Analysis
max time kernel: 299s
max time network: 301s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 15:19
General
Target: nursultan nexgen fix.exe
Size: 1.5MB
MD5: a3d07c747770c9a471a44446e46e33d5
SHA1: 8340534fb1770bae9660287ddb0496e243efcfe4
SHA256: 16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
SHA512: 307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
SSDEEP: 24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
DcRat 31 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
pid   process
1336  schtasks.exe
4932  schtasks.exe
4344  schtasks.exe
1500  schtasks.exe
4532  schtasks.exe
3872  schtasks.exe
4500  schtasks.exe
4196  schtasks.exe
5080  schtasks.exe
2900  schtasks.exe
1016  schtasks.exe
3844  schtasks.exe
3492  schtasks.exe
1616  schtasks.exe
4276  schtasks.exe
2604  schtasks.exe
2188  schtasks.exe
3444  schtasks.exe
5096  schtasks.exe
2196  schtasks.exe
3212  schtasks.exe
2128  schtasks.exe
5076  schtasks.exe
4168  schtasks.exe
4008  schtasks.exe
872   schtasks.exe
4236  schtasks.exe
3548  schtasks.exe
3048  schtasks.exe
704   schtasks.exe
description        ioc                                                                                                 process
Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  nursultan nexgen fix.exe
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description (same for all 30 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid   pid_target  process
4008  2884        schtasks.exe
1616  2884        schtasks.exe
4276  2884        schtasks.exe
5096  2884        schtasks.exe
3844  2884        schtasks.exe
3492  2884        schtasks.exe
5076  2884        schtasks.exe
4532  2884        schtasks.exe
4500  2884        schtasks.exe
3872  2884        schtasks.exe
4196  2884        schtasks.exe
872   2884        schtasks.exe
2196  2884        schtasks.exe
2128  2884        schtasks.exe
2900  2884        schtasks.exe
1336  2884        schtasks.exe
4932  2884        schtasks.exe
2604  2884        schtasks.exe
4168  2884        schtasks.exe
3548  2884        schtasks.exe
2188  2884        schtasks.exe
4344  2884        schtasks.exe
4236  2884        schtasks.exe
3444  2884        schtasks.exe
3048  2884        schtasks.exe
1500  2884        schtasks.exe
5080  2884        schtasks.exe
704   2884        schtasks.exe
3212  2884        schtasks.exe
1016  2884        schtasks.exe
Processes:
resource                                                                      yara_rule
C:\portagentbrowserweb\Containerruntime.exe                                   dcrat
behavioral1/memory/4916-49-0x0000000000120000-0x0000000000252000-memory.dmp   dcrat
Disables Task Manager via registry modification
Downloads MZ/PE file
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                 process
Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  nursultan nexgen fix.exe
Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation  Containerruntime.exe
Executes dropped EXE 2 IoCs
Processes:
pid   process
4916  Containerruntime.exe
4548  WmiPrvSE.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 6 IoCs
Processes:
description   ioc                                                                    process
File created  C:\Program Files (x86)\Internet Explorer\it-IT\886983d96e3d3e          Containerruntime.exe
File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe     Containerruntime.exe
File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\cc11b995f2a76d   Containerruntime.exe
File created  C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe          Containerruntime.exe
File created  C:\Program Files (x86)\Windows NT\Accessories\en-US\6203df4a6bafc7     Containerruntime.exe
File created  C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe               Containerruntime.exe
Drops file in Windows directory 4 IoCs
Processes:
description   ioc                                                  process
File created  C:\Windows\Globalization\ICU\OfficeClickToRun.exe    Containerruntime.exe
File created  C:\Windows\Globalization\ICU\e6c9b481da804f          Containerruntime.exe
File created  C:\Windows\security\StartMenuExperienceHost.exe      Containerruntime.exe
File created  C:\Windows\security\55b276f4edf653                   Containerruntime.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
4168  schtasks.exe
2604  schtasks.exe
4500  schtasks.exe
2196  schtasks.exe
2900  schtasks.exe
3212  schtasks.exe
4008  schtasks.exe
4932  schtasks.exe
4236  schtasks.exe
3444  schtasks.exe
1500  schtasks.exe
3872  schtasks.exe
2128  schtasks.exe
2188  schtasks.exe
4344  schtasks.exe
3048  schtasks.exe
4276  schtasks.exe
4532  schtasks.exe
1336  schtasks.exe
1616  schtasks.exe
3492  schtasks.exe
4196  schtasks.exe
3548  schtasks.exe
5080  schtasks.exe
704   schtasks.exe
1016  schtasks.exe
5096  schtasks.exe
5076  schtasks.exe
872   schtasks.exe
3844  schtasks.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description        ioc                                                                    process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS 2 IoCs
Processes:
description      ioc                                                                                                        process
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                      chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616424021859167"  chrome.exe
Modifies registry class 2 IoCs
Processes:
description  ioc                                                                                                                                                                                              process
Key created  \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings                                                                                                                nursultan nexgen fix.exe
Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{99D2C303-1DE7-47A0-94A1-178F8CF0AA63}  chrome.exe
Modifies registry key 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
pid   process
2424  chrome.exe (x2)
4916  Containerruntime.exe (x4)
4548  WmiPrvSE.exe (x15)
5068  chrome.exe (x2)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
4548  WmiPrvSE.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
pid   process
2424  chrome.exe (x6)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description                        pid   process
Token: SeShutdownPrivilege         2424  chrome.exe (x30, alternating with the next entry)
Token: SeCreatePagefilePrivilege   2424  chrome.exe (x30)
Token: SeDebugPrivilege            4916  Containerruntime.exe
Token: SeDebugPrivilege            4548  WmiPrvSE.exe
Token: 33                          1420  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  1420  AUDIODG.EXE
Suspicious use of FindShellTrayWindow 52 IoCs
Processes:
pid   process
2424  chrome.exe (x52)
Suspicious use of SendNotifyMessage 48 IoCs
Processes:
pid   process
2424  chrome.exe (x48)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                         pid   process                   target process
PID 4532 wrote to memory of 4820    4532  nursultan nexgen fix.exe  WScript.exe (x3)
PID 2424 wrote to memory of 4816    2424  chrome.exe                chrome.exe (x2)
PID 2424 wrote to memory of 1744    2424  chrome.exe                chrome.exe (repeated)
PID 2424 wrote to memory of 4220    2424  chrome.exe                chrome.exe (x2)
PID 2424 wrote to memory of 3920    2424  chrome.exe                chrome.exe (repeated)
(the 1744 and 3920 rows together account for the remaining 57 of the 64 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
  command: "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
  - DcRat
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4532
  C:\Windows\SysWOW64\WScript.exe
    command: "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
    - Checks computer location settings
    PID: 4820
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
      PID: 1052
      C:\portagentbrowserweb\Containerruntime.exe
        command: "C:\portagentbrowserweb\Containerruntime.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4916
        C:\Recovery\WindowsRE\WmiPrvSE.exe
          command: "C:\Recovery\WindowsRE\WmiPrvSE.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          PID: 4548
      C:\Windows\SysWOW64\reg.exe
        command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key
        PID: 1976
C:\Program Files\Google\Chrome\Application\chrome.exe
  command: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2424
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff933ceab58,0x7ff933ceab68,0x7ff933ceab78
    PID: 4816
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:2
    PID: 1744
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
    PID: 4220
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
    PID: 3920
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1
    PID: 3404
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1
    PID: 4556
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1
    PID: 4348
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
    PID: 4720
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
    PID: 4216
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
    PID: 2144
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
    PID: 3420
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
    PID: 3012
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4604 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1
    PID: 448
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5036 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1
    PID: 3684
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4720 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1
    PID: 4432
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5140 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
    PID: 5100
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
    - Modifies registry class
    PID: 872
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3204 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
    PID: 4564
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
    PID: 2920
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5920 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 5068
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  command: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 2452
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4008
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1616
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4276
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5096
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3844
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3492
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ICU\OfficeClickToRun.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5076
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Globalization\ICU\OfficeClickToRun.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4532
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\ICU\OfficeClickToRun.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4500
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\security\StartMenuExperienceHost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3872
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\security\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4196
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\security\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 872
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2196
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2128
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2900
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1336
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\portagentbrowserweb\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\portagentbrowserweb\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x508 0x5181⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a
Filesize 46KB
MD5 f871dd44ae8c9e11c5c85c961f8b2ab1
SHA1 7618910822a0f2639b405e3c0b13faff0431140a
SHA256 2ae2564f74716a4e44850d845f0cca255c6c0c3a7dc0c8ee6bfca0212cc394ec
SHA512 3b9638f705f83e37c3e0c9db1205b2ac76b96ba72ac56013a6aca6f34a7a9ff3548e8fc67d2b85c9f23f8337f696baa8fab01523fb04b5fd618b130501eed47c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 792B
MD5 3ee60ecbf8cf8054ca266ec5635a840e
SHA1 463e1490dc0279e347d83c17468e0aeff829bbc4
SHA256 702349ba1dde16aa723745bf0d0f242433ff18dfc12e9ac551b319d6e403f7c2
SHA512 f0cc116c11bcd140efa1d38cbbd2dd47256cedecc743a4c7acefe704514b268b1fd174b98ce4949141f62de957b85cefc85c21a5b61a08ba28fd5e4d52504614
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 768B
MD5 8274152245bbc8dd66df14f54a1e2259
SHA1 d7d25dbbe8ca5968ebe4288fd7302ff35d57c329
SHA256 89225402398f0bcff4236cbf81ef22d4b2df243efbddedf8187f2a8ca7ea6527
SHA512 84660c8d20327afc5f0bdd45a58294ec600b876d81ad98740175b42be58b4b637805987dca1ceac1707daa86999dce6b3145a55f919d1f8dd77f869685be52ec
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History-journal
Filesize 56KB
MD5 6d080b73ecfca0c0cbf0d4cb0da9096c
SHA1 743aa5fafa82bb39d374c75d42748623e9a0102b
SHA256 6c376026a1c71bdb947ca931b15cb6c27550be946c38c4b8f232943bc9948e11
SHA512 eadfa65223b40dc7b27e170875f1b07e21ff6732807ef947c139b8848964d24f9d7eb5f18363d6856deb7022144b2932fe7201a2bb483239e6bdd9f3bde8b822
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize 5KB
MD5 666a390b0db5b78387095901f1b2e4a9
SHA1 3774aa57209adc89d14d16f5be2ab6f4418b47e0
SHA256 8502c8b3e008d0115e031e54f9ae6e758fcf1695f2cf6288a25961ba5ed9f6ce
SHA512 28daf2609cbb57f09ca983f662b97aa04d062c3b6b90495cc7d8ed201ef50d85c31072610490865ae5d7d8d2a875f4736590a6e38b87c858c40d72bb923ae3e3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize 4KB
MD5 388f26386cb2e8f96e6baeff50f4403a
SHA1 311973e4158e23e1e63877282b0e66f5a4f0eacc
SHA256 9dec07ff019a2347ddf4a912584e6e11ed19b8196d01128587842178aa913710
SHA512 85d127cc6c7840926db83cf71922f0d3aca1349a92df78a993319a50ae24b937427602dfed9b6047c561ce0072cc48c90ef6379983080270b72d64710ef0b724
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize 5KB
MD5 1166ba6bbf7080ad3b3d52d459fe3989
SHA1 67051ebd06f137bd94c27c51e821e2835866d25f
SHA256 bf0a589c5b6fe4d267501d1b86a506d57a3b80931ba4163dc6c86717bcb6d5a3
SHA512 1ff9aa54062f05610c7083c953a2e088e77766d304809db8a3c8c1b6c9ab13dc3486a729b9d9d005be9f5de2146342f7c600891ab928219511c9a09e7c3892f9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize 4KB
MD5 379457ee051f1e32a2c19db2c3582876
SHA1 ecf4f5156cb0f594d89798528594a1fa88191007
SHA256 c6264f0e3c2296b2c88f6a6442f803e06b7313a06deea728637b80c6dd9b46fb
SHA512 5bc5ddb5b5242df815eb3a649b415178abbf9c1b4f8949c5db2ce79fbf1a280e63aef975049332b317efba1e39c95898009f2d02915edc70198639a2cd39572c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize 692B
MD5 05fb10f4e36268bc59f60c22953cde39
SHA1 65852687f33588bef8d8612cdd0db596ed832499
SHA256 b432db1045e120b6a0c88d1fd34714d1817d78d881c068bcdd69958c4ee4a738
SHA512 8579901fc3ed579bd9bb8898501ddaf3d2eac73b49138808220d17b37199847b991128a0258ef1da92f6551a8229cd74b22c7b825ac90b1a9a488deb11683f0f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize 859B
MD5 c4a13300220541e306702641f4aa2505
SHA1 cf755ed796844b43eec1662a9abb71c2ede88a53
SHA256 7a9804c1844ada56eacb407d41532fa6624580ea0397be90f1a0b05d6213c1e9
SHA512 bda165404c2b18b33fb7a364bc0827f6e4829e607bc9fe6f7dc3db0491cc0a9a4dc896a4b812a162a1ceafc94d7555e9b685d447f9e032165d41bfb22bb08418
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize 7KB
MD5 641f51177d614d3657f85886c69f873e
SHA1 ddd943e7561182d9ac4275562379ecd36cdcaae6
SHA256 1e31acb2fd7160ac882429fe8148ac7a3a9d3e9e4cbe2afe247dd9ca46228cb9
SHA512 def0a5f2f151e6a9bda34acfae1c36178ed15abb21d0c1e6792cf203ee132d269f40c33a0f1a04743dc7195b26ba03055c0f6516fb498b34fec9d6db28d29b1f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize 8KB
MD5 1d037e521d420e36b077fa5f7ac994dc
SHA1 a2fe4d0a144568844fa5d12cec4dd39d527d539f
SHA256 c0f60d332070e6fb652980c1dec86b3b9578da0245753494a71c94b7092b2a47
SHA512 90c1246260b50d254c4b09d64e35ff8fd89dab755c5c6d122353dd64d3aae24d77b6c8a85e85ae23b5e4667dd9e2f96f31bebed90c7255b27656c092efcd81db
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize 8KB
MD5 17f66d7a6e477b2465bdebc55ead42a5
SHA1 c00e01d5bb36ce15fe9b653bd05f4f4a7b4fb68e
SHA256 d74ebc2f40e140b4a32d8c91b0a52210d9f8d12714b1460492013511ba46c2f4
SHA512 871c121ef67cc65a5d0690c0724012b4c587ead7c234101de3835832982f4898f6c484251f10e1c129c5ac7c533101be7e7e02b70579d5a70ddc5985b83f5d2b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize 16KB
MD5 e525096c9ae91f70ac61d0b55b7a0979
SHA1 b3f18f3e89f0108b7b733392d83c6aec27ebd871
SHA256 a87ad1e647e09d118f1916a7baed58f63066003d2346f43cc8ad7670630dbb15
SHA512 7464a867da4ae235141e780721ee56b310ac1be6141fef178f63d0170c16d9ae7d6713b56c7365942ef5c644e1b487838bc3c39b86dd98d5a2127376c1bde9c6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5a987003-06cd-4566-ab63-1541aedd5647\index-dir\the-real-index
Filesize 624B
MD5 7cd771fee7c72d6c1ac92ecd532e340d
SHA1 5dc52f44245546ff2c08886d38a787ef13935c71
SHA256 388ed54c153f2bcb43b63af2d9e4456b3e4a9c81334bda246886658716a6d69f
SHA512 693e938a80adeba6988e7ef2440257b882f983384be537b136875dbff06fe2bb577c731c337a91bb98898db8521e56b437a802dcb1ec44882e5576bfeffb124b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5a987003-06cd-4566-ab63-1541aedd5647\index-dir\the-real-index~RFe57cc1a.TMP
Filesize 48B
MD5 b6500159f7870c9dfc4bd63f3b5b1f6d
SHA1 23d8a9f6a9f2a494f233ace7e039f73fcdb60e51
SHA256 b1ae4fd10af432e0339dae4e4a3f639bb07e84ad1e39a34af00e8cb10383d990
SHA512 f65a7e420089da3fa044092145baccd2bc9135fca762b2380784bff04adfd0945353861fe9e8d0fa1d779d18e7f5890169387648b992e0bc20007948a8cff67d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\80db960c-7b5b-4f3c-a993-fb0b97756291\index-dir\the-real-index
Filesize 2KB
MD5 846b669add039b573f084a002de2593d
SHA1 ab6a10912dcbc75fea9c7540d67bb5c94fc8825e
SHA256 fd5602bc70dcb048564783f6d71a87b3090374a7cdba42a970eba46d433d750a
SHA512 faabe1bb6775f54997c2982d8b6a4f4c72fea04d451a8f7cdfd3dd8fbdbc1a763abdbe12f98074a18b46a2c4a96a3cb2bc16932a8b5c9b9ad0f19aa14920416a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\80db960c-7b5b-4f3c-a993-fb0b97756291\index-dir\the-real-index
Filesize 2KB
MD5 4c0ba36805161300d6f0979ff7f4c086
SHA1 2a6293c1c847dd02076a0d53a0ecf7b7aa4599df
SHA256 5ff4de8f8c5a5c1a7c97ed9b7d8033ec9112eec0d167e03d731fd87201b4b7f4
SHA512 00a22bea224cbae802a2d6dfbf73846682855b67b5e0d5c93ce55789766951c7bfda8426876004a6abf156561e011016b42e07341a6c32f8fc5ed60a7f01728e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\80db960c-7b5b-4f3c-a993-fb0b97756291\index-dir\the-real-index~RFe58293e.TMP
Filesize 48B
MD5 780d227e8a9f61e6ebe5d37fc49e9efa
SHA1 abb2758e143c47929fce96a067a9897a8ea2376f
SHA256 5a28ee459a2eac6b8f230a2a1d63201d5273d87db31cccc42efa2e0a4fd91b2a
SHA512 81b5adae297d4864360e348c254667eda8855ce72d429488ee65f596c0ddc6dd68d4d360ff36d5abde70a8a676775be045eb4ae2744d23929064401bbbd71609
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize 176B
MD5 43566a139a0de458c95ca39b248aaa2e
SHA1 117b740ea8455b83a2e320610590fd8d78b0a0df
SHA256 43eddc37766f6caa2898f628ed0f528788fed53b506d19c403462a8bb20b32e2
SHA512 a88b75a205cfe2ecabae28d6e0bf4601b0886566f41dcfe2d9b974fb68fdb4beaf09fc5c88432c15d1cda528a9f37d119544352e4def4dd1f3ba7e840762748a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize 112B
MD5 15972af4671bd1381abf4513b6ec4fd4
SHA1 9f4acf4654551e9e8b75e9f5ddeb56b5ff73a354
SHA256 4ec61b6c0070f57d45d6bf4b2735cfd465c84aaa09da768b38c27b25d0166157
SHA512 5fa6afb8bc5f4d8c808e672fa3d0ee425519287ba9efafdfca6bb98a7ff460f40e996e7abd0e8020853e2d6d00cda50d37ec1ca9f59d02b5781cc899b69a0c51
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize 183B
MD5 2864b09c98eb61ab538092b505c200ea
SHA1 398488758a8a66d32aa73905374429059a981197
SHA256 da5d0bd86dfc0327b2bdf6615a48659265c60dd2714eb6d9f0d0178bb7389089
SHA512 2a1736ed0e10e9348fd0c016c8c045125d575aa39193ad41459d2bf2f6349d2759871465d84a8522c2c647a98d99d89c74f8682af06d4526d8017077d1fa6b49
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize 185B
MD5 9d111fc7e1dfeb6e83eb5bb2a9e45459
SHA1 1fbdad03da080abbd144d054bc40a49c3135db83
SHA256 c46e58627a16febd6091ac77d411c0b56d06791e112163fb256f13671eb8fa1c
SHA512 97b03eb7886141b0b4123a6b517ff10732ae343bb9c1c82ef5654c9165ae46d4d4f62b43514039e44e6b61989b60f491540676513d4878894a002d8fa91cf083
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize 183B
MD5 10151b9e881831e60210645365359e22
SHA1 35c0e6e4bac99a2740c0e8bee3f07d4dde07ea5d
SHA256 247dae2e1b8240b8891f71acf115034621764e461a65e57b2858a6a84481e495
SHA512 e3cf2e183e6f18a4e07a279bf73ebf3b3974a926427a9bfdc264b851628ed2f4194604107a1b080f1a0fc9c6140ae5710686d588b27d4351a76ad8a1a5ebce44
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5772de.TMP
Filesize 119B
MD5 f9718e239462f101b67d2e88763898fb
SHA1 4b0bc58f121a9e4769b9c16681c3519903f0a021
SHA256 0b90b5e414f6a54a79b0dfde2f312d40a1dc9e84ef0f241db49fcf4c621ca808
SHA512 9a2c9466462dc13a8d82ea75b9e1d24cf9961322355654193c0ddbe62d119ce058790d933688d70a226b663775bdebff6a6692d6c48b4851dbe1c96576ffe9de
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize 120B
MD5 1223234f9627fefac311c1bda5bd299f
SHA1 50cf7cad15d2b10215087e5fd84094de16461130
SHA256 b8f80f64ebc50a323d2a84128df9addd6abad3143f79748486b0041ef988193b
SHA512 2c19bbd4d30b071314364829f81bf7f019e9e61d4566b59a8c103384c4b6e7142956f1abaa7dd2e3743e2d3a02be678ec9fd7c96ad56c8d7bad567ba17b96df0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2424_641273150\Shortcuts Menu Icons\Monochrome\0\512.png
Filesize 2KB
MD5 12a429f9782bcff446dc1089b68d44ee
SHA1 e41e5a1a4f2950a7f2da8be77ca26a66da7093b9
SHA256 e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37
SHA512 1da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2424_641273150\Shortcuts Menu Icons\Monochrome\1\512.png
Filesize 10KB
MD5 7f57c509f12aaae2c269646db7fde6e8
SHA1 969d8c0e3d9140f843f36ccf2974b112ad7afc07
SHA256 1d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f
SHA512 3503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2424_991812122\Icons Monochrome\16.png
Filesize 216B
MD5 a4fd4f5953721f7f3a5b4bfd58922efe
SHA1 f3abed41d764efbd26bacf84c42bd8098a14c5cb
SHA256 c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3
SHA512 7fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
Filesize 100KB
MD5 e05fbc2a4ec4fbbd4b758c74061ddefc
SHA1 2e65e320ac06e38610e3edb5a288adacec826beb
SHA256 4bc7fbf8fb0e7095b0d503e37861fd236482fba7511ec2e14a36a0f6b0534f9a
SHA512 098fe9ab821368f592635639f4e68799dfd035587da4bd964f52da2246b26bb78b264b32cb9679a2f08225e089d84a950917310e304d502c685714a8d0cf9ab7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize 261KB
MD5 1de8c09269f43bf27533a34b055b3c29
SHA1 2ca0dcd4c87de8f84c3e654e412218bef173ddb6
SHA256 b863b1b1645709f6d540629e1a184e4a308eb5a7fbb75be3c5e23ed0927119d4
SHA512 53a40a1ff23f0d8b5b2486190fec6cc7740428d50849447db4c839b49ec46f3a7bc21ccaf68f1c8c773c869eff1295055b4f19912ea5a188eccaec6e145ff110
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize 89KB
MD5 babfe16023fce343027f3c2aae7aacaf
SHA1 6f27c9b14f7f098d1c35cbde65f19530e2606c2b
SHA256 f455308c53bd58558380eed3d06882179449e80bc9ac3d86f1e83752ea4e887c
SHA512 5b40965b381a974de817821570ad6840432c180a645399c98b6a466336d6d41d42f004df26ebaec276158abe08cd5482c3cb2eb00e911391e74241b14e25d05f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57fdb9.TMP
Filesize 87KB
MD5 bddfc85a03e81a0e15d3374b0071be1c
SHA1 bd22cf0b57afb39492ad97d1ebdaba753d2d4371
SHA256 aa647236ec86c63ebc8335961815c38d4c5ec5de5fe9c0a18e6638a78a9ea9c3
SHA512 dc4478bad09d9069b7086c3006932570938ee747aae21029e113c79c279aa553c3b2d41dc0731f141767159f2a7bd3e7a8443858dd73b766f0e806bc6a39608a
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat
Filesize 157B
MD5 c8f8a078dace2ff4cb106803c9199643
SHA1 a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA256 1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512 efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
-
C:\portagentbrowserweb\Containerruntime.exe
Filesize 1.2MB
MD5 5887a563351ca99247b7e2c448bd9f2e
SHA1 b24695e88143863297535989900bb7521ea86d67
SHA256 e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512 b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe
Filesize 220B
MD5 61a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1 e695b0c2b43c786453bf3f6ae504f0626951d281
SHA256 5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA512 8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
-
\??\pipe\crashpad_2424_VGKZXFIPEYGXBRZR
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4916-53-0x000000001ADE0000-0x000000001AE30000-memory.dmp
Filesize 320KB
-
memory/4916-54-0x000000001AD90000-0x000000001ADA6000-memory.dmp
Filesize 88KB
-
memory/4916-55-0x0000000002380000-0x000000000238C000-memory.dmp
Filesize 48KB
-
memory/4916-52-0x0000000002360000-0x000000000237C000-memory.dmp
Filesize 112KB
-
memory/4916-49-0x0000000000120000-0x0000000000252000-memory.dmp
Filesize 1.2MB