |
| SHA1 | c8b91f2aa470105cb0a02b9a86ca2ffd66ec9b33 |
| SHA256 | 2d224be882fceff71325cba1e83db6f8e987c8793728df9b82ab12038d7beab1 |
| SHA512 | 8e2891793598490cd229790db4c61918ef70e2e51b147eb68970aa8c546c5e7cf812abd273b4dec4f2748cb4fc17990f86c621a2319ad73358421448ad7558e7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584040.TMP
| MD5 | e5264114dca456d99940551493f038fa |
| SHA1 | 22fa979b563ddb85e5ec537189561a1c8b5757ce |
| SHA256 | 6e11d988f73c806a94921f4eec4003bedf34b2546c527d1eb79f162e0501ef12 |
| SHA512 | 76a330b0599140bdac3c08b6a7d79e73f8bc3406fb8c9ac82016f52a780d62e01a362e72c75e7ba9eaa4e73b6639fa509eff9d1ac9a3356d378f8492cca0c1c9 |
C:\Users\Admin\Downloads\Unconfirmed 38053.crdownload
| MD5 | 6386c6bc5c2e9e6ea345b370f67868b6 |
| SHA1 | 534e13f301e9816d6df34ac36d31bfc1b03c1a39 |
| SHA256 | d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae |
| SHA512 | 85004597a30f91b42b857e66d2a186c0b359a884981f3ace452e270f618776233d2ed489e66b06aa8e6c0f25dedc76c827480c2bcb608bf6b17408c7d62712dd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f5709188-83de-43f9-97fa-58c1b6d1f9da.tmp
| MD5 | 467b9d252c6fbe7d2389ea198d7b3325 |
| SHA1 | 20b0328ff196bb329edcd461b0219fe7be5c76c9 |
| SHA256 | ea71b0e44d0c608af69eb90f3f88a98428e47f61059296947b212ed72429c519 |
| SHA512 | ba7d903d98eda1d56db6a00c1cfe547d94102eeee8ca8b733961daec0dfc5dd9eef475ef37d976ae16d73dac40fac329522a5315d2c2f5071b39188286b269f5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | b41eadd991729ccffdd08c12402e921e |
| SHA1 | a8ab2b906222e9f4dcb69a5f009e99e0bfbd23af |
| SHA256 | 3d9955186faa8e4f873b9bd709872a44f07c8f4bce78d40abce7b5d760c041a5 |
| SHA512 | 27e103030a3b26654749769b6df171c7d8a75ee8bd8eaadc3758e1a62a976aa20ce9e2cd2797583bd497aba7c71e4b6028fb1da7b3aa8b174f2c10033be30692 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | e0f829f55cbc05e40d6ffe82fba89772 |
| SHA1 | acea68d60b6f1d3d3e5337ff904cd784e0193df0 |
| SHA256 | 5837941af97daa020e9d4a2a144f884ff936ea2870ffdcb2a6c3d77b96e697e1 |
| SHA512 | 180221cc3b4dfed41eedc871735e658e2f4e00b861fe2c11bbfd0f664d454be1eea8883d05382f77dc16f3693a5b2fed26599b16753395caf54e3d591b2190d4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0974078df73a8c3766a0f198ddf8ad3d |
| SHA1 | 10412665ff5207a7ac682cb34d26c3503d6f9609 |
| SHA256 | 2f51c6d3cfe4c842e894c024ed1d33fc3f710539e1bf4763381f31ad4a81da0c |
| SHA512 | 5358a2e1e0d7bf2f87c0c7e2f0434f88ea2f8b3044660e7247b292ab56a5bb37584ec24a5c9124f23e2c1ee7432ea04085ece00aef260628eeba44287feb9515 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Comcommon.exe.log
| MD5 | 7f3c0ae41f0d9ae10a8985a2c327b8fb |
| SHA1 | d58622bf6b5071beacf3b35bb505bde2000983e3 |
| SHA256 | 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900 |
| SHA512 | 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125 |
C:\Users\Admin\AppData\Local\Temp\gEhn7uF1RV.bat
| MD5 | a23a4ae9a8231467587d4e8af6496cec |
| SHA1 | c895007d09cfe841741050b7a49888f998983a6e |
| SHA256 | a580eeccd954dbb0bd4b1f78a7caeb642ccc7a8620862264875e80f48351c0ab |
| SHA512 | 9d988fd5080f7d49a4eff1d89efdfe0e1ec584bd81836356943f8edc96ae78e49be68da13dcadbd4fff4f4039f4c6a7e6cc157346f6dcaf8326e245c434da758 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | f8536ec3cbf5051f0e46f0b14d1e54d6 |
| SHA1 | 1a83f342a62870cfa03c38c41f1371263f39c5f5 |
| SHA256 | ae80e4ade0015fde36e44f508689f43058e899c9658ded74af6e2d4c9c03ac82 |
| SHA512 | d820a4aeb249575f07baa75216e8fe8e700a4148564a701b28fc57c73844e1d3fd1aa821e7b0dd98463fa9bea5de54111f6168e8ff18595bc594bde88442255f |