Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 15:34
Behavioral task
behavioral1
Sample
nursultan nexgen fix.exe
Resource
win7-20240221-en
General
-
Target
nursultan nexgen fix.exe
-
Size
1.5MB
-
MD5
a3d07c747770c9a471a44446e46e33d5
-
SHA1
8340534fb1770bae9660287ddb0496e243efcfe4
-
SHA256
16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
-
SHA512
307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
-
SSDEEP
24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1996 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4552 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 696 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1388 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3068 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4644 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4188 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 556 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 628 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2564 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5052 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2316 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1584 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1552 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2296 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3880 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3520 1968 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 564 1968 schtasks.exe -
Processes:
resource yara_rule C:\portagentbrowserweb\Containerruntime.exe dcrat behavioral2/memory/4108-13-0x0000000000520000-0x0000000000652000-memory.dmp dcrat -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
nursultan nexgen fix.exeWScript.exeContainerruntime.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation nursultan nexgen fix.exe Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation Containerruntime.exe -
Executes dropped EXE 2 IoCs
Processes:
Containerruntime.exedwm.exepid process 4108 Containerruntime.exe 3536 dwm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 5 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Program Files\Internet Explorer\images\lsass.exe Containerruntime.exe File opened for modification C:\Program Files\Internet Explorer\images\lsass.exe Containerruntime.exe File created C:\Program Files\Internet Explorer\images\6203df4a6bafc7 Containerruntime.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe Containerruntime.exe File created C:\Program Files (x86)\Microsoft.NET\RedistList\5940a34987c991 Containerruntime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2564 schtasks.exe 2316 schtasks.exe 3520 schtasks.exe 628 schtasks.exe 696 schtasks.exe 1388 schtasks.exe 3068 schtasks.exe 4644 schtasks.exe 4188 schtasks.exe 1584 schtasks.exe 2296 schtasks.exe 4552 schtasks.exe 3880 schtasks.exe 556 schtasks.exe 5052 schtasks.exe 1552 schtasks.exe 564 schtasks.exe 1996 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies registry class 1 IoCs
Processes:
nursultan nexgen fix.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings nursultan nexgen fix.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
Containerruntime.exedwm.exechrome.exepid process 4108 Containerruntime.exe 4108 Containerruntime.exe 4108 Containerruntime.exe 4108 Containerruntime.exe 4108 Containerruntime.exe 3536 dwm.exe 3536 dwm.exe 3536 dwm.exe 3536 dwm.exe 3536 dwm.exe 3536 dwm.exe 3536 dwm.exe 3536 dwm.exe 3536 dwm.exe 3536 dwm.exe 3536 dwm.exe 3536 dwm.exe 3536 dwm.exe 2476 chrome.exe 2476 chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
dwm.exepid process 3536 dwm.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
chrome.exepid process 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
Containerruntime.exedwm.exechrome.exedescription pid process Token: SeDebugPrivilege 4108 Containerruntime.exe Token: SeDebugPrivilege 3536 dwm.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeCreatePagefilePrivilege 2476 chrome.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
Processes:
chrome.exepid process 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
chrome.exepid process 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe 2476 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
nursultan nexgen fix.exeWScript.execmd.exeContainerruntime.exechrome.exedescription pid process target process PID 4940 wrote to memory of 1560 4940 nursultan nexgen fix.exe WScript.exe PID 4940 wrote to memory of 1560 4940 nursultan nexgen fix.exe WScript.exe PID 4940 wrote to memory of 1560 4940 nursultan nexgen fix.exe WScript.exe PID 1560 wrote to memory of 4204 1560 WScript.exe cmd.exe PID 1560 wrote to memory of 4204 1560 WScript.exe cmd.exe PID 1560 wrote to memory of 4204 1560 WScript.exe cmd.exe PID 4204 wrote to memory of 4108 4204 cmd.exe Containerruntime.exe PID 4204 wrote to memory of 4108 4204 cmd.exe Containerruntime.exe PID 4108 wrote to memory of 3536 4108 Containerruntime.exe dwm.exe PID 4108 wrote to memory of 3536 4108 Containerruntime.exe dwm.exe PID 4204 wrote to memory of 5036 4204 cmd.exe reg.exe PID 4204 wrote to memory of 5036 4204 cmd.exe reg.exe PID 4204 wrote to memory of 5036 4204 cmd.exe reg.exe PID 2476 wrote to memory of 4584 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4584 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 2964 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 448 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 448 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe PID 2476 wrote to memory of 4512 2476 chrome.exe chrome.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\portagentbrowserweb\Containerruntime.exe"C:\portagentbrowserweb\Containerruntime.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Users\All Users\SoftwareDistribution\dwm.exe"C:\Users\All Users\SoftwareDistribution\dwm.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3536 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:5036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\portagentbrowserweb\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\SoftwareDistribution\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\SoftwareDistribution\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff96db3ab58,0x7ff96db3ab68,0x7ff96db3ab782⤵PID:4584
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1972,i,1860838894579277561,6265972624126001939,131072 /prefetch:22⤵PID:2964
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1972,i,1860838894579277561,6265972624126001939,131072 /prefetch:82⤵PID:448
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1972,i,1860838894579277561,6265972624126001939,131072 /prefetch:82⤵PID:4512
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1972,i,1860838894579277561,6265972624126001939,131072 /prefetch:12⤵PID:872
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1972,i,1860838894579277561,6265972624126001939,131072 /prefetch:12⤵PID:1884
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4512 --field-trial-handle=1972,i,1860838894579277561,6265972624126001939,131072 /prefetch:12⤵PID:2556
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1972,i,1860838894579277561,6265972624126001939,131072 /prefetch:82⤵PID:3008
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1972,i,1860838894579277561,6265972624126001939,131072 /prefetch:82⤵PID:2956
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:868
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.batFilesize
157B
MD5c8f8a078dace2ff4cb106803c9199643
SHA1a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA2561b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
-
C:\portagentbrowserweb\Containerruntime.exeFilesize
1.2MB
MD55887a563351ca99247b7e2c448bd9f2e
SHA1b24695e88143863297535989900bb7521ea86d67
SHA256e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbeFilesize
220B
MD561a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1e695b0c2b43c786453bf3f6ae504f0626951d281
SHA2565c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA5128ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
-
\??\pipe\crashpad_2476_SVVMGAUKPDGOCOEUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4108-12-0x00007FF95DC93000-0x00007FF95DC95000-memory.dmpFilesize
8KB
-
memory/4108-13-0x0000000000520000-0x0000000000652000-memory.dmpFilesize
1.2MB
-
memory/4108-14-0x0000000000F70000-0x0000000000F8C000-memory.dmpFilesize
112KB
-
memory/4108-15-0x000000001B230000-0x000000001B280000-memory.dmpFilesize
320KB
-
memory/4108-16-0x0000000002880000-0x0000000002896000-memory.dmpFilesize
88KB
-
memory/4108-17-0x00000000028A0000-0x00000000028AC000-memory.dmpFilesize
48KB