Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 15:34
Behavioral task: behavioral1
- Sample: nursultan nexgen fix.exe
- Resource: win7-20240221-en
General
- Target: nursultan nexgen fix.exe
- Size: 1.5MB
- MD5: a3d07c747770c9a471a44446e46e33d5
- SHA1: 8340534fb1770bae9660287ddb0496e243efcfe4
- SHA256: 16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
- SHA512: 307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
- SSDEEP: 24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (39 instances)

| description | pid | pid_target | process |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | (see list below) | 1424 | schtasks.exe |

All 39 rows share the description, pid_target 1424 and process schtasks.exe above; the pid column, in the original order, reads: 2756, 536, 3472, 3780, 4704, 3988, 1364, 404, 4888, 4076, 228, 3608, 748, 3604, 1516, 3852, 3144, 1156, 4500, 5076, 1524, 2536, 1028, 1044, 3372, 1268, 5004, 864, 908, 2032, 2792, 384, 4668, 3184, 3332, 3060, 2468, 3820, 4980.
Processes (YARA matches):

| resource | yara_rule |
|---|---|
| C:\portagentbrowserweb\Containerruntime.exe | dcrat |
| behavioral2/memory/5112-13-0x0000000000960000-0x0000000000A92000-memory.dmp | dcrat |
Disables Task Manager via registry modification
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe, Containerruntime.exe, nursultan nexgen fix.exe

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | WScript.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | Containerruntime.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | nursultan nexgen fix.exe |
Executes dropped EXE 2 IoCs
Processes: Containerruntime.exe, fontdrvhost.exe

| pid | process |
|---|---|
| 5112 | Containerruntime.exe |
| 4228 | fontdrvhost.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 10 IoCs
Processes: Containerruntime.exe

| description | ioc | process |
|---|---|---|
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RuntimeBroker.exe | Containerruntime.exe |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\9e8d7a4ca61bd9 | Containerruntime.exe |
| File created | C:\Program Files (x86)\Windows Mail\conhost.exe | Containerruntime.exe |
| File created | C:\Program Files (x86)\Windows Mail\088424020bedd6 | Containerruntime.exe |
| File created | C:\Program Files\Mozilla Firefox\fonts\System.exe | Containerruntime.exe |
| File created | C:\Program Files\Common Files\TextInputHost.exe | Containerruntime.exe |
| File created | C:\Program Files\Common Files\22eafd247d37c3 | Containerruntime.exe |
| File created | C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe | Containerruntime.exe |
| File created | C:\Program Files\Mozilla Firefox\fonts\27d1bcfc3c54e0 | Containerruntime.exe |
| File created | C:\Program Files\Reference Assemblies\Microsoft\9e8d7a4ca61bd9 | Containerruntime.exe |
Drops file in Windows directory 5 IoCs
Processes: Containerruntime.exe

| description | ioc | process |
|---|---|---|
| File created | C:\Windows\Panther\actionqueue\RuntimeBroker.exe | Containerruntime.exe |
| File created | C:\Windows\Panther\actionqueue\9e8d7a4ca61bd9 | Containerruntime.exe |
| File created | C:\Windows\Logs\DISM\RuntimeBroker.exe | Containerruntime.exe |
| File created | C:\Windows\Logs\DISM\9e8d7a4ca61bd9 | Containerruntime.exe |
| File created | C:\Windows\CSC\services.exe | Containerruntime.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (39 instances)

Every row of the pid/process table names schtasks.exe; the pids, in the original order, are: 3608, 2792, 1268, 908, 4668, 1516, 3852, 2536, 3372, 4704, 404, 384, 3184, 3060, 4076, 3604, 864, 2032, 748, 3820, 4980, 3472, 3988, 1028, 3332, 1156, 5076, 1524, 1044, 536, 3780, 1364, 228, 5004, 2468, 2756, 4888, 3144, 4500.
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe |
Modifies data under HKEY_USERS 2 IoCs
Processes: chrome.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133616433689554703" | chrome.exe |
Modifies registry class 3 IoCs
Processes: chrome.exe, nursultan nexgen fix.exe, Containerruntime.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018855536-2201274732-320770143-1000\{D148C876-8B57-4D0B-B80F-28CF85C6FD43} | chrome.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | nursultan nexgen fix.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | Containerruntime.exe |
Modifies registry key 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes: Containerruntime.exe, fontdrvhost.exe, chrome.exe

| pid | process | rows in original |
|---|---|---|
| 5112 | Containerruntime.exe | 10 |
| 4228 | fontdrvhost.exe | 13 |
| 4520 | chrome.exe | 2 |
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: fontdrvhost.exe

| pid | process |
|---|---|
| 4228 | fontdrvhost.exe |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes: chrome.exe

| pid | process | rows in original |
|---|---|---|
| 4520 | chrome.exe | 5 |
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: Containerruntime.exe, fontdrvhost.exe, chrome.exe, AUDIODG.EXE

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 5112 | Containerruntime.exe |
| Token: SeDebugPrivilege | 4228 | fontdrvhost.exe |
| Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating (60 rows in total) | 4520 | chrome.exe |
| Token: 33 | 5092 | AUDIODG.EXE |
| Token: SeIncBasePriorityPrivilege | 5092 | AUDIODG.EXE |

In the original order the two AUDIODG.EXE rows fall between the chrome.exe rows.
Suspicious use of FindShellTrayWindow 27 IoCs
Processes: chrome.exe

| pid | process | rows in original |
|---|---|---|
| 4520 | chrome.exe | 27 |
Suspicious use of SendNotifyMessage 24 IoCs
Processes: chrome.exe

| pid | process | rows in original |
|---|---|---|
| 4520 | chrome.exe | 24 |
Suspicious use of WriteProcessMemory 64 IoCs
Processes: nursultan nexgen fix.exe, WScript.exe, cmd.exe, Containerruntime.exe, cmd.exe, chrome.exe

Rows that the original repeats verbatim are listed once here (64 rows in total).

| description | pid | process | target process |
|---|---|---|---|
| PID 1648 wrote to memory of 3452 | 1648 | nursultan nexgen fix.exe | WScript.exe |
| PID 3452 wrote to memory of 4036 | 3452 | WScript.exe | cmd.exe |
| PID 4036 wrote to memory of 5112 | 4036 | cmd.exe | Containerruntime.exe |
| PID 5112 wrote to memory of 1844 | 5112 | Containerruntime.exe | cmd.exe |
| PID 4036 wrote to memory of 2440 | 4036 | cmd.exe | reg.exe |
| PID 1844 wrote to memory of 3564 | 1844 | cmd.exe | w32tm.exe |
| PID 1844 wrote to memory of 4228 | 1844 | cmd.exe | fontdrvhost.exe |
| PID 4520 wrote to memory of 3184 | 4520 | chrome.exe | chrome.exe |
| PID 4520 wrote to memory of 3796 | 4520 | chrome.exe | chrome.exe |
| PID 4520 wrote to memory of 4408 | 4520 | chrome.exe | chrome.exe |
| PID 4520 wrote to memory of 4048 | 4520 | chrome.exe | chrome.exe |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry gives the image path, the PID, the command line and the signatures the process matched; indentation follows the parent/child depth of the original tree.

- C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe (PID 1648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 3452)
    Command line: "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4036)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
      Signatures: Suspicious use of WriteProcessMemory
      - C:\portagentbrowserweb\Containerruntime.exe (PID 5112)
        Command line: "C:\portagentbrowserweb\Containerruntime.exe"
        Signatures: Checks computer location settings; Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\System32\cmd.exe (PID 1844)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EJw9Wgz0Nc.bat"
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\w32tm.exe (PID 3564)
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          - C:\Users\Public\Desktop\fontdrvhost.exe (PID 4228)
            Command line: "C:\Users\Public\Desktop\fontdrvhost.exe"
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\reg.exe (PID 2440)
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        Signatures: Modifies registry key
The following 39 top-level processes all have the image path C:\Windows\system32\schtasks.exe and all matched the signatures Process spawned unexpected child process and Creates scheduled task(s); each line gives the PID and the command line.

- PID 2756: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
- PID 3472: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
- PID 536: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
- PID 3780: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RuntimeBroker.exe'" /f
- PID 4704: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 3988: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 404: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\DISM\RuntimeBroker.exe'" /f
- PID 1364: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 4888: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\DISM\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 228: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /f
- PID 4076: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
- PID 3608: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
- PID 1516: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\portagentbrowserweb\System.exe'" /f
- PID 3604: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\portagentbrowserweb\System.exe'" /rl HIGHEST /f
- PID 748: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\portagentbrowserweb\System.exe'" /rl HIGHEST /f
- PID 3852: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /f
- PID 3144: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
- PID 1156: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
- PID 5076: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fonts\System.exe'" /f
- PID 4500: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\System.exe'" /rl HIGHEST /f
- PID 2536: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\fonts\System.exe'" /rl HIGHEST /f
- PID 1524: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\TextInputHost.exe'" /f
- PID 1028: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\TextInputHost.exe'" /rl HIGHEST /f
- PID 1044: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\TextInputHost.exe'" /rl HIGHEST /f
- PID 3372: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
- PID 1268: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
- PID 5004: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
- PID 864: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\portagentbrowserweb\dllhost.exe'" /f
- PID 908: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\portagentbrowserweb\dllhost.exe'" /rl HIGHEST /f
- PID 2032: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\portagentbrowserweb\dllhost.exe'" /rl HIGHEST /f
- PID 2792: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
- PID 384: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
- PID 4668: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
- PID 3184: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /f
- PID 3332: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 3060: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 2468: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\actionqueue\RuntimeBroker.exe'" /f
- PID 3820: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 4980: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Panther\actionqueue\RuntimeBroker.exe'" /rl HIGHEST /f
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4520)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3184)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffff75dab58,0x7ffff75dab68,0x7ffff75dab78
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3796)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4408)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4048)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2344)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 532)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2212)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4444 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:82⤵PID:4480
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:82⤵PID:3988
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:82⤵PID:3608
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:82⤵PID:4904
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:82⤵PID:3916
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4604 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:12⤵PID:5032
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4172 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:12⤵PID:3860
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4804 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:82⤵PID:4728
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3112 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:82⤵PID:5104
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:82⤵
- Modifies registry class
PID:2868 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1932,i,10493878173490385753,2790694115700871235,131072 /prefetch:82⤵PID:376
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:4592
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x320 0x3081⤵
- Suspicious use of AdjustPrivilegeToken
PID:5092
Network
MITRE ATT&CK Enterprise v15
Downloads