Analysis

  • max time kernel
    299s
  • max time network
    301s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-05-2024 15:19

General

  • Target

    nursultan nexgen fix.exe

  • Size

    1.5MB

  • MD5

    a3d07c747770c9a471a44446e46e33d5

  • SHA1

    8340534fb1770bae9660287ddb0496e243efcfe4

  • SHA256

    16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de

  • SHA512

    307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99

  • SSDEEP

    24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR

Malware Config

Signatures

  • DcRat 31 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
    "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
      2⤵
      • Checks computer location settings
      PID:4820
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
        3⤵
          PID:1052
          • C:\portagentbrowserweb\Containerruntime.exe
            "C:\portagentbrowserweb\Containerruntime.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4916
            • C:\Recovery\WindowsRE\WmiPrvSE.exe
              "C:\Recovery\WindowsRE\WmiPrvSE.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:4548
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:1976
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff933ceab58,0x7ff933ceab68,0x7ff933ceab78
      2⤵
      PID:4816
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:2
      2⤵
      PID:1744
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
      2⤵
      PID:4220
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
      2⤵
      PID:3920
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1
      2⤵
      PID:3404
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1
      2⤵
      PID:4556
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1
      2⤵
      PID:4348
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
      2⤵
      PID:4720
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
      2⤵
      PID:4216
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
      2⤵
      PID:2144
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
      2⤵
      PID:3420
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
      2⤵
      PID:3012
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4604 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1
      2⤵
      PID:448
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5036 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1
      2⤵
      PID:3684
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4720 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1
      2⤵
      PID:4432
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5140 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
      2⤵
      PID:5100
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
      2⤵
      • Modifies registry class
      PID:872
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3204 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
      2⤵
      PID:4564
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8
      2⤵
      PID:2920
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5920 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5068
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:2452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ICU\OfficeClickToRun.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Globalization\ICU\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\ICU\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\security\StartMenuExperienceHost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\security\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\security\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\portagentbrowserweb\fontdrvhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\portagentbrowserweb\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5080
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1016
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x508 0x518
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1420

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a
                                            Filesize

                                            46KB

                                            MD5

                                            f871dd44ae8c9e11c5c85c961f8b2ab1

                                            SHA1

                                            7618910822a0f2639b405e3c0b13faff0431140a

                                            SHA256

                                            2ae2564f74716a4e44850d845f0cca255c6c0c3a7dc0c8ee6bfca0212cc394ec

                                            SHA512

                                            3b9638f705f83e37c3e0c9db1205b2ac76b96ba72ac56013a6aca6f34a7a9ff3548e8fc67d2b85c9f23f8337f696baa8fab01523fb04b5fd618b130501eed47c

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                                            Filesize

                                            792B

                                            MD5

                                            3ee60ecbf8cf8054ca266ec5635a840e

                                            SHA1

                                            463e1490dc0279e347d83c17468e0aeff829bbc4

                                            SHA256

                                            702349ba1dde16aa723745bf0d0f242433ff18dfc12e9ac551b319d6e403f7c2

                                            SHA512

                                            f0cc116c11bcd140efa1d38cbbd2dd47256cedecc743a4c7acefe704514b268b1fd174b98ce4949141f62de957b85cefc85c21a5b61a08ba28fd5e4d52504614

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                                            Filesize

                                            768B

                                            MD5

                                            8274152245bbc8dd66df14f54a1e2259

                                            SHA1

                                            d7d25dbbe8ca5968ebe4288fd7302ff35d57c329

                                            SHA256

                                            89225402398f0bcff4236cbf81ef22d4b2df243efbddedf8187f2a8ca7ea6527

                                            SHA512

                                            84660c8d20327afc5f0bdd45a58294ec600b876d81ad98740175b42be58b4b637805987dca1ceac1707daa86999dce6b3145a55f919d1f8dd77f869685be52ec

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History-journal
                                            Filesize

                                            56KB

                                            MD5

                                            6d080b73ecfca0c0cbf0d4cb0da9096c

                                            SHA1

                                            743aa5fafa82bb39d374c75d42748623e9a0102b

                                            SHA256

                                            6c376026a1c71bdb947ca931b15cb6c27550be946c38c4b8f232943bc9948e11

                                            SHA512

                                            eadfa65223b40dc7b27e170875f1b07e21ff6732807ef947c139b8848964d24f9d7eb5f18363d6856deb7022144b2932fe7201a2bb483239e6bdd9f3bde8b822

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                            Filesize

                                            5KB

                                            MD5

                                            666a390b0db5b78387095901f1b2e4a9

                                            SHA1

                                            3774aa57209adc89d14d16f5be2ab6f4418b47e0

                                            SHA256

                                            8502c8b3e008d0115e031e54f9ae6e758fcf1695f2cf6288a25961ba5ed9f6ce

                                            SHA512

                                            28daf2609cbb57f09ca983f662b97aa04d062c3b6b90495cc7d8ed201ef50d85c31072610490865ae5d7d8d2a875f4736590a6e38b87c858c40d72bb923ae3e3

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                            Filesize

                                            4KB

                                            MD5

                                            388f26386cb2e8f96e6baeff50f4403a

                                            SHA1

                                            311973e4158e23e1e63877282b0e66f5a4f0eacc

                                            SHA256

                                            9dec07ff019a2347ddf4a912584e6e11ed19b8196d01128587842178aa913710

                                            SHA512

                                            85d127cc6c7840926db83cf71922f0d3aca1349a92df78a993319a50ae24b937427602dfed9b6047c561ce0072cc48c90ef6379983080270b72d64710ef0b724

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                            Filesize

                                            5KB

                                            MD5

                                            1166ba6bbf7080ad3b3d52d459fe3989

                                            SHA1

                                            67051ebd06f137bd94c27c51e821e2835866d25f

                                            SHA256

                                            bf0a589c5b6fe4d267501d1b86a506d57a3b80931ba4163dc6c86717bcb6d5a3

                                            SHA512

                                            1ff9aa54062f05610c7083c953a2e088e77766d304809db8a3c8c1b6c9ab13dc3486a729b9d9d005be9f5de2146342f7c600891ab928219511c9a09e7c3892f9

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                            Filesize

                                            4KB

                                            MD5

                                            379457ee051f1e32a2c19db2c3582876

                                            SHA1

                                            ecf4f5156cb0f594d89798528594a1fa88191007

                                            SHA256

                                            c6264f0e3c2296b2c88f6a6442f803e06b7313a06deea728637b80c6dd9b46fb

                                            SHA512

                                            5bc5ddb5b5242df815eb3a649b415178abbf9c1b4f8949c5db2ce79fbf1a280e63aef975049332b317efba1e39c95898009f2d02915edc70198639a2cd39572c

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                            Filesize

                                            2B

                                            MD5

                                            d751713988987e9331980363e24189ce

                                            SHA1

                                            97d170e1550eee4afc0af065b78cda302a97674c

                                            SHA256

                                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                            SHA512

                                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                            Filesize

                                            692B

                                            MD5

                                            05fb10f4e36268bc59f60c22953cde39

                                            SHA1

                                            65852687f33588bef8d8612cdd0db596ed832499

                                            SHA256

                                            b432db1045e120b6a0c88d1fd34714d1817d78d881c068bcdd69958c4ee4a738

                                            SHA512

                                            8579901fc3ed579bd9bb8898501ddaf3d2eac73b49138808220d17b37199847b991128a0258ef1da92f6551a8229cd74b22c7b825ac90b1a9a488deb11683f0f

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                            Filesize

                                            859B

                                            MD5

                                            c4a13300220541e306702641f4aa2505

                                            SHA1

                                            cf755ed796844b43eec1662a9abb71c2ede88a53

                                            SHA256

                                            7a9804c1844ada56eacb407d41532fa6624580ea0397be90f1a0b05d6213c1e9

                                            SHA512

                                            bda165404c2b18b33fb7a364bc0827f6e4829e607bc9fe6f7dc3db0491cc0a9a4dc896a4b812a162a1ceafc94d7555e9b685d447f9e032165d41bfb22bb08418

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                            Filesize

                                            7KB

                                            MD5

                                            641f51177d614d3657f85886c69f873e

                                            SHA1

                                            ddd943e7561182d9ac4275562379ecd36cdcaae6

                                            SHA256

                                            1e31acb2fd7160ac882429fe8148ac7a3a9d3e9e4cbe2afe247dd9ca46228cb9

                                            SHA512

                                            def0a5f2f151e6a9bda34acfae1c36178ed15abb21d0c1e6792cf203ee132d269f40c33a0f1a04743dc7195b26ba03055c0f6516fb498b34fec9d6db28d29b1f

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                            Filesize

                                            8KB

                                            MD5

                                            1d037e521d420e36b077fa5f7ac994dc

                                            SHA1

                                            a2fe4d0a144568844fa5d12cec4dd39d527d539f

                                            SHA256

                                            c0f60d332070e6fb652980c1dec86b3b9578da0245753494a71c94b7092b2a47

                                            SHA512

                                            90c1246260b50d254c4b09d64e35ff8fd89dab755c5c6d122353dd64d3aae24d77b6c8a85e85ae23b5e4667dd9e2f96f31bebed90c7255b27656c092efcd81db

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                            Filesize

                                            8KB

                                            MD5

                                            17f66d7a6e477b2465bdebc55ead42a5

                                            SHA1

                                            c00e01d5bb36ce15fe9b653bd05f4f4a7b4fb68e

                                            SHA256

                                            d74ebc2f40e140b4a32d8c91b0a52210d9f8d12714b1460492013511ba46c2f4

                                            SHA512

                                            871c121ef67cc65a5d0690c0724012b4c587ead7c234101de3835832982f4898f6c484251f10e1c129c5ac7c533101be7e7e02b70579d5a70ddc5985b83f5d2b

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                            Filesize

                                            16KB

                                            MD5

                                            e525096c9ae91f70ac61d0b55b7a0979

                                            SHA1

                                            b3f18f3e89f0108b7b733392d83c6aec27ebd871

                                            SHA256

                                            a87ad1e647e09d118f1916a7baed58f63066003d2346f43cc8ad7670630dbb15

                                            SHA512

                                            7464a867da4ae235141e780721ee56b310ac1be6141fef178f63d0170c16d9ae7d6713b56c7365942ef5c644e1b487838bc3c39b86dd98d5a2127376c1bde9c6

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5a987003-06cd-4566-ab63-1541aedd5647\index-dir\the-real-index
                                            Filesize

                                            624B

                                            MD5

                                            7cd771fee7c72d6c1ac92ecd532e340d

                                            SHA1

                                            5dc52f44245546ff2c08886d38a787ef13935c71

                                            SHA256

                                            388ed54c153f2bcb43b63af2d9e4456b3e4a9c81334bda246886658716a6d69f

                                            SHA512

                                            693e938a80adeba6988e7ef2440257b882f983384be537b136875dbff06fe2bb577c731c337a91bb98898db8521e56b437a802dcb1ec44882e5576bfeffb124b

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5a987003-06cd-4566-ab63-1541aedd5647\index-dir\the-real-index~RFe57cc1a.TMP
                                            Filesize

                                            48B

                                            MD5

                                            b6500159f7870c9dfc4bd63f3b5b1f6d

                                            SHA1

                                            23d8a9f6a9f2a494f233ace7e039f73fcdb60e51

                                            SHA256

                                            b1ae4fd10af432e0339dae4e4a3f639bb07e84ad1e39a34af00e8cb10383d990

                                            SHA512

                                            f65a7e420089da3fa044092145baccd2bc9135fca762b2380784bff04adfd0945353861fe9e8d0fa1d779d18e7f5890169387648b992e0bc20007948a8cff67d

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\80db960c-7b5b-4f3c-a993-fb0b97756291\index-dir\the-real-index
                                            Filesize

                                            2KB

                                            MD5

                                            846b669add039b573f084a002de2593d

                                            SHA1

                                            ab6a10912dcbc75fea9c7540d67bb5c94fc8825e

                                            SHA256

                                            fd5602bc70dcb048564783f6d71a87b3090374a7cdba42a970eba46d433d750a

                                            SHA512

                                            faabe1bb6775f54997c2982d8b6a4f4c72fea04d451a8f7cdfd3dd8fbdbc1a763abdbe12f98074a18b46a2c4a96a3cb2bc16932a8b5c9b9ad0f19aa14920416a

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\80db960c-7b5b-4f3c-a993-fb0b97756291\index-dir\the-real-index
                                            Filesize

                                            2KB

                                            MD5

                                            4c0ba36805161300d6f0979ff7f4c086

                                            SHA1

                                            2a6293c1c847dd02076a0d53a0ecf7b7aa4599df

                                            SHA256

                                            5ff4de8f8c5a5c1a7c97ed9b7d8033ec9112eec0d167e03d731fd87201b4b7f4

                                            SHA512

                                            00a22bea224cbae802a2d6dfbf73846682855b67b5e0d5c93ce55789766951c7bfda8426876004a6abf156561e011016b42e07341a6c32f8fc5ed60a7f01728e

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\80db960c-7b5b-4f3c-a993-fb0b97756291\index-dir\the-real-index~RFe58293e.TMP
                                            Filesize

                                            48B

                                            MD5

                                            780d227e8a9f61e6ebe5d37fc49e9efa

                                            SHA1

                                            abb2758e143c47929fce96a067a9897a8ea2376f

                                            SHA256

                                            5a28ee459a2eac6b8f230a2a1d63201d5273d87db31cccc42efa2e0a4fd91b2a

                                            SHA512

                                            81b5adae297d4864360e348c254667eda8855ce72d429488ee65f596c0ddc6dd68d4d360ff36d5abde70a8a676775be045eb4ae2744d23929064401bbbd71609

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                            Filesize

                                            176B

                                            MD5

                                            43566a139a0de458c95ca39b248aaa2e

                                            SHA1

                                            117b740ea8455b83a2e320610590fd8d78b0a0df

                                            SHA256

                                            43eddc37766f6caa2898f628ed0f528788fed53b506d19c403462a8bb20b32e2

                                            SHA512

                                            a88b75a205cfe2ecabae28d6e0bf4601b0886566f41dcfe2d9b974fb68fdb4beaf09fc5c88432c15d1cda528a9f37d119544352e4def4dd1f3ba7e840762748a

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                            Filesize

                                            112B

                                            MD5

                                            15972af4671bd1381abf4513b6ec4fd4

                                            SHA1

                                            9f4acf4654551e9e8b75e9f5ddeb56b5ff73a354

                                            SHA256

                                            4ec61b6c0070f57d45d6bf4b2735cfd465c84aaa09da768b38c27b25d0166157

                                            SHA512

                                            5fa6afb8bc5f4d8c808e672fa3d0ee425519287ba9efafdfca6bb98a7ff460f40e996e7abd0e8020853e2d6d00cda50d37ec1ca9f59d02b5781cc899b69a0c51

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                            Filesize

                                            183B

                                            MD5

                                            2864b09c98eb61ab538092b505c200ea

                                            SHA1

                                            398488758a8a66d32aa73905374429059a981197

                                            SHA256

                                            da5d0bd86dfc0327b2bdf6615a48659265c60dd2714eb6d9f0d0178bb7389089

                                            SHA512

                                            2a1736ed0e10e9348fd0c016c8c045125d575aa39193ad41459d2bf2f6349d2759871465d84a8522c2c647a98d99d89c74f8682af06d4526d8017077d1fa6b49

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                            Filesize

                                            185B

                                            MD5

                                            9d111fc7e1dfeb6e83eb5bb2a9e45459

                                            SHA1

                                            1fbdad03da080abbd144d054bc40a49c3135db83

                                            SHA256

                                            c46e58627a16febd6091ac77d411c0b56d06791e112163fb256f13671eb8fa1c

                                            SHA512

                                            97b03eb7886141b0b4123a6b517ff10732ae343bb9c1c82ef5654c9165ae46d4d4f62b43514039e44e6b61989b60f491540676513d4878894a002d8fa91cf083

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                            Filesize

                                            183B

                                            MD5

                                            10151b9e881831e60210645365359e22

                                            SHA1

                                            35c0e6e4bac99a2740c0e8bee3f07d4dde07ea5d

                                            SHA256

                                            247dae2e1b8240b8891f71acf115034621764e461a65e57b2858a6a84481e495

                                            SHA512

                                            e3cf2e183e6f18a4e07a279bf73ebf3b3974a926427a9bfdc264b851628ed2f4194604107a1b080f1a0fc9c6140ae5710686d588b27d4351a76ad8a1a5ebce44

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5772de.TMP
                                            Filesize

                                            119B

                                            MD5

                                            f9718e239462f101b67d2e88763898fb

                                            SHA1

                                            4b0bc58f121a9e4769b9c16681c3519903f0a021

                                            SHA256

                                            0b90b5e414f6a54a79b0dfde2f312d40a1dc9e84ef0f241db49fcf4c621ca808

                                            SHA512

                                            9a2c9466462dc13a8d82ea75b9e1d24cf9961322355654193c0ddbe62d119ce058790d933688d70a226b663775bdebff6a6692d6c48b4851dbe1c96576ffe9de

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                            Filesize

                                            120B

                                            MD5

                                            1223234f9627fefac311c1bda5bd299f

                                            SHA1

                                            50cf7cad15d2b10215087e5fd84094de16461130

                                            SHA256

                                            b8f80f64ebc50a323d2a84128df9addd6abad3143f79748486b0041ef988193b

                                            SHA512

                                            2c19bbd4d30b071314364829f81bf7f019e9e61d4566b59a8c103384c4b6e7142956f1abaa7dd2e3743e2d3a02be678ec9fd7c96ad56c8d7bad567ba17b96df0

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2424_641273150\Shortcuts Menu Icons\Monochrome\0\512.png
                                            Filesize

                                            2KB

                                            MD5

                                            12a429f9782bcff446dc1089b68d44ee

                                            SHA1

                                            e41e5a1a4f2950a7f2da8be77ca26a66da7093b9

                                            SHA256

                                            e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37

                                            SHA512

                                            1da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2424_641273150\Shortcuts Menu Icons\Monochrome\1\512.png
                                            Filesize

                                            10KB

                                            MD5

                                            7f57c509f12aaae2c269646db7fde6e8

                                            SHA1

                                            969d8c0e3d9140f843f36ccf2974b112ad7afc07

                                            SHA256

                                            1d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f

                                            SHA512

                                            3503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2424_991812122\Icons Monochrome\16.png
                                            Filesize

                                            216B

                                            MD5

                                            a4fd4f5953721f7f3a5b4bfd58922efe

                                            SHA1

                                            f3abed41d764efbd26bacf84c42bd8098a14c5cb

                                            SHA256

                                            c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3

                                            SHA512

                                            7fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
                                            Filesize

                                            100KB

                                            MD5

                                            e05fbc2a4ec4fbbd4b758c74061ddefc

                                            SHA1

                                            2e65e320ac06e38610e3edb5a288adacec826beb

                                            SHA256

                                            4bc7fbf8fb0e7095b0d503e37861fd236482fba7511ec2e14a36a0f6b0534f9a

                                            SHA512

                                            098fe9ab821368f592635639f4e68799dfd035587da4bd964f52da2246b26bb78b264b32cb9679a2f08225e089d84a950917310e304d502c685714a8d0cf9ab7

                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                            Filesize

                                            261KB

                                            MD5

                                            1de8c09269f43bf27533a34b055b3c29

                                            SHA1

                                            2ca0dcd4c87de8f84c3e654e412218bef173ddb6

                                            SHA256

                                            b863b1b1645709f6d540629e1a184e4a308eb5a7fbb75be3c5e23ed0927119d4

                                            SHA512

                                            53a40a1ff23f0d8b5b2486190fec6cc7740428d50849447db4c839b49ec46f3a7bc21ccaf68f1c8c773c869eff1295055b4f19912ea5a188eccaec6e145ff110

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
  Filesize: 89KB
  MD5: babfe16023fce343027f3c2aae7aacaf
  SHA1: 6f27c9b14f7f098d1c35cbde65f19530e2606c2b
  SHA256: f455308c53bd58558380eed3d06882179449e80bc9ac3d86f1e83752ea4e887c
  SHA512: 5b40965b381a974de817821570ad6840432c180a645399c98b6a466336d6d41d42f004df26ebaec276158abe08cd5482c3cb2eb00e911391e74241b14e25d05f

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57fdb9.TMP
  Filesize: 87KB
  MD5: bddfc85a03e81a0e15d3374b0071be1c
  SHA1: bd22cf0b57afb39492ad97d1ebdaba753d2d4371
  SHA256: aa647236ec86c63ebc8335961815c38d4c5ec5de5fe9c0a18e6638a78a9ea9c3
  SHA512: dc4478bad09d9069b7086c3006932570938ee747aae21029e113c79c279aa553c3b2d41dc0731f141767159f2a7bd3e7a8443858dd73b766f0e806bc6a39608a

• C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat
  Filesize: 157B
  MD5: c8f8a078dace2ff4cb106803c9199643
  SHA1: a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
  SHA256: 1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
  SHA512: efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999

• C:\portagentbrowserweb\Containerruntime.exe
  Filesize: 1.2MB
  MD5: 5887a563351ca99247b7e2c448bd9f2e
  SHA1: b24695e88143863297535989900bb7521ea86d67
  SHA256: e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
  SHA512: b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107

• C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe
  Filesize: 220B
  MD5: 61a07f2f9e8e9b1f5175b2d60c3e3f18
  SHA1: e695b0c2b43c786453bf3f6ae504f0626951d281
  SHA256: 5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
  SHA512: 8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d

• \??\pipe\crashpad_2424_VGKZXFIPEYGXBRZR
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/4916-53-0x000000001ADE0000-0x000000001AE30000-memory.dmp
  Filesize: 320KB

• memory/4916-54-0x000000001AD90000-0x000000001ADA6000-memory.dmp
  Filesize: 88KB

• memory/4916-55-0x0000000002380000-0x000000000238C000-memory.dmp
  Filesize: 48KB

• memory/4916-52-0x0000000002360000-0x000000000237C000-memory.dmp
  Filesize: 112KB

• memory/4916-49-0x0000000000120000-0x0000000000252000-memory.dmp
  Filesize: 1.2MB