Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-08-2024 05:04

Behavioral task: behavioral1
Sample: Venom.exe
Resource: win7-20240708-en

Note: the signatures and process tree reproduced below come from the Windows 10 task (the in-memory YARA hit is recorded under behavioral2/...); the Windows 7 task (behavioral1) is listed but its results are not reproduced on this page.
General

Target: Venom.exe
Size: 3.1MB
MD5: 1348632fc2ede08cab5db1cb174ff0d3
SHA1: 2a1966291aa0e7aee1b039a1a75fa4879489a2be
SHA256: 900cb76890979aa50347b7b929ef1babd7c677966f642aa4d74cf973136a48bf
SHA512: 52f68303d71f1293b02784539ef3250a95cf9ef4cb868e26e381a86667ab4f5cfc5a36d462ff746dc021bc0420cf8f0b31b050ec4142fb1be4b8f626fae39edb
SSDEEP: 49152:avht62XlaSFNWPjljiFa2RoUYItFW7Bxn+oGdzTHHB72eh2NT:avL62XlaSFNWPjljiFXRoUYIrW2
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Tag: Office04 (the Quasar builder's default tag, so it does not identify a campaign)
C2: 192.168.0.246:4782
Mutex: 1e9de725-2f46-4350-b6c8-78b3b776a085
encryption_key: ACF3D3BDCC7612495B863F26348AD4EE3B96458B
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds)
startup_key: venom
subdirectory: SubDir

Note: the C2 is an RFC 1918 (private LAN) address, so the client could not have reached its server from the sandbox; the empty Network section below is consistent with that, and 192.168.0.246:4782 is only useful as an indicator on the network the sample was built for. The install settings match the process tree below: the sample copies itself to %APPDATA%\SubDir\Client.exe (subdirectory + install_name under the user's Roaming profile) and registers a scheduled task named after startup_key ("venom").
Signatures

Quasar payload (2 IoCs)
  yara_rule family_quasar: behavioral2/memory/4272-1-0x0000000000390000-0x00000000006B4000-memory.dmp
  yara_rule family_quasar: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Executes dropped EXE (1 IoC)
  PID 5080 Client.exe

Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF (chrome.exe)
  File created: \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF (chrome.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)

Modifies data under HKEY_USERS (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1408 schtasks.exe
  PID 2264 schtasks.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 1564 chrome.exe (3 entries)
  PID 3380 chrome.exe (4 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 5080 Client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  PID 1564 chrome.exe (7 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs, list capped at 64)
  Token: SeDebugPrivilege, PID 4272 Venom.exe
  Token: SeDebugPrivilege, PID 5080 Client.exe
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege, PID 1564 chrome.exe (alternating; all remaining entries)

Suspicious use of FindShellTrayWindow (27 IoCs)
  PID 5080 Client.exe (1 entry)
  PID 1564 chrome.exe (26 entries)

Suspicious use of SendNotifyMessage (25 IoCs)
  PID 5080 Client.exe (1 entry)
  PID 1564 chrome.exe (24 entries)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 5080 Client.exe

Suspicious use of WriteProcessMemory (64 IoCs, list capped at 64)
  PID 4272 Venom.exe wrote to memory of PID 2264 schtasks.exe (2 entries)
  PID 4272 Venom.exe wrote to memory of PID 5080 Client.exe (2 entries)
  PID 5080 Client.exe wrote to memory of PID 1408 schtasks.exe (2 entries)
  PID 1564 chrome.exe wrote to memory of PID 4212 chrome.exe (2 entries)
  PID 1564 chrome.exe wrote to memory of PID 1036 chrome.exe (repeated)
  PID 1564 chrome.exe wrote to memory of PID 2436 chrome.exe (2 entries)
  PID 1564 chrome.exe wrote to memory of PID 1172 chrome.exe (repeated)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Reading the signatures: chrome.exe (PID 1564 and its children) is a separate top-level process tree in this run, not a child of Venom.exe, so the System32 file drops, the BIOS registry reads, the TPM telemetry key and the chrome.exe token and WriteProcessMemory entries are browser noise, not sample behaviour. The signals attributable to the sample are the two family_quasar YARA hits (in memory at PID 4272 and on the dropped Client.exe), execution of the dropped copy, the two schtasks runs, SeDebugPrivilege requested by both Venom.exe and Client.exe, and Client.exe's SetWindowsHookEx and repeated GetForegroundWindow calls, which fit keystroke logging per foreground window and match the log_directory in the extracted config. The WriteProcessMemory entries for Venom.exe and Client.exe target only their own newly created children, which is the normal parent write at process creation rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\Venom.exe (PID 4272)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Venom.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe (PID 2264)
      cmdline: "schtasks" /create /tn "venom" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 5080)
      cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SYSTEM32\schtasks.exe (PID 1408)
          cmdline: "schtasks" /create /tn "venom" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1564)
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4212)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffccfbdcc40,0x7ffccfbdcc4c,0x7ffccfbdcc58

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1036)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2436)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2396 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1172)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2420 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4544)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3156 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4704)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2284)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4344,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4492 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 568)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4624,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4812 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2440)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4840 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4788)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5076,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3672 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4956)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3296,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4380 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3624)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3104,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5268 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2136)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3388,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5088 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3380)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5008,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1148 /prefetch:8
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2716)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3292,i,14814256830759992817,649048372045922398,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5416 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 3848)
  cmdline: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe (PID 1292)
  cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\AUDIODG.EXE (PID 2576)
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x3c8 0x470
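The two schtasks command lines in the tree above are the sample's persistence mechanism: a logon-triggered task named after startup_key, pointing at the dropped copy under the user's Roaming profile, requesting the highest run level, created once by Venom.exe and once more by Client.exe. The following is an added example, not part of the report and not Quasar code, showing how a detection engineer can flag exactly that in process-creation telemetry. The records are constructed from the report's process tree (same PIDs, images and command lines) plus one benign control that is not in the report; the record fields (pid, ppid, image, cmdline) are assumed Sysmon-style fields, not a particular product's schema.

```python
"""Flag scheduled-task persistence of the kind this report records.

Added example: not part of the sandbox report and not Quasar's code. It walks
Sysmon-style process-creation records, parses every `schtasks /create`, and
reports tasks whose action lives in a user-writable directory, noting a logon
trigger, a HIGHEST run level and an untrusted parent. SAMPLE_EVENTS is
constructed from the report's process tree (same PIDs, images and command
lines) plus one benign control record that is not in the report.
"""
import ntpath
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)
TRUSTED_PARENT = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.IGNORECASE)

VENOM_TASK = (
    r'"schtasks" /create /tn "venom" /sc ONLOGON '
    r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'
)
SAMPLE_EVENTS = [
    ProcEvent(4272, 0, r"C:\Users\Admin\AppData\Local\Temp\Venom.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Venom.exe"'),
    ProcEvent(2264, 4272, r"C:\Windows\SYSTEM32\schtasks.exe", VENOM_TASK),
    ProcEvent(5080, 4272, r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
              r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'),
    ProcEvent(1408, 5080, r"C:\Windows\SYSTEM32\schtasks.exe", VENOM_TASK),
    # benign control (constructed, not in the report): daily task for a Program Files binary
    ProcEvent(900, 800, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f'),
]


def parse_schtasks_create(cmdline):
    """Return {switch: value} for a `schtasks /create` command line, else None.

    shlex with posix=False keeps Windows backslashes literal and keeps the quotes
    on quoted arguments; the quotes are then stripped per token.
    """
    try:
        toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes
        return None
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    opts = {}
    i = 1
    while i < len(toks):
        if lowered[i] in ("/tn", "/sc", "/tr", "/rl", "/ru") and i + 1 < len(toks):
            opts[lowered[i]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return opts


def analyze(events):
    """One finding per `schtasks /create` whose action runs from a user-writable path."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        opts = parse_schtasks_create(ev.cmdline)
        if not opts or "/tr" not in opts:
            continue
        action = opts["/tr"].lstrip('"')  # the action string starts with the executable path
        if not USER_WRITABLE.match(action):
            continue
        reasons = ["action_in_user_writable_dir"]
        if opts.get("/sc", "").upper() == "ONLOGON":
            reasons.append("logon_trigger")
        if opts.get("/rl", "").upper() == "HIGHEST":
            reasons.append("run_level_highest")
        parent = by_pid.get(ev.ppid)
        if parent is not None and not TRUSTED_PARENT.match(parent.image):
            reasons.append("untrusted_parent:" + ntpath.basename(parent.image))
        findings.append({"pid": ev.pid, "task": opts.get("/tn", ""), "action": action, "reasons": reasons})
    return findings


def recreated_tasks(events):
    """Task name -> parent PIDs, for tasks created by more than one distinct parent.

    The report shows the same task created first by Venom.exe and again by the
    dropped Client.exe: the installed copy re-asserts persistence after install.
    """
    creators = {}
    for ev in events:
        opts = parse_schtasks_create(ev.cmdline)
        if opts and "/tn" in opts:
            creators.setdefault(opts["/tn"], set()).add(ev.ppid)
    return {name: ppids for name, ppids in creators.items() if len(ppids) > 1}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
    print(recreated_tasks(SAMPLE_EVENTS))
```

The user-writable check is the gate and the other three observations are reasons attached to a hit, because a task whose action is under Program Files is routine even with /rl HIGHEST, whereas one whose action is under AppData is worth a look even without it. recreated_tasks catches the second-stage pattern specific to this sample: the same task name created by two different parents, the dropper and the dropped copy.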
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 768B
MD5: b3a15c908217a7e202eb62c8fc1d20b2
SHA1: 93990ede81a453149d55b1c9bdd200441925f8ff
SHA256: 994a18fb24a55c81c51cbf4a54a867d59d6b857eafdf286764099f624b1244ce
SHA512: 94cc3d566aa8e21843a27c54993f06293dfefbac724070db0c746614cde970805ed02a38f1daaa25aad0a7799f1c088c84a75b0a7a127534883dac95c1f87eb8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001
Filesize: 23B
MD5: 3fd11ff447c1ee23538dc4d9724427a3
SHA1: 1335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256: 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA512: 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Filesize: 2KB
MD5: f498bcf06d672f95d68da21b96b49e8e
SHA1: 69482c9dec33294af256dd4c5847561bf4ccabd0
SHA256: d8a708d237b329db04681c20efbdadeadc164c909c53a209b44764f824fffd4f
SHA512: dadc23e920fb2d492bab4f0b9d22f3653ebf34f289be4be60e3c1a8e5e59fd8941a9394e52928896c74a8bd07363e6f42f2b2418a3f86129e086f880238bbd17

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 356B
MD5: 1589524b0f4a9a24ea73fcb41bfb9aaf
SHA1: aca34a8128ca075d25c38a40379f3034e5b194e1
SHA256: db44a873bf770d0637fa088f5db8b21c928245afafaff9245a90fd8cef93a4e3
SHA512: 95597927c853df02fb8a7bf786d17d7a8edfb390bb7481176f724d54700c818ce153bd883254bacd1d8e9b7a163965857bbca7bcf16d7f14f1d1af2ac26c6851

Filesize: 691B
MD5: 68501d443c86fcd40e4593e6a3ed83a5
SHA1: 1cff5c4a514db80e2c86b25a466ae8579727fce9
SHA256: 26bbf154e4321d344642afd11f5bd8806098d032c9114d45f4327a6a412c7c0e
SHA512: 4872a48e9cbc29180b6955c2dcf6ca3e823136003dc54180329ef554a0d0d6d7e39b717625e1f69f9c9adef12dbda9f68768781ef4e1b6fff9bf6d0123b1b15a

Filesize: 691B
MD5: 180f88a324b8dbe51c63e180e8520a6b
SHA1: 3093b2d814ee50e6d907ef5e214b32dd513a8d52
SHA256: af37fee3594815d501bf4387cddbfc21c9a1063875e86b0b8b7af8e4dce109b8
SHA512: 1a83bb74c8833a5338937f6de06e0261bb997023930fff047d08d54e2f0c2b597a8a6f1f1d951b590b10971de858253b13f275005f30b9e5d94b49887b4c59e7

Filesize: 8KB
MD5: 00674178bcf69e1c107fd97da661a0b4
SHA1: dc495113a1a7d5d22e3c063c1e94998343ffa662
SHA256: ffaf596efdb838189786830a16c93e028b7831236e5b5cc7c54be8cde2b1b88e
SHA512: fd4b3dba4dc67df70e77dad9efb328dae571689c0ad5591055f5a0292eb4e47bda388896882984af0583781901a9b5b500319b91862242aa139135313e421ede

Filesize: 7KB
MD5: 8fb660722308101678e69fa7dffd7a7c
SHA1: afa639fff23f2cfc49e4c95fb48022907526a86b
SHA256: 89d2792bffa9f8129b1f577fb5dd4aef964e641e34c4605500779ee347146efe
SHA512: 6a0261737c1d1a01393cab951c95cfdfd6c6d9d09f18e214db6c19bf939209101546eaec81dcdb5482ed938fa4dfd30cdf4ec6338c1215cd5c75d318f00c34a0

Filesize: 8KB
MD5: 3f65b6230925a9bce11384552a6b6d7f
SHA1: f24f8052254ced7f133f2a6020994111d472a756
SHA256: 2ea559139e61c2b2b3f4c5555ff6b3e3d44c5d1a329c4654dce4a0cf3c002469
SHA512: b8a86bbb65cf2beffbbe3a9513fbfd4fa99e92c0ca97f919e38f55cdb241e0bee8e895e51fa5850c3bb1063ff5f948100e4e4e72048c56dc766aae13d6685f1b

Filesize: 8KB
MD5: a7dc62176696f8db54ece9527507d1da
SHA1: 4baad830da35fe01bf5b97fff437fdb7fe1598ea
SHA256: f15b9f64852e8b88980055ebd2a5e3d3cf2a4e32304151fa46733d3d0d221295
SHA512: e1c05ecfbab507273c7bf6ac34dce0bf6b90dc3308aa1a5fc790c95ab45b965d8fb61f78c8f7ad703889497e3762923726fd3bca2c29fb6228f70924f05d1ade

Filesize: 9KB
MD5: 19962cb5bf2ac813efd5f042bc9e84ac
SHA1: 37fb8a613760f82e2f8656da590872a283df3529
SHA256: e50ce657d48e0bcc260a2401701426f74d2801ac77fae992b607ea1306b96ffb
SHA512: 01245f7d6897f28f69e53da9b0d0dbc8c55fc6603d011773708cc54a9178cc32aaae1ce6b42e274ef47742213f3c4931c5442a451180cc8ac8742517623055be

Filesize: 9KB
MD5: 20a91c1ea8a1783cfaa5589296fcb245
SHA1: 5622cc5572656102ade8df91c62e86474ac092b6
SHA256: 8dab78cc73472833e5ec9b3447c1fc6b8b1b0b8180ff375a92172dc1746d88f7
SHA512: 0630311458f03e2f8cefc4ada0b182e8b534fbc1b7389604dcad990cae79d01cc1b1d0e62efa8eedae04908877ee532e90cd21658b02497b7b01ecb6b26661d0

Filesize: 9KB
MD5: d2ca4f79c3cdb1149ce5a395d1815d20
SHA1: 8a838e5c65504c468caad4191737af35f4c46e53
SHA256: b19375778e459a025f6835e72904defba83689605a7e86e2eb78b00be4ca89be
SHA512: ed87091c18ee426da32f555d6cf22ed9669fa3a55f0df7452f12580843083f7bb19877bb3d1276ffbea94781a89cead1a9e678a45b0322aac557397f9c92463e

Filesize: 9KB
MD5: d2e248ac82653dc62c1e8c935a3082f3
SHA1: dbc82bd26d06a1a4f2fc4cbdf14f0b6a86609162
SHA256: cacdb8d2ab27850b83de0e905368f934fa121ab07543e44c17685f6bee146dea
SHA512: bdb37c0564b3360ca08949efa0fe10c9852ef461a5f500c2018ec070100a46b8642ad01ac6dff324c0f3fce707f4d82bed5d983e7e3e31f4cbd452a2e5c78491

Filesize: 9KB
MD5: 86f4d1144007c64094977f8df168bb02
SHA1: ff04782e7ced238819f9e667e01a391b189dc39d
SHA256: a321eee6af6a21d1a79bb9d6553e24372aad5f4dcec9572522ee8ce4bdc56880
SHA512: 1ad33e98e661cdea850a24fa47edbd9d70b2b323ace875b14310ebfa92360ec42c589415b45817c293870afc141328172aaf22d8c5c80cfa284cba836d7a858d

Filesize: 9KB
MD5: 074a483c070f09a94dd2a3d394cee801
SHA1: 789fcb6e45b0cde084d4adcdf5281858bc594c1c
SHA256: 50c189a9211eb7d3725dddd899f0754c5d279dbbb0c8dcc07580477650c9b824
SHA512: a7d77dbd9acf7e1e39e4650b115464ed17d0c92a2b850e94ca2ad7f0a7c405a0575a55d44350996ca178b30a181fcf534a58708973998d2da6a81c44fe7fbb8b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 96B
MD5: 5a7392d11c96363a58789052ded75232
SHA1: 4cd5f7d260bb8818f7d17065e174ff1e3c10b5ea
SHA256: ae2fda05674468a076272d4948525f7dee17a4fb6fa1ec03b66bb59735edc11a
SHA512: 4fa5b5ff0c6af0563f9fa2c36ec9ca94e92c80d8b1af28878ea1613a61ea6cbf0ae47c87647f9a6b945d12e76fb324e703216eff74284f039b4c2c091fe93bd1

Filesize: 195KB
MD5: d737cadaa0238a4b041eed9c701143e0
SHA1: 4c03ac15179d4593c6b0bc7985b29c5003de17a9
SHA256: a4f052014773bc0272aacea5745f2dd92295ce6c711cc1b6830cf4598de0e2f2
SHA512: b3dbf8057ea1048f51d4a50b757633da658430fc227e07c2b3b0993904e61692f62751008af8ca9bdd0d63155c83685de43dc7daf3f17e7e4fc7456c5a23e1bf

Filesize: 195KB
MD5: c1441db979e668d84826a5ddd34190af
SHA1: a20e782d98195a0f50609ce34655431f01424200
SHA256: 0e896a6963ff4b8449730d43ccbdaba9a5b29e68895e09369a8613b81481aec5
SHA512: a97cc0d5726ac127b9de3fc3560d6af0da7d52e9d38b56ef73198d7aa44d383db663c0315830c21406f30e032f130f908bb7cc760b68b6bff5378b341875d360

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Filesize: 3.1MB
MD5: 1348632fc2ede08cab5db1cb174ff0d3
SHA1: 2a1966291aa0e7aee1b039a1a75fa4879489a2be
SHA256: 900cb76890979aa50347b7b929ef1babd7c677966f642aa4d74cf973136a48bf
SHA512: 52f68303d71f1293b02784539ef3250a95cf9ef4cb868e26e381a86667ab4f5cfc5a36d462ff746dc021bc0420cf8f0b31b050ec4142fb1be4b8f626fae39edb
(All four digests equal the submitted Venom.exe: the file written to disk is a byte-for-byte copy of the sample, so the sample's hashes also identify the installed Client.exe.)

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of a zero-byte file; they match any empty file and should not be used as an indicator.)

Most entries without a path are Chrome profile files from the browser's own top-level process tree; the dropped-file list therefore mixes browser noise with the one sample artefact, the 3.1MB copy.
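A responder would turn this list into a sweep of the install path from the config (%APPDATA%\SubDir). The following is an added example, not part of the report and not a tool it names: it hashes every regular file under a directory tree in chunks and reports matches against a SHA-256 table. The table holds only two digests copied from this report, the submitted sample (which the 3.1MB dropped copy also matches) and the zero-byte entry at the end of the list, and demo() runs the sweep over files it constructs in a temporary directory rather than on a real host. The directory names under the temporary root are assumed to mirror the report's install path.

```python
"""Sweep a directory tree for files whose SHA-256 matches this report's IOCs.

Added example; not part of the sandbox report and not a tool the report names.
The two digests in IOC_SHA256 are copied from the report. demo() sweeps files
it constructs in a temporary directory, so it touches nothing real.
"""
import hashlib
import os
import tempfile

# Copied from the report's General section and from the last Downloads entry.
SAMPLE_SHA256 = "900cb76890979aa50347b7b929ef1babd7c677966f642aa4d74cf973136a48bf"
EMPTY_FILE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

IOC_SHA256 = {
    SAMPLE_SHA256: "Venom.exe (also the 3.1MB dropped copy)",
    EMPTY_FILE_SHA256: "zero-byte file: empty-file digest, not evidence of anything",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files are never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, iocs=IOC_SHA256):
    """Return [(path, sha256, label)] for every regular file under root whose digest is an IOC."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and devices are skipped; only real file content is hashed
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo():
    """Build a constructed layout mirroring the report's install path and sweep it.

    Returns [(relative path, label)] so the result does not depend on the
    temporary directory's name.
    """
    with tempfile.TemporaryDirectory() as root:
        subdir = os.path.join(root, "AppData", "Roaming", "SubDir")  # assumed layout
        os.makedirs(subdir)
        with open(os.path.join(subdir, "Client.exe"), "wb") as fh:
            fh.write(b"placeholder bytes, not the real payload")  # constructed content
        with open(os.path.join(subdir, "stale.tmp"), "wb"):
            pass  # constructed zero-byte file: hits the report's empty-file digest
        return [(os.path.relpath(path, root), label) for path, _digest, label in sweep(root)]


if __name__ == "__main__":
    for relpath, label in demo():
        print(relpath, "->", label)
```

The only hit in demo() is the empty file, which is the point of carrying that digest with a warning label: sandbox dropped-file lists routinely include a zero-byte file, and a hunt that treats its hashes as indicators will match every empty file on every host. The constructed Client.exe does not match because it is placeholder content; on a real host the sample's SHA-256 would match both the Temp copy and the installed copy, as the report's identical hashes show.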