Malware Analysis Report

2024-10-10 12:55

Sample ID 240531-sqkeasda49
Target nursultan nexgen fix.exe
SHA256 16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
Tags
rat dcrat evasion infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de

Threat Level: Known bad

The file nursultan nexgen fix.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer spyware stealer

Process spawned unexpected child process

DCRat payload

DcRat

Dcrat family

DCRat payload

Disables Task Manager via registry modification

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 15:19

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 15:19

Reported

2024-05-31 15:24

Platform

win10v2004-20240426-en

Max time kernel

299s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\portagentbrowserweb\Containerruntime.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\portagentbrowserweb\Containerruntime.exe N/A
N/A N/A C:\Recovery\WindowsRE\WmiPrvSE.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\it-IT\886983d96e3d3e C:\portagentbrowserweb\Containerruntime.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe C:\portagentbrowserweb\Containerruntime.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\cc11b995f2a76d C:\portagentbrowserweb\Containerruntime.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe C:\portagentbrowserweb\Containerruntime.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\6203df4a6bafc7 C:\portagentbrowserweb\Containerruntime.exe N/A
File created C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe C:\portagentbrowserweb\Containerruntime.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Globalization\ICU\OfficeClickToRun.exe C:\portagentbrowserweb\Containerruntime.exe N/A
File created C:\Windows\Globalization\ICU\e6c9b481da804f C:\portagentbrowserweb\Containerruntime.exe N/A
File created C:\Windows\security\StartMenuExperienceHost.exe C:\portagentbrowserweb\Containerruntime.exe N/A
File created C:\Windows\security\55b276f4edf653 C:\portagentbrowserweb\Containerruntime.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616424021859167" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{99D2C303-1DE7-47A0-94A1-178F8CF0AA63} C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Recovery\WindowsRE\WmiPrvSE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\portagentbrowserweb\Containerruntime.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\WmiPrvSE.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4532 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe C:\Windows\SysWOW64\WScript.exe
PID 4532 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe C:\Windows\SysWOW64\WScript.exe
PID 4532 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe C:\Windows\SysWOW64\WScript.exe
PID 2424 wrote to memory of 4816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 4816 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 1744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 4220 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 4220 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2424 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe

"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff933ceab58,0x7ff933ceab68,0x7ff933ceab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4856 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "

C:\portagentbrowserweb\Containerruntime.exe

"C:\portagentbrowserweb\Containerruntime.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ICU\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Globalization\ICU\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\ICU\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\security\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\security\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\security\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\portagentbrowserweb\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\portagentbrowserweb\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Recovery\WindowsRE\WmiPrvSE.exe

"C:\Recovery\WindowsRE\WmiPrvSE.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4604 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5036 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4720 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5140 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x508 0x518

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3204 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5920 --field-trial-handle=1920,i,12996805465370457621,1097129295887794191,131072 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 id.google.com udp
GB 142.250.180.3:443 id.google.com tcp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
GB 216.58.212.214:443 i.ytimg.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 216.58.212.234:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com udp
GB 142.250.179.238:443 www.youtube.com udp
US 8.8.8.8:53 a0987415.xsph.ru udp
GB 216.58.212.214:443 i.ytimg.com udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
US 8.8.8.8:53 214.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 26.192.8.141.in-addr.arpa udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com tcp
NL 142.250.27.84:443 accounts.google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 216.58.212.194:443 googleads.g.doubleclick.net tcp
GB 216.58.212.234:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 84.27.250.142.in-addr.arpa udp
US 8.8.8.8:53 194.212.58.216.in-addr.arpa udp
GB 216.58.212.194:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 static.doubleclick.net udp
GB 142.250.179.234:443 jnn-pa.googleapis.com tcp
GB 216.58.213.6:443 static.doubleclick.net tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 6.213.58.216.in-addr.arpa udp
GB 142.250.179.234:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 suggestqueries-clients6.youtube.com udp
GB 172.217.16.238:443 suggestqueries-clients6.youtube.com tcp
GB 172.217.16.238:443 suggestqueries-clients6.youtube.com udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
GB 172.217.16.238:443 suggestqueries-clients6.youtube.com udp
US 8.8.8.8:53 youtube.com udp
GB 142.250.200.46:443 youtube.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 yt3.ggpht.com udp
GB 142.250.180.1:443 yt3.ggpht.com tcp
GB 142.250.180.1:443 yt3.ggpht.com tcp
GB 142.250.180.1:443 yt3.ggpht.com tcp
US 8.8.8.8:53 rr3---sn-5hnekn76.googlevideo.com udp
NL 209.85.226.8:443 rr3---sn-5hnekn76.googlevideo.com tcp
US 8.8.8.8:53 1.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 8.226.85.209.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
NL 209.85.226.8:443 rr3---sn-5hnekn76.googlevideo.com udp
GB 142.250.180.1:443 yt3.ggpht.com udp
US 8.8.8.8:53 rr5---sn-5hne6nzy.googlevideo.com udp
NL 172.217.132.170:443 rr5---sn-5hne6nzy.googlevideo.com udp
US 8.8.8.8:53 170.132.217.172.in-addr.arpa udp
GB 142.250.179.238:443 www.youtube.com udp
GB 142.250.179.238:443 www.youtube.com tcp
GB 142.250.179.238:443 www.youtube.com udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
NL 142.250.27.84:443 accounts.google.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
NL 142.250.27.84:443 accounts.google.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
GB 172.217.16.238:443 suggestqueries-clients6.youtube.com udp
GB 172.217.16.238:443 suggestqueries-clients6.youtube.com udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
US 8.8.8.8:53 i.ytimg.com udp
GB 216.58.212.214:443 i.ytimg.com udp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:443 google.com tcp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
GB 142.250.180.1:443 yt3.ggpht.com udp
GB 216.58.212.194:443 googleads.g.doubleclick.net udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp
NL 142.250.27.84:443 accounts.google.com udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
NL 172.217.132.170:443 rr5---sn-5hne6nzy.googlevideo.com udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
US 8.8.8.8:53 google.com udp
GB 142.250.178.14:443 google.com udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
US 8.8.8.8:53 beacons.gvt2.com udp
US 192.178.49.163:443 beacons.gvt2.com tcp
US 192.178.49.163:443 beacons.gvt2.com udp
US 8.8.8.8:53 163.49.178.192.in-addr.arpa udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
US 8.8.8.8:53 beacons2.gvt2.com udp
US 108.177.8.94:443 beacons2.gvt2.com tcp
US 108.177.8.94:443 beacons2.gvt2.com udp
US 8.8.8.8:53 94.8.177.108.in-addr.arpa udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp

Files

C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe

MD5 61a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1 e695b0c2b43c786453bf3f6ae504f0626951d281
SHA256 5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA512 8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d

\??\pipe\crashpad_2424_VGKZXFIPEYGXBRZR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat

MD5 c8f8a078dace2ff4cb106803c9199643
SHA1 a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA256 1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512 efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999

C:\portagentbrowserweb\Containerruntime.exe

MD5 5887a563351ca99247b7e2c448bd9f2e
SHA1 b24695e88143863297535989900bb7521ea86d67
SHA256 e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512 b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107

memory/4916-49-0x0000000000120000-0x0000000000252000-memory.dmp

memory/4916-52-0x0000000002360000-0x000000000237C000-memory.dmp

memory/4916-55-0x0000000002380000-0x000000000238C000-memory.dmp

memory/4916-54-0x000000001AD90000-0x000000001ADA6000-memory.dmp

memory/4916-53-0x000000001ADE0000-0x000000001AE30000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 1de8c09269f43bf27533a34b055b3c29
SHA1 2ca0dcd4c87de8f84c3e654e412218bef173ddb6
SHA256 b863b1b1645709f6d540629e1a184e4a308eb5a7fbb75be3c5e23ed0927119d4
SHA512 53a40a1ff23f0d8b5b2486190fec6cc7740428d50849447db4c839b49ec46f3a7bc21ccaf68f1c8c773c869eff1295055b4f19912ea5a188eccaec6e145ff110

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 641f51177d614d3657f85886c69f873e
SHA1 ddd943e7561182d9ac4275562379ecd36cdcaae6
SHA256 1e31acb2fd7160ac882429fe8148ac7a3a9d3e9e4cbe2afe247dd9ca46228cb9
SHA512 def0a5f2f151e6a9bda34acfae1c36178ed15abb21d0c1e6792cf203ee132d269f40c33a0f1a04743dc7195b26ba03055c0f6516fb498b34fec9d6db28d29b1f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 43566a139a0de458c95ca39b248aaa2e
SHA1 117b740ea8455b83a2e320610590fd8d78b0a0df
SHA256 43eddc37766f6caa2898f628ed0f528788fed53b506d19c403462a8bb20b32e2
SHA512 a88b75a205cfe2ecabae28d6e0bf4601b0886566f41dcfe2d9b974fb68fdb4beaf09fc5c88432c15d1cda528a9f37d119544352e4def4dd1f3ba7e840762748a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5772de.TMP

MD5 f9718e239462f101b67d2e88763898fb
SHA1 4b0bc58f121a9e4769b9c16681c3519903f0a021
SHA256 0b90b5e414f6a54a79b0dfde2f312d40a1dc9e84ef0f241db49fcf4c621ca808
SHA512 9a2c9466462dc13a8d82ea75b9e1d24cf9961322355654193c0ddbe62d119ce058790d933688d70a226b663775bdebff6a6692d6c48b4851dbe1c96576ffe9de

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 15972af4671bd1381abf4513b6ec4fd4
SHA1 9f4acf4654551e9e8b75e9f5ddeb56b5ff73a354
SHA256 4ec61b6c0070f57d45d6bf4b2735cfd465c84aaa09da768b38c27b25d0166157
SHA512 5fa6afb8bc5f4d8c808e672fa3d0ee425519287ba9efafdfca6bb98a7ff460f40e996e7abd0e8020853e2d6d00cda50d37ec1ca9f59d02b5781cc899b69a0c51

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 9d111fc7e1dfeb6e83eb5bb2a9e45459
SHA1 1fbdad03da080abbd144d054bc40a49c3135db83
SHA256 c46e58627a16febd6091ac77d411c0b56d06791e112163fb256f13671eb8fa1c
SHA512 97b03eb7886141b0b4123a6b517ff10732ae343bb9c1c82ef5654c9165ae46d4d4f62b43514039e44e6b61989b60f491540676513d4878894a002d8fa91cf083

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2424_991812122\Icons Monochrome\16.png

MD5 a4fd4f5953721f7f3a5b4bfd58922efe
SHA1 f3abed41d764efbd26bacf84c42bd8098a14c5cb
SHA256 c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3
SHA512 7fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2424_641273150\Shortcuts Menu Icons\Monochrome\0\512.png

MD5 12a429f9782bcff446dc1089b68d44ee
SHA1 e41e5a1a4f2950a7f2da8be77ca26a66da7093b9
SHA256 e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37
SHA512 1da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2424_641273150\Shortcuts Menu Icons\Monochrome\1\512.png

MD5 7f57c509f12aaae2c269646db7fde6e8
SHA1 969d8c0e3d9140f843f36ccf2974b112ad7afc07
SHA256 1d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f
SHA512 3503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 e525096c9ae91f70ac61d0b55b7a0979
SHA1 b3f18f3e89f0108b7b733392d83c6aec27ebd871
SHA256 a87ad1e647e09d118f1916a7baed58f63066003d2346f43cc8ad7670630dbb15
SHA512 7464a867da4ae235141e780721ee56b310ac1be6141fef178f63d0170c16d9ae7d6713b56c7365942ef5c644e1b487838bc3c39b86dd98d5a2127376c1bde9c6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 05fb10f4e36268bc59f60c22953cde39
SHA1 65852687f33588bef8d8612cdd0db596ed832499
SHA256 b432db1045e120b6a0c88d1fd34714d1817d78d881c068bcdd69958c4ee4a738
SHA512 8579901fc3ed579bd9bb8898501ddaf3d2eac73b49138808220d17b37199847b991128a0258ef1da92f6551a8229cd74b22c7b825ac90b1a9a488deb11683f0f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

MD5 f871dd44ae8c9e11c5c85c961f8b2ab1
SHA1 7618910822a0f2639b405e3c0b13faff0431140a
SHA256 2ae2564f74716a4e44850d845f0cca255c6c0c3a7dc0c8ee6bfca0212cc394ec
SHA512 3b9638f705f83e37c3e0c9db1205b2ac76b96ba72ac56013a6aca6f34a7a9ff3548e8fc67d2b85c9f23f8337f696baa8fab01523fb04b5fd618b130501eed47c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

MD5 e05fbc2a4ec4fbbd4b758c74061ddefc
SHA1 2e65e320ac06e38610e3edb5a288adacec826beb
SHA256 4bc7fbf8fb0e7095b0d503e37861fd236482fba7511ec2e14a36a0f6b0534f9a
SHA512 098fe9ab821368f592635639f4e68799dfd035587da4bd964f52da2246b26bb78b264b32cb9679a2f08225e089d84a950917310e304d502c685714a8d0cf9ab7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History-journal

MD5 6d080b73ecfca0c0cbf0d4cb0da9096c
SHA1 743aa5fafa82bb39d374c75d42748623e9a0102b
SHA256 6c376026a1c71bdb947ca931b15cb6c27550be946c38c4b8f232943bc9948e11
SHA512 eadfa65223b40dc7b27e170875f1b07e21ff6732807ef947c139b8848964d24f9d7eb5f18363d6856deb7022144b2932fe7201a2bb483239e6bdd9f3bde8b822

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1d037e521d420e36b077fa5f7ac994dc
SHA1 a2fe4d0a144568844fa5d12cec4dd39d527d539f
SHA256 c0f60d332070e6fb652980c1dec86b3b9578da0245753494a71c94b7092b2a47
SHA512 90c1246260b50d254c4b09d64e35ff8fd89dab755c5c6d122353dd64d3aae24d77b6c8a85e85ae23b5e4667dd9e2f96f31bebed90c7255b27656c092efcd81db

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c4a13300220541e306702641f4aa2505
SHA1 cf755ed796844b43eec1662a9abb71c2ede88a53
SHA256 7a9804c1844ada56eacb407d41532fa6624580ea0397be90f1a0b05d6213c1e9
SHA512 bda165404c2b18b33fb7a364bc0827f6e4829e607bc9fe6f7dc3db0491cc0a9a4dc896a4b812a162a1ceafc94d7555e9b685d447f9e032165d41bfb22bb08418

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 1223234f9627fefac311c1bda5bd299f
SHA1 50cf7cad15d2b10215087e5fd84094de16461130
SHA256 b8f80f64ebc50a323d2a84128df9addd6abad3143f79748486b0041ef988193b
SHA512 2c19bbd4d30b071314364829f81bf7f019e9e61d4566b59a8c103384c4b6e7142956f1abaa7dd2e3743e2d3a02be678ec9fd7c96ad56c8d7bad567ba17b96df0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 8274152245bbc8dd66df14f54a1e2259
SHA1 d7d25dbbe8ca5968ebe4288fd7302ff35d57c329
SHA256 89225402398f0bcff4236cbf81ef22d4b2df243efbddedf8187f2a8ca7ea6527
SHA512 84660c8d20327afc5f0bdd45a58294ec600b876d81ad98740175b42be58b4b637805987dca1ceac1707daa86999dce6b3145a55f919d1f8dd77f869685be52ec

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5a987003-06cd-4566-ab63-1541aedd5647\index-dir\the-real-index~RFe57cc1a.TMP

MD5 b6500159f7870c9dfc4bd63f3b5b1f6d
SHA1 23d8a9f6a9f2a494f233ace7e039f73fcdb60e51
SHA256 b1ae4fd10af432e0339dae4e4a3f639bb07e84ad1e39a34af00e8cb10383d990
SHA512 f65a7e420089da3fa044092145baccd2bc9135fca762b2380784bff04adfd0945353861fe9e8d0fa1d779d18e7f5890169387648b992e0bc20007948a8cff67d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5a987003-06cd-4566-ab63-1541aedd5647\index-dir\the-real-index

MD5 7cd771fee7c72d6c1ac92ecd532e340d
SHA1 5dc52f44245546ff2c08886d38a787ef13935c71
SHA256 388ed54c153f2bcb43b63af2d9e4456b3e4a9c81334bda246886658716a6d69f
SHA512 693e938a80adeba6988e7ef2440257b882f983384be537b136875dbff06fe2bb577c731c337a91bb98898db8521e56b437a802dcb1ec44882e5576bfeffb124b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 babfe16023fce343027f3c2aae7aacaf
SHA1 6f27c9b14f7f098d1c35cbde65f19530e2606c2b
SHA256 f455308c53bd58558380eed3d06882179449e80bc9ac3d86f1e83752ea4e887c
SHA512 5b40965b381a974de817821570ad6840432c180a645399c98b6a466336d6d41d42f004df26ebaec276158abe08cd5482c3cb2eb00e911391e74241b14e25d05f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57fdb9.TMP

MD5 bddfc85a03e81a0e15d3374b0071be1c
SHA1 bd22cf0b57afb39492ad97d1ebdaba753d2d4371
SHA256 aa647236ec86c63ebc8335961815c38d4c5ec5de5fe9c0a18e6638a78a9ea9c3
SHA512 dc4478bad09d9069b7086c3006932570938ee747aae21029e113c79c279aa553c3b2d41dc0731f141767159f2a7bd3e7a8443858dd73b766f0e806bc6a39608a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 3ee60ecbf8cf8054ca266ec5635a840e
SHA1 463e1490dc0279e347d83c17468e0aeff829bbc4
SHA256 702349ba1dde16aa723745bf0d0f242433ff18dfc12e9ac551b319d6e403f7c2
SHA512 f0cc116c11bcd140efa1d38cbbd2dd47256cedecc743a4c7acefe704514b268b1fd174b98ce4949141f62de957b85cefc85c21a5b61a08ba28fd5e4d52504614

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\80db960c-7b5b-4f3c-a993-fb0b97756291\index-dir\the-real-index~RFe58293e.TMP

MD5 780d227e8a9f61e6ebe5d37fc49e9efa
SHA1 abb2758e143c47929fce96a067a9897a8ea2376f
SHA256 5a28ee459a2eac6b8f230a2a1d63201d5273d87db31cccc42efa2e0a4fd91b2a
SHA512 81b5adae297d4864360e348c254667eda8855ce72d429488ee65f596c0ddc6dd68d4d360ff36d5abde70a8a676775be045eb4ae2744d23929064401bbbd71609

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\80db960c-7b5b-4f3c-a993-fb0b97756291\index-dir\the-real-index

MD5 4c0ba36805161300d6f0979ff7f4c086
SHA1 2a6293c1c847dd02076a0d53a0ecf7b7aa4599df
SHA256 5ff4de8f8c5a5c1a7c97ed9b7d8033ec9112eec0d167e03d731fd87201b4b7f4
SHA512 00a22bea224cbae802a2d6dfbf73846682855b67b5e0d5c93ce55789766951c7bfda8426876004a6abf156561e011016b42e07341a6c32f8fc5ed60a7f01728e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 2864b09c98eb61ab538092b505c200ea
SHA1 398488758a8a66d32aa73905374429059a981197
SHA256 da5d0bd86dfc0327b2bdf6615a48659265c60dd2714eb6d9f0d0178bb7389089
SHA512 2a1736ed0e10e9348fd0c016c8c045125d575aa39193ad41459d2bf2f6349d2759871465d84a8522c2c647a98d99d89c74f8682af06d4526d8017077d1fa6b49

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 388f26386cb2e8f96e6baeff50f4403a
SHA1 311973e4158e23e1e63877282b0e66f5a4f0eacc
SHA256 9dec07ff019a2347ddf4a912584e6e11ed19b8196d01128587842178aa913710
SHA512 85d127cc6c7840926db83cf71922f0d3aca1349a92df78a993319a50ae24b937427602dfed9b6047c561ce0072cc48c90ef6379983080270b72d64710ef0b724

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 17f66d7a6e477b2465bdebc55ead42a5
SHA1 c00e01d5bb36ce15fe9b653bd05f4f4a7b4fb68e
SHA256 d74ebc2f40e140b4a32d8c91b0a52210d9f8d12714b1460492013511ba46c2f4
SHA512 871c121ef67cc65a5d0690c0724012b4c587ead7c234101de3835832982f4898f6c484251f10e1c129c5ac7c533101be7e7e02b70579d5a70ddc5985b83f5d2b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 379457ee051f1e32a2c19db2c3582876
SHA1 ecf4f5156cb0f594d89798528594a1fa88191007
SHA256 c6264f0e3c2296b2c88f6a6442f803e06b7313a06deea728637b80c6dd9b46fb
SHA512 5bc5ddb5b5242df815eb3a649b415178abbf9c1b4f8949c5db2ce79fbf1a280e63aef975049332b317efba1e39c95898009f2d02915edc70198639a2cd39572c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\80db960c-7b5b-4f3c-a993-fb0b97756291\index-dir\the-real-index

MD5 846b669add039b573f084a002de2593d
SHA1 ab6a10912dcbc75fea9c7540d67bb5c94fc8825e
SHA256 fd5602bc70dcb048564783f6d71a87b3090374a7cdba42a970eba46d433d750a
SHA512 faabe1bb6775f54997c2982d8b6a4f4c72fea04d451a8f7cdfd3dd8fbdbc1a763abdbe12f98074a18b46a2c4a96a3cb2bc16932a8b5c9b9ad0f19aa14920416a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 10151b9e881831e60210645365359e22
SHA1 35c0e6e4bac99a2740c0e8bee3f07d4dde07ea5d
SHA256 247dae2e1b8240b8891f71acf115034621764e461a65e57b2858a6a84481e495
SHA512 e3cf2e183e6f18a4e07a279bf73ebf3b3974a926427a9bfdc264b851628ed2f4194604107a1b080f1a0fc9c6140ae5710686d588b27d4351a76ad8a1a5ebce44

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 666a390b0db5b78387095901f1b2e4a9
SHA1 3774aa57209adc89d14d16f5be2ab6f4418b47e0
SHA256 8502c8b3e008d0115e031e54f9ae6e758fcf1695f2cf6288a25961ba5ed9f6ce
SHA512 28daf2609cbb57f09ca983f662b97aa04d062c3b6b90495cc7d8ed201ef50d85c31072610490865ae5d7d8d2a875f4736590a6e38b87c858c40d72bb923ae3e3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 1166ba6bbf7080ad3b3d52d459fe3989
SHA1 67051ebd06f137bd94c27c51e821e2835866d25f
SHA256 bf0a589c5b6fe4d267501d1b86a506d57a3b80931ba4163dc6c86717bcb6d5a3
SHA512 1ff9aa54062f05610c7083c953a2e088e77766d304809db8a3c8c1b6c9ab13dc3486a729b9d9d005be9f5de2146342f7c600891ab928219511c9a09e7c3892f9