Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 15:41
Behavioral task
behavioral1
Sample
nursultan nexgen fix.exe
Resource
win7-20240419-en
General
-
Target
nursultan nexgen fix.exe
-
Size
1.5MB
-
MD5
a3d07c747770c9a471a44446e46e33d5
-
SHA1
8340534fb1770bae9660287ddb0496e243efcfe4
-
SHA256
16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
-
SHA512
307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
-
SSDEEP
24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4604 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3204 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2988 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4780 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2644 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 624 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4724 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1220 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5048 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3916 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3860 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2852 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3472 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4800 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 392 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1580 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5036 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4304 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2152 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1424 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3368 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4508 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4496 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4448 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 868 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2128 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4092 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 556 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2736 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2072 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3688 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3212 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4608 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3936 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 796 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1600 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4536 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4276 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4060 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1972 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4888 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 332 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4336 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3424 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2604 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4424 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1052 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2180 2116 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 2116 schtasks.exe -
Processes:
resource yara_rule C:\portagentbrowserweb\Containerruntime.exe dcrat behavioral2/memory/412-13-0x0000000000920000-0x0000000000A52000-memory.dmp dcrat -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
nursultan nexgen fix.exeWScript.exeContainerruntime.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation nursultan nexgen fix.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation Containerruntime.exe -
Executes dropped EXE 2 IoCs
Processes:
Containerruntime.execsrss.exepid process 412 Containerruntime.exe 1136 csrss.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 33 ipinfo.io 34 ipinfo.io -
Drops file in Program Files directory 6 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Program Files (x86)\Google\Temp\c5b4cb5e9653cc Containerruntime.exe File created C:\Program Files\Google\Chrome\Application\sysmon.exe Containerruntime.exe File created C:\Program Files\Google\Chrome\Application\121e5b5079f7c0 Containerruntime.exe File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RuntimeBroker.exe Containerruntime.exe File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\9e8d7a4ca61bd9 Containerruntime.exe File created C:\Program Files (x86)\Google\Temp\services.exe Containerruntime.exe -
Drops file in Windows directory 7 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Windows\SystemResources\ShellComponents.DragDrop\pris\22eafd247d37c3 Containerruntime.exe File created C:\Windows\WinSxS\sppsvc.exe Containerruntime.exe File created C:\Windows\tracing\upfc.exe Containerruntime.exe File created C:\Windows\tracing\ea1d8f6d871115 Containerruntime.exe File created C:\Windows\Downloaded Program Files\csrss.exe Containerruntime.exe File created C:\Windows\Downloaded Program Files\886983d96e3d3e Containerruntime.exe File created C:\Windows\SystemResources\ShellComponents.DragDrop\pris\TextInputHost.exe Containerruntime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2852 schtasks.exe 4800 schtasks.exe 3688 schtasks.exe 1600 schtasks.exe 2152 schtasks.exe 3212 schtasks.exe 392 schtasks.exe 3916 schtasks.exe 3368 schtasks.exe 868 schtasks.exe 2128 schtasks.exe 556 schtasks.exe 4536 schtasks.exe 3204 schtasks.exe 2736 schtasks.exe 3424 schtasks.exe 1144 schtasks.exe 2072 schtasks.exe 1580 schtasks.exe 4276 schtasks.exe 332 schtasks.exe 2180 schtasks.exe 3472 schtasks.exe 1220 schtasks.exe 3860 schtasks.exe 4448 schtasks.exe 796 schtasks.exe 4304 schtasks.exe 1424 schtasks.exe 2988 schtasks.exe 3936 schtasks.exe 4424 schtasks.exe 5048 schtasks.exe 4888 schtasks.exe 4496 schtasks.exe 4608 schtasks.exe 4060 schtasks.exe 1052 schtasks.exe 4604 schtasks.exe 1984 schtasks.exe 4724 schtasks.exe 5036 schtasks.exe 1972 schtasks.exe 4780 schtasks.exe 4092 schtasks.exe 2008 schtasks.exe 2644 schtasks.exe 4508 schtasks.exe 4336 schtasks.exe 2604 schtasks.exe 624 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
chrome.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616437459437874" chrome.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe -
Modifies registry class 2 IoCs
Processes:
nursultan nexgen fix.exeContainerruntime.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings nursultan nexgen fix.exe Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings Containerruntime.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
Containerruntime.execsrss.exechrome.exepid process 412 Containerruntime.exe 412 Containerruntime.exe 412 Containerruntime.exe 412 Containerruntime.exe 412 Containerruntime.exe 412 Containerruntime.exe 412 Containerruntime.exe 412 Containerruntime.exe 412 Containerruntime.exe 412 Containerruntime.exe 412 Containerruntime.exe 412 Containerruntime.exe 412 Containerruntime.exe 1136 csrss.exe 1136 csrss.exe 1136 csrss.exe 1136 csrss.exe 1136 csrss.exe 1136 csrss.exe 1136 csrss.exe 1136 csrss.exe 1136 csrss.exe 1136 csrss.exe 1136 csrss.exe 1136 csrss.exe 1136 csrss.exe 4276 chrome.exe 4276 chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
csrss.exepid process 1136 csrss.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
chrome.exepid process 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Containerruntime.execsrss.exechrome.exedescription pid process Token: SeDebugPrivilege 412 Containerruntime.exe Token: SeDebugPrivilege 1136 csrss.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe Token: SeShutdownPrivilege 4276 chrome.exe Token: SeCreatePagefilePrivilege 4276 chrome.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
Processes:
chrome.exepid process 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
chrome.exepid process 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe 4276 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
nursultan nexgen fix.exeWScript.execmd.exeContainerruntime.execmd.exechrome.exedescription pid process target process PID 2180 wrote to memory of 2972 2180 nursultan nexgen fix.exe WScript.exe PID 2180 wrote to memory of 2972 2180 nursultan nexgen fix.exe WScript.exe PID 2180 wrote to memory of 2972 2180 nursultan nexgen fix.exe WScript.exe PID 2972 wrote to memory of 2836 2972 WScript.exe cmd.exe PID 2972 wrote to memory of 2836 2972 WScript.exe cmd.exe PID 2972 wrote to memory of 2836 2972 WScript.exe cmd.exe PID 2836 wrote to memory of 412 2836 cmd.exe Containerruntime.exe PID 2836 wrote to memory of 412 2836 cmd.exe Containerruntime.exe PID 412 wrote to memory of 3632 412 Containerruntime.exe cmd.exe PID 412 wrote to memory of 3632 412 Containerruntime.exe cmd.exe PID 2836 wrote to memory of 2740 2836 cmd.exe reg.exe PID 2836 wrote to memory of 2740 2836 cmd.exe reg.exe PID 2836 wrote to memory of 2740 2836 cmd.exe reg.exe PID 3632 wrote to memory of 184 3632 cmd.exe w32tm.exe PID 3632 wrote to memory of 184 3632 cmd.exe w32tm.exe PID 3632 wrote to memory of 1136 3632 cmd.exe csrss.exe PID 3632 wrote to memory of 1136 3632 cmd.exe csrss.exe PID 4276 wrote to memory of 332 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 332 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 1144 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 628 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 628 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 4204 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 4204 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 4204 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 4204 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 4204 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 4204 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 4204 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 4204 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 4204 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 4204 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 4204 4276 chrome.exe chrome.exe PID 4276 wrote to memory of 4204 4276 chrome.exe chrome.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\portagentbrowserweb\Containerruntime.exe"C:\portagentbrowserweb\Containerruntime.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dj4L498I5I.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:184
-
C:\Recovery\WindowsRE\csrss.exe"C:\Recovery\WindowsRE\csrss.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1136 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Recent\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Recent\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Videos\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemResources\ShellComponents.DragDrop\pris\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemResources\ShellComponents.DragDrop\pris\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemResources\ShellComponents.DragDrop\pris\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\portagentbrowserweb\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\portagentbrowserweb\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\portagentbrowserweb\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\portagentbrowserweb\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\portagentbrowserweb\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\portagentbrowserweb\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\portagentbrowserweb\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\portagentbrowserweb\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\portagentbrowserweb\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\tracing\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xc0,0x128,0x7ffb00c8ab58,0x7ffb00c8ab68,0x7ffb00c8ab782⤵PID:332
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1944,i,9627963815998990271,7608793866864675073,131072 /prefetch:22⤵PID:1144
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1944,i,9627963815998990271,7608793866864675073,131072 /prefetch:82⤵PID:628
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1944,i,9627963815998990271,7608793866864675073,131072 /prefetch:82⤵PID:4204
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=1944,i,9627963815998990271,7608793866864675073,131072 /prefetch:12⤵PID:5000
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1944,i,9627963815998990271,7608793866864675073,131072 /prefetch:12⤵PID:2364
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1944,i,9627963815998990271,7608793866864675073,131072 /prefetch:12⤵PID:472
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3660 --field-trial-handle=1944,i,9627963815998990271,7608793866864675073,131072 /prefetch:82⤵PID:3472
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4404 --field-trial-handle=1944,i,9627963815998990271,7608793866864675073,131072 /prefetch:82⤵PID:856
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1944,i,9627963815998990271,7608793866864675073,131072 /prefetch:82⤵PID:4156
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1944,i,9627963815998990271,7608793866864675073,131072 /prefetch:82⤵PID:2600
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1944,i,9627963815998990271,7608793866864675073,131072 /prefetch:82⤵PID:2280
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:1660
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5cb04588f03776752651b46cd77d67a8a
SHA123ad054e6f59e48313af2b258d446373628d07fb
SHA256aaf062e96120dd404d9cbf8420e0c5d7f1659b1e8121fe4f397fd328f23517af
SHA51206583c996fb5cc25ebd571c1380e95b1c04c610445730db13dfd9df5bde8296ebb83898338e18719941b06eef72b5ad9e2afa3dd948e9ff69f0cbc5aeab59fb0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
354B
MD53fa71cafb40f7c1feff5435009b41cca
SHA1e69abf3b3ffb5d54486abca05038c443f3f2086b
SHA25692f5365f8ed476244c9228dda4a24193f1fd12df077e29372c61caa9de7d82d1
SHA512ff0fa76a07502843eba080d8dc62994a16300f5452e11854752a3876c784c359768e0320fd84bbdac504ed86ec99ec87ed9b0bd2fda13575e7a36846423976fe
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5d30bbde726aeeb7ebe7f3e24c8361699
SHA1e5faf1c6d55597ffefc5b402567abd2afc6fbcfe
SHA2564c640f8a32c213f32908c5aa9038cca0221897b5d225e70dea30fa3075b0643f
SHA512b153b5f8b70760704c9072706d94e7356984a9ba957be448abed69e02bb45d3af34fda859c911a44ae34feb4df87a18f92a3c3ec917aad37fda398dcf2d160ec
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD52a6ce4c1a4df82cde1be211e5fbd52e6
SHA1c7e15c8bc7d3c19e17726b3540b76bc12da73122
SHA2566a937dba7a76794aa5a4d5f56df7accd73023252043998daa800f2a6835883d2
SHA512d8dc3e95d130669e369281c975dfcb0541426ee2d12c034b35cc6b9ee6c4945382a9e1093572a1f9e41573c2aa70965e96bd54e67f78df61a728e8124b95101b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
261KB
MD5eee350daa3550464d707a55b379b3be2
SHA10b6f1bffa11f7efc2a8f009153de37caaacdc721
SHA256e6d02855c3ec4cd507ccaaf35378db2556a1235e279e6e0b01678c8f145df19e
SHA5129f11f32c8983a06074a8b136e3e52259d878845403b1c8758f8013917b225028b1461d6a556e9461c76f936e5371ce414937f2c2ffdbc42fb8fa0ea9f307918f
-
C:\Users\Admin\AppData\Local\Temp\Dj4L498I5I.batFilesize
196B
MD56def73d60af9fde7acc65c4ef7883a04
SHA10bb9586a3631bb25a81d5910c6a755906f89dfe7
SHA2567680058c42e27ee45f2cb9dd7c79594b42bbb0b0e7a506a11e0e1b89d7bf2d0d
SHA512ab15a82e68fc8e7b5167149252936bcb964e6c3d381544734a8aa1f989b02d440d9605d918cf72e4fda9abe034f022000865dd32b41ecd919e0a676c77d5b9e2
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.batFilesize
157B
MD5c8f8a078dace2ff4cb106803c9199643
SHA1a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA2561b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
-
C:\portagentbrowserweb\Containerruntime.exeFilesize
1.2MB
MD55887a563351ca99247b7e2c448bd9f2e
SHA1b24695e88143863297535989900bb7521ea86d67
SHA256e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbeFilesize
220B
MD561a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1e695b0c2b43c786453bf3f6ae504f0626951d281
SHA2565c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA5128ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
-
\??\pipe\crashpad_4276_XJLHPDOAQPJKFUUAMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/412-13-0x0000000000920000-0x0000000000A52000-memory.dmpFilesize
1.2MB
-
memory/412-17-0x0000000001330000-0x000000000133C000-memory.dmpFilesize
48KB
-
memory/412-16-0x000000001B6A0000-0x000000001B6B6000-memory.dmpFilesize
88KB
-
memory/412-15-0x000000001B6F0000-0x000000001B740000-memory.dmpFilesize
320KB
-
memory/412-14-0x0000000002C40000-0x0000000002C5C000-memory.dmpFilesize
112KB
-
memory/412-12-0x00007FFB05E53000-0x00007FFB05E55000-memory.dmpFilesize
8KB