hxxps://ftp[.]rnl[.]tecnico[.]ulisboa[.]pt/pub/videolan/vlc/3[.]0[.]20/win32/vlc-3[.]0[.]20-win32[.]exe

Analysis

max time kernel
150s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
24/01/2024, 14:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://ftp.rnl.tecnico.ulisboa.pt/pub/videolan/vlc/3.0.20/win32/vlc-3.0.20-win32.exe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133505814138689471"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 451340.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4728	msedge.exe
4728	msedge.exe
3788	msedge.exe
3788	msedge.exe
3896	msedge.exe
3896	msedge.exe
4260	identity_helper.exe
4260	identity_helper.exe
2156	chrome.exe
2156	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe
Token: SeShutdownPrivilege	2156	chrome.exe
Token: SeCreatePagefilePrivilege	2156	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3468	3788	msedge.exe	18
PID 3788 wrote to memory of 3468	3788	msedge.exe	18
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 2508	3788	msedge.exe	79
PID 3788 wrote to memory of 4728	3788	msedge.exe	80
PID 3788 wrote to memory of 4728	3788	msedge.exe	80
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81
PID 3788 wrote to memory of 2040	3788	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ftp.rnl.tecnico.ulisboa.pt/pub/videolan/vlc/3.0.20/win32/vlc-3.0.20-win32.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc26643cb8,0x7ffc26643cc8,0x7ffc26643cd8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11875638598223900758,15681216392916674734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:3148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc14bb9758,0x7ffc14bb9768,0x7ffc14bb9778
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:1
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:1
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:2
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4516 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3652 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5392 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5252 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1800,i,4316140439975479962,2840517970227700528,131072 /prefetch:8
  2⤵
  PID:3032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4d8f58df1c3755d25dfe71a80f533cf6

SHA1
1552cb470e0ad27ade75a49f2d2c23baf193cc4c

SHA256
fac989707a3bd6e46a1c0bd543585e749ac08f8e473ee2ca7c6be0db5a8d0fc9

SHA512
20315d84fd5d4a45d1186accf7134d89f7f72c71f93789149807b9ee4ea6df5b34aaca60a94074543112e4d55cfb6413133d80f1ff564b17cc608bb06fc81e9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5f1c459274cdc1cec210e56281dc0f80

SHA1
efd26e24c61971cbfe9867efadf5092cc8caba0a

SHA256
f482aa514c54b5b0e415ff61aad52c295e2521bf4143296ce7bdbd207563b3d6

SHA512
74cf4aba06b1f508d8e2798402808d129c6b3e1642c45214ba4206cb58b208f399e75c27ef565e585f4d5071049b03539d9deb739d5b62acd4ff485a249e21ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
6102f0b55c2b0ddae9d41da648edbe88

SHA1
eef74ede2aa983041bd15ec6c8ff632316b22357

SHA256
7e4620a4404ed99dcb1fd5799cc73cf02a63c3393f8ca6d8256a59f610b01e4c

SHA512
f4d2c574e5e2ffdd7de3059dc647d955b6772cbf9b8c5fe2c41e4c90e71bc786356278a277ed08c7ef03c781bccb7e994acd3f483d851b76f54726ed7f7b3762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
342f1314039721bfc302668567e5d29f

SHA1
5b73bab8a8d6955d5d8472d34527fc4c298744c8

SHA256
9cf4e1acb440fd4f6e03fdf67d358040957e84e552144c7df986bc4571a01df5

SHA512
bed1ee7fa8b2977c91a07cebed2b4653a771a8909232aa3143999ece7de01f8da3e2a08d426a8142c1a2544f9e5b9a839238fef0af4c7674a05c61ead0a3b271

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d4a13951301c4c028447c0c1830024fc

SHA1
efeb8d13d2b3c311a11b6976d1ffafbbc4e8b56e

SHA256
ce0a7fa6ba80c70ed1e63097b9aa7699faf493d224095fa00e206b8447e493bd

SHA512
56b118808ebb93b1f2419eb6a8577909ccb39ec55517bd6250ec5716a04cf97bced65abc1eff03894a47475da90c7437e9d51b34fffc91db64c3b9f50a3c1bf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
84e7a3abbc13d5ce3614b2e09dfd9668

SHA1
901951891c6725189bb32387710c4744fc2700a6

SHA256
c510d3b726cd558f76354ab4df821ba7f436b20cb50b5b49ef049de87b05424f

SHA512
3d1c7b52013ab1da6418dead443cbaa5b7bdf78334ed6fe1c0ff447a11f8e80cada1d1002085ff32b11bdac55fad6217a12c1cb280fe25dfd599236138ebc5ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f18a3ecfa1506ecd0a90b1512820a71b

SHA1
fda4d61505d917b9620f9d470809ff668ad2dcb1

SHA256
92b9c5e96abcb454454f15e3c9656ab37cf2d4ff628a643c5ceafb918825cada

SHA512
fc1de984dd94db8867aad47f8d1c32380fc4c3beb277e5889497a523f3701926f7f708b29542c1c38275474272b0cc9c2e5d2e632adc8bae952c49b0ac2e21fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
02685fb48e49fd272dea0447c5fa6dde

SHA1
3d3347be476af578ac6fcbde4f23ed75d762c306

SHA256
2474b07b45578e0264b09213e247817889663a811af780dd3f1ddfd8976eceb2

SHA512
f8b63eb53bf4fd49dc681c82255c1a38486c29abde6dff414571ad872bbfac8f729d8e66a08117594e7cc42269446e7818397a436dcf449d4ad5fa88200255e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
6ef898145f977c962d31f79a02e8d867

SHA1
94854e8bb0a41e7ea3935b430e0b1a316a4880fe

SHA256
9b2f70c8f28a5cc49e03b280659292439dd8df3d6dcf679f5d8a050f06cd4739

SHA512
adbcf9dc9e7e0b9c73e0bc8ea9762ca8df64b45aae21cc8e3f44ff49c03988d4be05664ca82601cda78ad47758836d6a73c7ff54fa10f740e935687cce98e0b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
90KB

MD5
2562707397f19f69c82ffd2b3c0da426

SHA1
113f99e086cd87412059447eff0d66bdc2cfe21a

SHA256
e13fb08d7084407014b4216c541392ee30c3be5cd9dd5b93807f038eacbdbfac

SHA512
1c2d8056c2ffbd44ae187dd3cc73e222f0718896ff652db3edb8a835286fde8cfd9561ef2c850df2652cc4cadfa7fe75f9614c8ab15dfa8d1e5ace3395cb685f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58ff89.TMP

Filesize
89KB

MD5
1a4c8cbaf2519867da85badba2f84a29

SHA1
4977a5ffc78f0f8a3a51342e6fc05e9fd6e5cb1e

SHA256
e822c1d6de48895525d8fd53aae631a10d262f77db28d6bf7f38cb7018c00df5

SHA512
e0930f479d7cd4a9558ad591ec8ec7b36203e167f3a6e420fc145aaf33d3ac33778b6460920d3e60c2d1b6f8670fcf62c479434c091468a9988451aa9a549ade

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b09c5d9d170124cc803af2dd5f23e2b4

SHA1
41a3ddbafd6f3062f07ec162679bfab95fd88482

SHA256
5e6d5fcfb3805ecd4d9388837551cc02c5452f03cddba1b29b23fd02686befd8

SHA512
8fd1752211ec074f85d0ee59f39bea6e639199602d71ec947940575a9c515dda96b1eed5af10d513e21373f64a6d03146bb3251aa690830110ff4c6c486b4036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2dac1354-f46e-4be6-8952-7d3c29be8e28.tmp

Filesize
5KB

MD5
fe428397b321aeed3666d0db17ba632c

SHA1
8b3017c2a07acc6b20e4e3509168c1247d1cd8ba

SHA256
2151cf96e19d98710fcc286e61c554785fe4c3f16a59a81036bcdcb0c441af3d

SHA512
b9558444a37e357147d3a482357e90c29364551cfead18ce8c46ab54849fa431cbbd3ba6cd855d1731904a585ded9ad35a180a848ec20e9b5e5a66b375af918b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
194B

MD5
749375d5ea8eea239b014e4f5c754271

SHA1
1912e9ba87288ceb2fc790df8bec5a07334dd966

SHA256
e97d962819a5ba3d2f2663df144a63e69ee0dc87f169c4ba2381860f76054c18

SHA512
7f8fbc1ccb8b0cb360a867a54e1ac8c6190e77ff3e960a35caf9ce3b1c5ce33f211362f1b0225212f6543a84f6b227c26a1574f0f751c4056a6189c9e1fcb641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
62701b7379b5453defbf984710df7066

SHA1
eb94932a5d1768d8523a705dbe274500d31ffd29

SHA256
fe4ec76d6e326e4f7bdc69562e484d2242bbde6aa260186c9bcac41e15fb42a4

SHA512
76eea6080f57bee5f3e512c8b8356ef3858ff8d44395e3728bc49f51dd9da21e019fe9e859177c8564cb1378df28b7949834b1be2b56664e30843f5d806075c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
45f438536a856b778c5b3ee631b3c2a1

SHA1
b8a8c1263c224cbff96da2ff6024a5cdb0c7f434

SHA256
47ca8c1e03b0058738c145b08e6d7e09e7c063f6c4b9f55397bf8ed203531509

SHA512
9146161e58a3ab618eae47124982ae03dc6e8b9fa78bfdbf90935ec255072a5b09a4a32a7a6410370b66d02a4aa2cb14c7772ffdebedd87c0d0a60b24b3bd688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8383b8774471ec7063bb4b80e1dbf635

SHA1
6a1449b9535db4907eaea152ab0c2869df8324cb

SHA256
8017a3132afb7bbcb967b241a92f27701f5dfd11e0fa0d4242e55487ad14c39e

SHA512
9f5badb221cbeb98531f5581700be976478437c2e601249a894f9cbb1bcca5fb8dfff1eacdebfe590ff0d81adadbb149c1db24bf13af8d4c1c520e39f304e226

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
c7092e044a47c593ef643da75dc6a456

SHA1
80e8bca84e362de86a7332742a62834ba887deb4

SHA256
18ac390cf8b5d7c5ceb90ce5e744deedc18be8e33c84e214bb64fbffd0686751

SHA512
b93ed015737a477a735c03e0cc884d746444d081dbb24d542ebbfbc2d30a5101799d2564733780091f28bf84adc3c7b2eadc265cb6bad6f26080abf63e0f085f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
57c6c429ba7535d0dc9df074865f287d

SHA1
7bb84974946447c0b42c7fea25625b383d65625d

SHA256
8cfbfafe97c88a50038e42426aa7881fe6fc860b00643f48400ed9f612c403e7

SHA512
dec89c24a87cee198f5944a7091b2cbffc17bcb79c722003e2c7fe8b9ab169d3b3f76bd28675aa2784c0825b98f0edf1eb9edae218dfa8263491ac2ca6ea5ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aa4213885acbb216221450718ce558a9

SHA1
5edd1bed0572b8202de0ecbed1b5a947d01021d6

SHA256
22ab8e96517efe1f80d82aae7e2059dc43803a7434645635d66ad1d92110725d

SHA512
78074e55333b454fc79e3d6f3d63a86c5372dbb32563fc23f1d48a362456758d088336c0184f69e74df64454ec4981c0b33229f1617389d60a9669afc9cf7e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f01f08c6b607293475a92dd316ca9a48

SHA1
20efad345dc734860ebe601867dd8cd9f9e3c317

SHA256
7b09e60e3807a30328504e5cfd50a4389bacbb58f54c6b15fabc805855f7fbbc

SHA512
7a751b94ecac5a1f36c87cec1ffbffd21a2c22c08d06745252affaf3893a815eae7ef3c2ee9a450d379d9b6a9a991fb8d518aee449ce20db170f9a4fc0cf4312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit