Analysis
-
max time kernel
123s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 15:38
Behavioral task
behavioral1
Sample
nursultan nexgen fix.exe
Resource
win7-20240221-en
General
-
Target
nursultan nexgen fix.exe
-
Size
1.5MB
-
MD5
a3d07c747770c9a471a44446e46e33d5
-
SHA1
8340534fb1770bae9660287ddb0496e243efcfe4
-
SHA256
16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
-
SHA512
307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
-
SSDEEP
24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2188 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2428 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2464 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2900 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1232 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1568 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1272 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2504 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2740 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2160 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2352 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1952 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1840 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1228 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1676 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2200 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1428 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 828 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2072 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2060 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2380 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2416 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2024 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2236 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 384 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 484 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1476 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1468 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 608 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1124 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1768 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1736 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1792 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1912 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1764 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 944 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1860 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2376 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 896 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 832 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1236 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2832 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 560 2460 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3004 2460 schtasks.exe -
Processes:
resource yara_rule \portagentbrowserweb\Containerruntime.exe dcrat behavioral1/memory/2244-13-0x0000000000D90000-0x0000000000EC2000-memory.dmp dcrat behavioral1/memory/1788-55-0x00000000012F0000-0x0000000001422000-memory.dmp dcrat -
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
Processes:
Containerruntime.exeaudiodg.exepid process 2244 Containerruntime.exe 1788 audiodg.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2656 cmd.exe 2656 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 13 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Program Files\Windows NT\Accessories\ja-JP\27d1bcfc3c54e0 Containerruntime.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe Containerruntime.exe File created C:\Program Files\Windows NT\Accessories\ja-JP\System.exe Containerruntime.exe File opened for modification C:\Program Files\Windows NT\Accessories\ja-JP\System.exe Containerruntime.exe File created C:\Program Files\Microsoft Games\FreeCell\fr-FR\taskhost.exe Containerruntime.exe File created C:\Program Files (x86)\Windows Media Player\ja-JP\audiodg.exe Containerruntime.exe File created C:\Program Files (x86)\Windows Media Player\ja-JP\42af1c969fbb7b Containerruntime.exe File created C:\Program Files (x86)\Uninstall Information\csrss.exe Containerruntime.exe File created C:\Program Files (x86)\Uninstall Information\886983d96e3d3e Containerruntime.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\6ccacd8608530f Containerruntime.exe File created C:\Program Files\Microsoft Games\FreeCell\fr-FR\b75386f1303e64 Containerruntime.exe File created C:\Program Files\DVD Maker\fr-FR\Containerruntime.exe Containerruntime.exe File created C:\Program Files\DVD Maker\fr-FR\67c2f4240f387c Containerruntime.exe -
Drops file in Windows directory 4 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Windows\Speech\lsass.exe Containerruntime.exe File created C:\Windows\Speech\6203df4a6bafc7 Containerruntime.exe File created C:\Windows\PLA\System\Idle.exe Containerruntime.exe File created C:\Windows\PLA\System\6ccacd8608530f Containerruntime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2352 schtasks.exe 2072 schtasks.exe 1912 schtasks.exe 2376 schtasks.exe 1236 schtasks.exe 1792 schtasks.exe 944 schtasks.exe 1860 schtasks.exe 1232 schtasks.exe 2160 schtasks.exe 1228 schtasks.exe 2200 schtasks.exe 828 schtasks.exe 896 schtasks.exe 3004 schtasks.exe 2900 schtasks.exe 2504 schtasks.exe 1952 schtasks.exe 1428 schtasks.exe 2236 schtasks.exe 2428 schtasks.exe 832 schtasks.exe 560 schtasks.exe 2864 schtasks.exe 1272 schtasks.exe 1656 schtasks.exe 1736 schtasks.exe 1468 schtasks.exe 1124 schtasks.exe 1768 schtasks.exe 1568 schtasks.exe 1956 schtasks.exe 2060 schtasks.exe 2416 schtasks.exe 1476 schtasks.exe 1764 schtasks.exe 2832 schtasks.exe 2188 schtasks.exe 2740 schtasks.exe 1840 schtasks.exe 384 schtasks.exe 608 schtasks.exe 484 schtasks.exe 2464 schtasks.exe 2356 schtasks.exe 1676 schtasks.exe 2380 schtasks.exe 2024 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
Containerruntime.exeaudiodg.exechrome.exepid process 2244 Containerruntime.exe 1788 audiodg.exe 1788 audiodg.exe 1788 audiodg.exe 1788 audiodg.exe 1788 audiodg.exe 1788 audiodg.exe 1788 audiodg.exe 1788 audiodg.exe 1788 audiodg.exe 1788 audiodg.exe 1788 audiodg.exe 1788 audiodg.exe 1788 audiodg.exe 2508 chrome.exe 2508 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Containerruntime.exeaudiodg.exechrome.exedescription pid process Token: SeDebugPrivilege 2244 Containerruntime.exe Token: SeDebugPrivilege 1788 audiodg.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe Token: SeShutdownPrivilege 2508 chrome.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
Processes:
chrome.exepid process 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe -
Suspicious use of SendNotifyMessage 32 IoCs
Processes:
chrome.exepid process 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe 2508 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
nursultan nexgen fix.exeWScript.execmd.exeContainerruntime.exechrome.exedescription pid process target process PID 1908 wrote to memory of 2924 1908 nursultan nexgen fix.exe WScript.exe PID 1908 wrote to memory of 2924 1908 nursultan nexgen fix.exe WScript.exe PID 1908 wrote to memory of 2924 1908 nursultan nexgen fix.exe WScript.exe PID 1908 wrote to memory of 2924 1908 nursultan nexgen fix.exe WScript.exe PID 2924 wrote to memory of 2656 2924 WScript.exe cmd.exe PID 2924 wrote to memory of 2656 2924 WScript.exe cmd.exe PID 2924 wrote to memory of 2656 2924 WScript.exe cmd.exe PID 2924 wrote to memory of 2656 2924 WScript.exe cmd.exe PID 2656 wrote to memory of 2244 2656 cmd.exe Containerruntime.exe PID 2656 wrote to memory of 2244 2656 cmd.exe Containerruntime.exe PID 2656 wrote to memory of 2244 2656 cmd.exe Containerruntime.exe PID 2656 wrote to memory of 2244 2656 cmd.exe Containerruntime.exe PID 2244 wrote to memory of 1788 2244 Containerruntime.exe audiodg.exe PID 2244 wrote to memory of 1788 2244 Containerruntime.exe audiodg.exe PID 2244 wrote to memory of 1788 2244 Containerruntime.exe audiodg.exe PID 2656 wrote to memory of 1596 2656 cmd.exe reg.exe PID 2656 wrote to memory of 1596 2656 cmd.exe reg.exe PID 2656 wrote to memory of 1596 2656 cmd.exe reg.exe PID 2656 wrote to memory of 1596 2656 cmd.exe reg.exe PID 2508 wrote to memory of 1040 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 1040 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 1040 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2320 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2500 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2500 2508 chrome.exe chrome.exe PID 2508 wrote to memory of 2500 2508 chrome.exe chrome.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\portagentbrowserweb\Containerruntime.exe"C:\portagentbrowserweb\Containerruntime.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Program Files (x86)\Windows Media Player\ja-JP\audiodg.exe"C:\Program Files (x86)\Windows Media Player\ja-JP\audiodg.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:1596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Speech\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\System\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\System\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Containerruntime.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Containerruntime" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Containerruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Containerruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\portagentbrowserweb\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\portagentbrowserweb\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\portagentbrowserweb\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\FreeCell\fr-FR\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\FreeCell\fr-FR\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\FreeCell\fr-FR\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\portagentbrowserweb\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\portagentbrowserweb\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\portagentbrowserweb\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\fr-FR\Containerruntime.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Containerruntime" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\Containerruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\fr-FR\Containerruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef949758,0x7feef949768,0x7feef9497782⤵PID:1040
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1404,i,6824270666348293487,17523580212099939002,131072 /prefetch:22⤵PID:2320
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1588 --field-trial-handle=1404,i,6824270666348293487,17523580212099939002,131072 /prefetch:82⤵PID:2500
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1404,i,6824270666348293487,17523580212099939002,131072 /prefetch:82⤵PID:1652
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2260 --field-trial-handle=1404,i,6824270666348293487,17523580212099939002,131072 /prefetch:12⤵PID:1924
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1404,i,6824270666348293487,17523580212099939002,131072 /prefetch:12⤵PID:1272
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1164 --field-trial-handle=1404,i,6824270666348293487,17523580212099939002,131072 /prefetch:22⤵PID:2828
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2840 --field-trial-handle=1404,i,6824270666348293487,17523580212099939002,131072 /prefetch:12⤵PID:2240
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3316 --field-trial-handle=1404,i,6824270666348293487,17523580212099939002,131072 /prefetch:82⤵PID:1500
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3640 --field-trial-handle=1404,i,6824270666348293487,17523580212099939002,131072 /prefetch:82⤵PID:2812
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3248 --field-trial-handle=1404,i,6824270666348293487,17523580212099939002,131072 /prefetch:82⤵PID:1736
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1228
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmpFilesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD5f7c2d43cc2a44879e8d1b2ad17dd5a75
SHA192f5d8a76405682a7df61886dc183c5a7f9578f7
SHA256729aac64c46d3275f1ae59d4d1b0f2d2af77867b1270f7d3c3ea4f63d262e2d7
SHA5127fe4938beda31d2ccf0675c4bce6db239049671446bbe11509d50a1a75fd85e5d560bef679644a8ccb17639b4c26cf8a3dbd4bcc30c0d17ca6062c7574f56d5e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD577ccd7816593e585d942a67771ffbd76
SHA130522c86d0041a6317c6bc079c97ea1a4d214688
SHA256ec3a5b5e82cb2a0a892ff8864c29d1ca85f669d8269818c0356a41dd5b689fa4
SHA512c5199b04e176befb4e059afcfb2950afbcd4e5cef0630e16d7c2c3067c0cb732809f68dda0245393cb51fb10a283592504468f259ca602ab50f70cc2ba94cf3d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmpFilesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.batFilesize
157B
MD5c8f8a078dace2ff4cb106803c9199643
SHA1a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA2561b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbeFilesize
220B
MD561a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1e695b0c2b43c786453bf3f6ae504f0626951d281
SHA2565c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA5128ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
-
\??\pipe\crashpad_2508_MTZCXQSPXEIOCQCZMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\portagentbrowserweb\Containerruntime.exeFilesize
1.2MB
MD55887a563351ca99247b7e2c448bd9f2e
SHA1b24695e88143863297535989900bb7521ea86d67
SHA256e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
-
memory/1788-55-0x00000000012F0000-0x0000000001422000-memory.dmpFilesize
1.2MB
-
memory/2244-13-0x0000000000D90000-0x0000000000EC2000-memory.dmpFilesize
1.2MB
-
memory/2244-16-0x00000000004E0000-0x00000000004EC000-memory.dmpFilesize
48KB
-
memory/2244-15-0x0000000000BC0000-0x0000000000BD6000-memory.dmpFilesize
88KB
-
memory/2244-14-0x00000000004C0000-0x00000000004DC000-memory.dmpFilesize
112KB