Analysis
max time kernel: 299s
max time network: 297s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 15:23
General
Target: nursultan nexgen fix.exe
Size: 1.5MB
MD5: a3d07c747770c9a471a44446e46e33d5
SHA1: 8340534fb1770bae9660287ddb0496e243efcfe4
SHA256: 16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
SHA512: 307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
SSDEEP: 24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Yara matches:
resource | yara_rule
C:\portagentbrowserweb\Containerruntime.exe | dcrat
behavioral1/memory/4044-51-0x0000000000FB0000-0x00000000010E2000-memory.dmp | dcrat

Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (39 instances)
description | pid | pid_target | process | target process
All 39 entries carry the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 752 and process schtasks.exe; the pid column, in the order reported, is:
2472, 2120, 4924, 4208, 3216, 1732, 4512, 2224, 776, 2644, 1680, 2292, 2940, 3244, 4112, 1724, 2388, 2200, 3612, 5004, 2380, 4920, 4368, 4612, 3104, 3912, 4208, 732, 3588, 4692, 2000, 116, 2036, 4276, 2904, 2940, 2320, 4808, 4112
Disables Task Manager via registry modification

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: nursultan nexgen fix.exe, WScript.exe, Containerruntime.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | nursultan nexgen fix.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | Containerruntime.exe

Executes dropped EXE 3 IoCs
Processes: Containerruntime.exe, csrss.exe, fontdrvhost.exe
pid | process
4044 | Containerruntime.exe
3460 | csrss.exe
436 | fontdrvhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory 10 IoCs
Processes: Containerruntime.exe
description | ioc | process
File created | C:\Program Files\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe | Containerruntime.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe | Containerruntime.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe | Containerruntime.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe | Containerruntime.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\886983d96e3d3e | Containerruntime.exe
File created | C:\Program Files\WindowsPowerShell\Configuration\Registration\9e8d7a4ca61bd9 | Containerruntime.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9 | Containerruntime.exe
File created | C:\Program Files (x86)\Windows Defender\uk-UA\RuntimeBroker.exe | Containerruntime.exe
File created | C:\Program Files (x86)\Windows Defender\uk-UA\9e8d7a4ca61bd9 | Containerruntime.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\7a0fd90576e088 | Containerruntime.exe

Drops file in Windows directory 7 IoCs
Processes: Containerruntime.exe
description | ioc | process
File created | C:\Windows\Microsoft.NET\TrustedInstaller.exe | Containerruntime.exe
File created | C:\Windows\Microsoft.NET\04c1e7795967e4 | Containerruntime.exe
File created | C:\Windows\Tasks\RuntimeBroker.exe | Containerruntime.exe
File opened for modification | C:\Windows\Tasks\RuntimeBroker.exe | Containerruntime.exe
File created | C:\Windows\Tasks\9e8d7a4ca61bd9 | Containerruntime.exe
File created | C:\Windows\servicing\Editions\fontdrvhost.exe | Containerruntime.exe
File created | C:\Windows\servicing\Editions\5b884080fd4f94 | Containerruntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (39 instances)
pid | process
All 39 entries have process schtasks.exe; the pid column, in the order reported, is:
2292, 2388, 3588, 1732, 4512, 2224, 4208, 2000, 2940, 4208, 776, 1724, 3612, 2320, 4808, 4924, 1680, 3244, 2380, 732, 4692, 2120, 2940, 2200, 2904, 3216, 4612, 3104, 4276, 2644, 4368, 2036, 4920, 116, 4112, 3912, 2472, 4112, 5004
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS 2 IoCs
Processes: chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616426331143635" | chrome.exe

Modifies registry class 35 IoCs
Processes: chrome.exe, nursultan nexgen fix.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | chrome.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | chrome.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000 | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | chrome.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads" | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | nursultan nexgen fix.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | chrome.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | chrome.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | chrome.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | chrome.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | chrome.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | chrome.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | chrome.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | chrome.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | chrome.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | chrome.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | chrome.exe
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | chrome.exe

Modifies registry key 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes: chrome.exe, Containerruntime.exe, csrss.exe, chrome.exe
pid | process (number of entries)
3872 | chrome.exe (2)
4044 | Containerruntime.exe (6)
3460 | csrss.exe (14)
4104 | chrome.exe (2)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: csrss.exe
pid | process
3460 | csrss.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes: chrome.exe
pid | process (number of entries)
3872 | chrome.exe (6)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: chrome.exe, Containerruntime.exe, csrss.exe
description | pid | process (number of entries)
Token: SeShutdownPrivilege | 3872 | chrome.exe (31)
Token: SeCreatePagefilePrivilege | 3872 | chrome.exe (31, alternating with the SeShutdownPrivilege entries)
Token: SeDebugPrivilege | 4044 | Containerruntime.exe (1)
Token: SeDebugPrivilege | 3460 | csrss.exe (1)

Suspicious use of FindShellTrayWindow 41 IoCs
Processes: chrome.exe
pid | process (number of entries)
3872 | chrome.exe (41)

Suspicious use of SendNotifyMessage 32 IoCs
Processes: chrome.exe
pid | process (number of entries)
3872 | chrome.exe (32)

Suspicious use of SetWindowsHookEx 1 IoCs
Processes: chrome.exe
pid | process
3936 | chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: nursultan nexgen fix.exe, chrome.exe
description | pid | process | target process (number of entries)
PID 4488 wrote to memory of 3908 | 4488 | nursultan nexgen fix.exe | WScript.exe (3)
PID 3872 wrote to memory of 3568 | 3872 | chrome.exe | chrome.exe (2)
PID 3872 wrote to memory of 3524 | 3872 | chrome.exe | chrome.exe (33)
PID 3872 wrote to memory of 1148 | 3872 | chrome.exe | chrome.exe (2)
PID 3872 wrote to memory of 2596 | 3872 | chrome.exe | chrome.exe (24)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
(parent/child nesting is shown by indentation; each entry gives the image path, the command line, the PID and the signatures attributed to that process)

C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
  PID: 4488
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
      PID: 3908
      - Checks computer location settings
        C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
          PID: 3224
            C:\portagentbrowserweb\Containerruntime.exe
              command line: "C:\portagentbrowserweb\Containerruntime.exe"
              PID: 4044
              - Checks computer location settings
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
                C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe
                  command line: "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe"
                  PID: 3460
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\reg.exe
              command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              PID: 4056
              - Modifies registry key

C:\Program Files\Google\Chrome\Application\chrome.exe
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 3872
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83decab58,0x7ff83decab68,0x7ff83decab78
      PID: 3568
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:2
      PID: 3524
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:8
      PID: 1148
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:8
      PID: 2596
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:1
      PID: 3176
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:1
      PID: 3860
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:1
      PID: 4688
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3964 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:8
      PID: 1248
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:8
      PID: 2120
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:8
      PID: 1440
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:8
      PID: 3644
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:8
      PID: 4960
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4836 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:1
      PID: 2200
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4908 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:1
      PID: 3716
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3100 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:82⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3936 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:82⤵PID:5032
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:82⤵PID:4360
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2380 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4104 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1660 --field-trial-handle=1848,i,7246767317731037946,5414358530738114008,131072 /prefetch:12⤵PID:3292
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Tasks\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\TrustedInstaller.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\portagentbrowserweb\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\chrome.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Music\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\chrome.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chromec" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Saved Games\chrome.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\servicing\Editions\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\servicing\Editions\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\servicing\Editions\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\TrustedInstaller.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112
-
C:\Users\Public\Desktop\fontdrvhost.exe"C:\Users\Public\Desktop\fontdrvhost.exe"1⤵
- Executes dropped EXE
PID:436
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:1720
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:1692
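The thirty-nine schtasks lines above follow one template. For each of thirteen drop locations the sample registers a MINUTE-interval task (/mo 5 to 14), an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, so the dropped copy is relaunched every few minutes and at every logon even if one of the tasks is removed. Every target carries the name of a Windows binary (RuntimeBroker.exe, TrustedInstaller.exe, fontdrvhost.exe, taskhostw.exe, csrss.exe, explorer.exe) or of chrome.exe but sits in a directory where that binary does not belong, and every task name is either the binary's stem or the stem with its own first letter appended (RuntimeBrokerR, TrustedInstallerT, fontdrvhostf, chromec). The Python below is an added hunting example, not code from the sandbox or the sample: it parses schtasks /create command lines (five copied from this report plus one constructed benign control) and tags the masquerading path, the naming pattern, a HIGHEST run level on a non-system path, and a short MINUTE trigger. The expected-directory table, the 15-minute threshold and the tag names are assumptions to adjust per environment.

```python
"""Hunt for schtasks persistence of the kind shown in the process tree above.

Added example for this report; not code from the sandbox, the sample or the
RAT family. Expected install directories, the threshold and the tag names are
assumptions chosen for illustration.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: where these well-known binaries live on a default Windows 10
# install (lower-cased). The same file name anywhere else is a masquerade.
EXPECTED_DIRS = {
    "runtimebroker.exe": {r"c:\windows\system32"},
    "taskhostw.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "trustedinstaller.exe": {r"c:\windows\servicing"},
    "chrome.exe": {r"c:\program files\google\chrome\application",
                   r"c:\program files (x86)\google\chrome\application"},
}
MINUTE_THRESHOLD = 15  # assumption: a re-launch every <= 15 min is beacon-like

_OPT = {
    "tn": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "sc": re.compile(r"/sc\s+(\w+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "tr": re.compile(r'/tr\s+"([^"]+)"', re.I),  # value may be wrapped in '...'
    "rl": re.compile(r"/rl\s+(\w+)", re.I),
}


@dataclass
class Task:
    name: str
    schedule: str
    modifier: Optional[int]
    action: str
    run_level: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_schtasks(cmdline: str) -> Optional[Task]:
    """Pull the persistence-relevant switches out of a 'schtasks /create' line."""
    if not re.search(r"\bschtasks(\.exe)?\b.*/create\b", cmdline, re.I):
        return None

    def grab(key: str) -> Optional[str]:
        m = _OPT[key].search(cmdline)
        return m.group(1) if m else None

    mo = grab("mo")
    return Task(
        name=grab("tn") or "",
        schedule=(grab("sc") or "").upper(),
        modifier=int(mo) if mo else None,
        action=(grab("tr") or "").strip("'"),
        run_level=(grab("rl") or "").upper() or None,
    )


def assess(task: Task) -> Task:
    """Attach finding tags to a task; an empty list means nothing stood out."""
    base = ntpath.basename(task.action).lower()
    parent = ntpath.dirname(task.action).lower()
    expected = EXPECTED_DIRS.get(base)
    if expected is not None and parent not in expected:
        task.findings.append("masquerade:path")
        stem = ntpath.splitext(base)[0]
        # Naming tell visible in this report: the task name is the binary's stem
        # (RuntimeBroker) or the stem with its first letter appended (RuntimeBrokerR).
        if task.name.lower() in (stem, stem + stem[0]):
            task.findings.append("name:mimic")
        if task.run_level == "HIGHEST":
            task.findings.append("runlevel:highest")
    if (task.schedule == "MINUTE" and task.modifier is not None
            and task.modifier <= MINUTE_THRESHOLD):
        task.findings.append("trigger:minute")
    return task


def hunt(cmdlines: List[str]) -> Dict[str, List[Task]]:
    """Return only tasks with findings, grouped by the executable they launch."""
    hits: Dict[str, List[Task]] = {}
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is not None and assess(task).findings:
            hits.setdefault(task.action, []).append(task)
    return hits


# Constructed sample: five command lines copied from the process tree above
# plus one made-up benign task as a control.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Tasks\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\TrustedInstaller.exe'" /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Acme\backup.exe" /f''',  # control, constructed
]

if __name__ == "__main__":
    for action, tasks in hunt(SAMPLE_CMDLINES).items():
        print(action)
        for t in tasks:
            print(f"  {t.name:<18} {t.schedule:<7} mo={t.modifier} rl={t.run_level}  {', '.join(t.findings)}")
```

Feed it the command-line field of process-creation telemetry for schtasks.exe (Sysmon Event ID 1 or Security 4688). Tasks registered through the Task Scheduler API rather than schtasks.exe never produce such a command line; for those, apply the same directory and name checks to the action recorded in Security Event 4698.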
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e
  Filesize: 40KB
  MD5: aa12ea792026e66caab5841d4d0b9bab
  SHA1: 47beeba1239050999e8c98ded40f02ce82a78d3f
  SHA256: 65fe153a832452e97f5d484440a7047e314d3a83cb61ad2508fed48a820e1de1
  SHA512: 0b2b1bb8851c60c9d4ab1d039b990a4de5799c97c50b45f64e36a21849c14e785f69196f674ac225b1419d7f501338054074cab6203d041361a4fa1ed8802b27

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: e2fa70124a5aa4f7457b9db8e2631c5f
  SHA1: 581a1c9636f66494edd623803d51f956c8ae8567
  SHA256: f8b0b4bbd238151d0d9da376800cb305afb7d2f319bd1f585edf51316474c67d
  SHA512: f5bdbdb99544707b85290a0e1ed2c1eccf58e0ce9afd62842710794b25f07b49a742bb75f5ce34053b633c7365421a75ed4f57bb85b785b316c5694f7b6c1d37

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 816B
  MD5: fe7adae3647be48d7343732852b4d8c5
  SHA1: 8289c4fcf045ed3b8c9c4e77eba96e88a536ffdb
  SHA256: 7d5378c9bb8a6ca65bfa54e6a95a80b109966713cf1383f191061ba1ba2cdd33
  SHA512: 82e6d8552a8ff15df63ccc579d6998e4fc3c18281fed299c4a38378aa09897f78fe27afb1f051aeee91d58eedca76cb45a33bd0ff5e6342eaa0580ae359c3c0a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize: 4KB
  MD5: c3f94405d34693936d888aeeb5f068a8
  SHA1: 6cdbe4f730103dbaed864c4c2e695ab14423534a
  SHA256: 6bf124158e0b910fb2202365c1e0f770037db3f0b7b30ebe704f83fabc642e4c
  SHA512: 9913e4bf7f63ad2c569d05f0bee85bdc703ffe0881dc9def51a0b443971bcc0ecded00c4fdf405b321adba8ff27ec6e8707c1b35f62b083f8e183a3d1c7e820a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize: 4KB
  MD5: 3fc88e7edabd07ef6d6533bfc5d5db61
  SHA1: 47d6e9943c358e67d6c2a9cac6569e07ba2edb1b
  SHA256: 661e2f07fb779b2cfddb5f86f04f9859de2363c4c502b8c5b73cbe9820c2babf
  SHA512: 699e75e0a63f0ea5d7ccfedcd3f3f8782a819e89bf69628e0020e853ba1fc8895cd18dca209a7dc411b6dc9a0d35facf75f8631143f91619578eb403f8a89816

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize: 4KB
  MD5: d268c2174e2e49459cdc2f78dde724ca
  SHA1: 126fbd4ec4026d4d4dcc1b72dea1f8b2d61f523b
  SHA256: 259b9632bc1f6f66f0210db710a7895984ec2080e6affeec8e24b4513114ff1a
  SHA512: 11abcbd3f9d4d046b5da3b1d9b18aaf2dd813e0aa69413196235ba09e7be0afc6d1f7a44d48cb757504a241fcd45cf9060aee088050ce8673ef2c4e1b8ced3bc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize: 4KB
  MD5: 434a271b25e7a4a1fbba1fbe06e7cc13
  SHA1: f4e0339578dfe0ceaaaabbe6adcae8c72918674c
  SHA256: f44cf9dba0bc1f0cd765ce23280f5cac2746d2302e45a014d7dab524175b1b03
  SHA512: 823dc315ecc8abbb496078af7e6ad3ec5aab2edab56a258307ef93a0811ed39eff0054bb2701de27d41f1eb8b0e85a6946a47691538312c5e9ce23aa288ff25b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 524B
  MD5: c218ece61c4fcf8c1710f9021b5895f5
  SHA1: 1ef1a6399086cfcf8a452a2c2ac535bc398cf65c
  SHA256: ea7a4562213ab17f75b4ef96611fb24f8d4782325e1b55ab5ccebb4a7c6de011
  SHA512: 3422eb859399550bdcdf7ad2ac233c5240066ec5bdc8ccdf9dc6059d19c52463f1bb09411836af70e894556b6423964a59b7447c8985a0e8dabe791aa9a345d1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 354B
  MD5: 25b9dfbeef3216df437cc5ee283dca5a
  SHA1: 637cca343dd743b3266dadc0ee5733512851adc0
  SHA256: 8104064a9d6ca65122dace2c6b9ece599fbf3012201ef4161710fb927f6a31d4
  SHA512: c78ba6d01059d1d5bf640d4d2cf80ec17d59e6e857bc10981a4e5de34f6c53b75f8846437e3ba129bd5261ba528c4f5e1a9c424bdc79deed994e8e5ada17e788

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\f3f03314-7af9-42bb-b726-0733657f058b.tmp
  Filesize: 520B
  MD5: 8b266b99431252dfc899b9b71af3372f
  SHA1: 8235d9a94c77ad1f22c722b78b76b3143181fa0f
  SHA256: 126d41fe71a369dfa02f2d44883b18908cd65385518c88ca0c63e549f3767e26
  SHA512: c5a14cedb2b3a24b49daa49c0dd6dd04ee5356f381e9cae2814763ba667eedaacb4de4ddbb996ec580aad10d9d149de474a94546f38b1920e2cf6a1007284a75

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 80048611a0bf0a92c840a61fb6ebbfd2
  SHA1: f9e62e62e065a3fa49ecf8d1f2a38e6f74a5ada5
  SHA256: 3d9a61f7d207dcba6f2b648948f1e637f52db92bdce29382b22eb87dc4046307
  SHA512: cca9abd43ac542a96f5dbeb4bcca7778cd47857d7a91f1e41226fcfaf0df50b3ee9a06c54807d0ba42131d0683dd967970f27d78c9b8b0d3668e805d40869021

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 3d1acbcde1610f6dc0b46ed961b50c7b
  SHA1: 2e71d66838308648dd8697d64d8d1bca404e61ad
  SHA256: 0d44b66b723623b94fd4994bf793b84a98df9255ca3d6bb449a33a39d06e4646
  SHA512: 03799dff4a6495b83c8caf6978a980418c2527bb1f91c98e902f77c36be0c8414711cbcb2be8d982f120b55f7a22b78025266fb58bb6208a5278d1542e83737c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 7KB
  MD5: f157764a5f479bcd69c465a2b86d630e
  SHA1: 4dee93d0501e4c709599747ed213fb720a4e548c
  SHA256: a61039ba09a071ae764afd7c2cbf068c1b05b8ef527bc1d43bac78ea9bb1e421
  SHA512: 6c11db8c0c103b5644cf501b8e2d82fae4a70c2ee5216cd15320d29c883ba7b1e9ac0afefcfb5346b077c51aa40ffdd466220c915685be9fc7c5a859a0883f3d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 08f3ab37ec31a486dd1411124e365f71
  SHA1: 573f7c4795ac5cacf49bf3a1890ffd2c1a2c4915
  SHA256: 3e375da07e8ee0c082f38bc9b721d5105e799c3764dda63878c40f8cf4e422ab
  SHA512: 0ee29180feb82ec20f58b3292a07d78d6b1b4c3c38d3b48461f9359e0cce4145d005f89e9f682c3db0a03c5e0fe8803b77baf3cec770506e08daadf76a4e79eb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
  Filesize: 16KB
  MD5: 16ea8b94ca40a5db6fc9c9050dcf826d
  SHA1: 422a687637f0b1e82e5dbbf3498c3fc4f4b2a77f
  SHA256: 49d1cee38d074047e328673394e8f55833e725f95039746edd42f0fb3e698968
  SHA512: cf7afbc1d41ad830bf4324233051f1a13423a47e04950011b32ccbf894bc363555cd7094e1ed04c6021eccef79c759b9eca3663095b0164af4cee0edddd828fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 120B
  MD5: 6ae86f1f861291d664719a277ba2f256
  SHA1: 60ac7088bcba5c5e95ceb8aaf62cfb00704d7eb9
  SHA256: bc2832f1f14d0fa9d2efe67becd2bbab3ea0cb0da026e4a6e75bd1cd301da2d6
  SHA512: 4342dde6a121f0b905d573300b57d2c31fa4a4cd6b87f437ba9551231afd366f72dba73c036332bca2d7ed08c9fc232aed50f60cdcafe7abce68a0f01434288a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 120B
  MD5: 13cef9591e173da28c2f662d2bfc23f7
  SHA1: 04038ae73cab96adec1a61b2fdc5c30813fc563d
  SHA256: bc7e8209d3aec6cf8a8f95203e48ade5875a53944db50ac7b6d07456e19bdfde
  SHA512: 4f5ea5e60f8c5822fee41fa00d057609a96fd48fc69f18422cc2e432ff294db0fb9f2f811ddaa6a4aeef22fc7f8076460474c6c2fa49471c9420cd4241754361

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 56B
  MD5: 94275bde03760c160b707ba8806ef545
  SHA1: aad8d87b0796de7baca00ab000b2b12a26427859
  SHA256: c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968
  SHA512: 2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fe9f94be-428d-415f-a07c-3230f93c3230.tmp
  Filesize: 7KB
  MD5: 5964e99e2d40501720cbbab9291d6850
  SHA1: da238b2fef393f139153da6e80ed535365002058
  SHA256: 6673949f8a6f3d637b282ae7f805d8b4dda32ab660e96253d3281fe4c2b1410f
  SHA512: 7fc2568dd31c4ef1a09b0c2ca1f3cc439bd7644ae8c35ace63fe157bea53e653908d5f5261d6af945c16a12c3bb985c5d1e24aab58e345c0030fc4ddda3d570d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 261KB
  MD5: c1dbf74737c1880c9397a8d595fd126d
  SHA1: 5fce05fb288281e8c525232fd594955f795f6f53
  SHA256: 40476e3e0f31f294de8618f8a2b245af99a9266f696d8b995668b8a2bdb6e89c
  SHA512: 0726c3b954d1dcc32422a98a405e647b801ab0d5ed8fb10a7230b04d6b36d682aa8613b98f0eff412b4da1b8c7b2cc6b5f974e2b1757fd10fc807aad123ae983

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
  Filesize: 93KB
  MD5: 41989bb54cc789ead00d257a8bd19f55
  SHA1: 1ee99f46e02ed742c62ba121380ac523ee94660b
  SHA256: 6989cacfff9bb1398d2ee1625262ea38e04a2b056d6f5ac776c6e9e71aa2095e
  SHA512: 08d94cccea6cfc0bf6d143b048ea57589ca1d48f714add75e0a6b4cb4f33b0373eb7788c4a8edd4eed489ecf2053a4ef4cd0c15f85a1da9f322ab20ad30ff41d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57c217.TMP
  Filesize: 87KB
  MD5: bddfc85a03e81a0e15d3374b0071be1c
  SHA1: bd22cf0b57afb39492ad97d1ebdaba753d2d4371
  SHA256: aa647236ec86c63ebc8335961815c38d4c5ec5de5fe9c0a18e6638a78a9ea9c3
  SHA512: dc4478bad09d9069b7086c3006932570938ee747aae21029e113c79c279aa553c3b2d41dc0731f141767159f2a7bd3e7a8443858dd73b766f0e806bc6a39608a

C:\Users\Admin\Downloads\0c7d6c48-6ab9-418f-92aa-ae9b66d5b2d7.tmp
  Filesize: 800KB
  MD5: 1fd745385626f7a36064a8ab23642c9b
  SHA1: 4a5c67d1fbf6a31a90a421469bf0f93b3a8b5109
  SHA256: 34233b15b7dbf53119ec4334e7d3fb99826bd593a00c439ac99379af874890fa
  SHA512: f628e6048c02862984f28a1f9ce2391d6985e42253e0c13b4e395e3263609e388480bea7088eb6103a24d2612e359adcf5a0efc006eabd34a92620bc25ad19f5

C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat
  Filesize: 157B
  MD5: c8f8a078dace2ff4cb106803c9199643
  SHA1: a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
  SHA256: 1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
  SHA512: efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999

C:\portagentbrowserweb\Containerruntime.exe
  Filesize: 1.2MB
  MD5: 5887a563351ca99247b7e2c448bd9f2e
  SHA1: b24695e88143863297535989900bb7521ea86d67
  SHA256: e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
  SHA512: b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107

C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe
  Filesize: 220B
  MD5: 61a07f2f9e8e9b1f5175b2d60c3e3f18
  SHA1: e695b0c2b43c786453bf3f6ae504f0626951d281
  SHA256: 5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
  SHA512: 8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d

\??\pipe\crashpad_3872_WSTAOFEJGCWGZTDH
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (No size is reported and all four digests are those of zero-length input: the named pipe yielded no content, so this entry is not a usable file indicator.)

memory/4044-52-0x0000000003320000-0x000000000333C000-memory.dmp
  Filesize: 112KB

memory/4044-53-0x000000001C3C0000-0x000000001C410000-memory.dmp
  Filesize: 320KB

memory/4044-54-0x0000000003340000-0x0000000003356000-memory.dmp
  Filesize: 88KB

memory/4044-55-0x00000000031C0000-0x00000000031CC000-memory.dmp
  Filesize: 48KB

memory/4044-51-0x0000000000FB0000-0x00000000010E2000-memory.dmp
  Filesize: 1.2MB