hxxps://rcs-user-content-us[.]storage[.]googleapis[.]com/bde46f4b-ca89-4fcf-bafe-6622f35b513b/2d3625f070938c8a83f21d7f88169d831067951b4da35668f28542c434f8

Resubmissions

29/02/2024, 08:58

240229-kw74jsca7t 1

29/02/2024, 08:55

29/02/2024, 08:47

29/02/2024, 08:41

29/02/2024, 08:38

29/02/2024, 01:40

Analysis

max time kernel
126s
max time network
302s
platform
windows7_x64
resource
win7-20240221-es
resource tags

arch:x64arch:x86image:win7-20240221-eslocale:es-esos:windows7-x64systemwindows
submitted
29/02/2024, 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://rcs-user-content-us.storage.googleapis.com/bde46f4b-ca89-4fcf-bafe-6622f35b513b/2d3625f070938c8a83f21d7f88169d831067951b4da35668f28542c434f8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2456	vlc.exe
2076	vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2456	vlc.exe
2076	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
1844	SndVol.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
1844	SndVol.exe
1844	SndVol.exe
1844	SndVol.exe
1844	SndVol.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe
2456	vlc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2456	vlc.exe
2076	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 2160	1892	chrome.exe	28
PID 1892 wrote to memory of 2160	1892	chrome.exe	28
PID 1892 wrote to memory of 2160	1892	chrome.exe	28
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2088	1892	chrome.exe	30
PID 1892 wrote to memory of 2032	1892	chrome.exe	31
PID 1892 wrote to memory of 2032	1892	chrome.exe	31
PID 1892 wrote to memory of 2032	1892	chrome.exe	31
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32
PID 1892 wrote to memory of 2596	1892	chrome.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://rcs-user-content-us.storage.googleapis.com/bde46f4b-ca89-4fcf-bafe-6622f35b513b/2d3625f070938c8a83f21d7f88169d831067951b4da35668f28542c434f8
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7569758,0x7fef7569768,0x7fef7569778
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:2
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2256 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1324 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:2
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3184 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:8
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2704 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:8
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3496 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:1
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2372 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1612 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2364 --field-trial-handle=1232,i,12555437973148834153,9550367409229740390,131072 /prefetch:1
  2⤵
  PID:2720

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2680

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\2d3625f070938c8a83f21d7f88169d831067951b4da35668f28542c434f8.m4a"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2456

C:\Windows\system32\SndVol.exe
SndVol.exe -f 45941906 1732
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1844

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\AddMove.mp3"
1⤵
PID:1592

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\AddMove.mp3"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2076

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\WriteOut.aifc"
1⤵
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
195KB

MD5
89d79dbf26a3c2e22ddd95766fe3173d

SHA1
f38fd066eef4cf4e72a934548eafb5f6abb00b53

SHA256
367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69

SHA512
ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
4b308711ad2cac11f54fdcb64601804e

SHA1
23d10da64b095d86d5dd0646f4c5218106a479eb

SHA256
73c70ed1eaffe0c8950a3f30e1ce7f5489142e23428d29b724a2b5429258822e

SHA512
6d9fe2652e2e2dd0ef4a41a2fc8b8e25bf047ee32150999366cc0cb367864dedd2a6add3cf521c358c41ca2a6c70b4633b40fb2f8b2f9a89d055c9d30eacdff4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
d8abb68a12be08c94f86dfaf9b6ef7d7

SHA1
81933bd17100df5067f68fedc24dd62d68bbbfcd

SHA256
81c26b4c4abebf2ea8ed8d0e4ae3efa90247101abafde9361f51f56fe45c52ff

SHA512
bfcb4293c75c7d9b53c91daa3c638c679782c35b2ff68b96cf111cafa0e244c99490cb439df581e919e56063ce91d7fea101db0f6b75698633ca2e29bf3bdde7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
8146e08b301d8958ae5bd3d4f57c018b

SHA1
8b59e04d563a64cbe70682a0296c4daac08a611c

SHA256
ae85a8fe7b0d645cd1242e57bbef0d14eefa98d70922363fa6062af8f2579b30

SHA512
6a52accb1d3cff2c6e49044ed16e8bd016068d009363c6d7b58ff2ef784b80c14e766b6e4d51daeb0e25025e3b7ac76224ab1d7203348ad465462594eb9f7dcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cea24a2e113aa438a67cbb536851d578

SHA1
680b876b956feb9b52b9c411b41e1d3bc10254d7

SHA256
bef00ca87fc7c596fb6244e4b1581d8c876f0083d577692db6ddd5213f61fd45

SHA512
e747c2398f5ea135efee71c703f2e8f660933d8def5f6621159451d13a8efe52c8e23ee0b69eb51185fcdb09514ff0f35505cc6305b8661dac3e3480bc0ff3e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
11faf9998cf1e99f07f6eacc9ac187f8

SHA1
1b8bd8774262f8acf2f53bc52aae109a1956ac8c

SHA256
2c1cdbaabfa8fcd2678cce37c186f113ffcf88eed474f05c6b9e167f0e62d91f

SHA512
63de71701676677b11c1688faec7148e45b8ded7828988f98552fe904eef9511bf8ca0a1bb67c917b552f56a3e621b5c2875ac74d9c1d45594dc5f0e5af7e784

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b39f49dfb7289a8b6ce5d48665398060

SHA1
41135199e27662510d0db3af05a5761812324553

SHA256
941c07eda206ee7870b7c23a57ea22027ccd63a75e24b09f7ba2fee1f0880b8b

SHA512
eeba78b48c10b6346f95dd848980e2ca95aa9e13bed522483b1b1e3d2dff777aec76741b71cb3bc2e0ff8d00b2467038fd5d6892bfbab170fea4a08cd5b3c04c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9fd05d54fdf5a5e97d55555b959ed741

SHA1
c816d195a2f78ddd67796869c91e4a86957711b2

SHA256
86df14bfad3255f8b88a53ff96e7b3ec02f6a6c822c5373989fac1caaeb05e2f

SHA512
0922fd680aa3a0b9ff1c84b49880efbcca4119487dedc627b7a9522611c822343c8971fb00ee76a6e4452660afff7a226a66dd766f9347348e6df4c66fc5ccee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
68110388470b2d0744e649eb0e92200f

SHA1
6269fd3f9132bd1b37644e218053212f2a93b4fc

SHA256
126f9bf5ad925cd039b0e099c9fdcae568e0ec8dc53989e94dc4fb715c2e610e

SHA512
e21420fd77ee5b9ede0d7da44cffe7b940338f03a422fc1ac0c4ce3a039bce2cf8ff7c32064e707bc67fe65a1e4c0dc7f203f789a024809f9d3b04c5ff814d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
49eaf46cc4c3688caf7aaf02d4551bf7

SHA1
875e8756dd1f7e9529827d2b7b69858cf9d49cd1

SHA256
1ecc728e55b8295a2718aa5f1d8c356bedd890dac0013e881027f7c18ecaefff

SHA512
2fdd8b71394804c69781ec29d58ab93a5da1377bb7b959634e2ced388fa015f3d9dce7c05e2dbb7b76f9c365d30b4cdd006fc141c4c16b20caa789b359cbef64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
6bed98a88004ec31da8f427940ce1925

SHA1
69774378f31dae8fe8bdf45839182704a5ea2266

SHA256
5c0ec6a466891d2535380c3db69026967ba6c2a61f662d82cf853fcf899fd24f

SHA512
a380390933d807b35036221e74c414e0deca0e5b5448bd88a97d4db3c37d10376191e275688bc4f77454df38d9aae59ff0c8a38f5bcbc73770e28ac510f59bd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
641f8e00819f8e59eb0a8507c54b47c5

SHA1
0821ab1369421e4b297cd3f5f669b03e30795a83

SHA256
e1f13c2925dded559bc56de6464fcbd28fe474b1b023ce4b5e4203ee7f45cc79

SHA512
48d626938ba0791bcbd2b3344345e792264b8d1ce57f411f2f18e65dccd4ac4cb3c5a4f632ea109fc8a910aa730300db0675b022434e99e6090b18a5d05b4bc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
e0717849b94ef3e42eccad24d0af989e

SHA1
de0b13e1578d4e06426d8bc6667ecf9feb848c90

SHA256
1226055168ebc3f5e8cc18fa3ffa3fcc3cce3745d16b0a9266e4cc20a0dd1781

SHA512
18b544fdba9ba9d8e5b828d87b6688274e85822304963490e9707308912a6202505bf9636e5a22b4563cd474803ed9c94b4e7940772da429cfe65339464bce15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
83KB

MD5
5e1008ab83c6f89f162bb370f570a2d8

SHA1
4e14344e9454d21e78546f4b0c16c6a4cf7abecc

SHA256
a77389a398fde54b65b2072d758bf68235152b672160b874f68287f16662f2bf

SHA512
923febc02fc22508180f51a78d8840f4e7bd0bbbb62a27c26a03ba052dc00eed0c3d33006cd01ee65aa80d3c14b70f31a11900738a1a11824cd48e072c3ffd5d

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf

Filesize
312B

MD5
8e3eac4267eec836634e0496a41796b8

SHA1
6bfc04823eeed4524e8826d007d3d2253b539a88

SHA256
c3e4cbc19fb8d31aac7c29015bca2b405baa48edbc70d8d351ac4a3a6200bc6c

SHA512
3f4153decdfdfa445ab35fb68e4255d61d656189fc6756507e9a6433322cda44e8d23f80639353cb66a29ffe97f1304ca8cdadc5ee67c6211f30f4997263c0aa

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
631B

MD5
da192bdb59758d14ed48fa00ead5f72c

SHA1
83e1f7b6287baac69047a747ad09159b8329d2b3

SHA256
f79431f8800eb731dc8854c4392334c3109d199621825613a6f5af4fed01f514

SHA512
42450eed5e6ff4966fa00c9c4fa75d38ad250902a05db10ffbd37aa63ba90e5161e3812d412433262857f1709a9fc2de637f3e72f11251e4ee9f5946bc44bb22

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
674B

MD5
23f0a59427597229d0e4e8ae440f6643

SHA1
67deeb64d39c63764958f140cbdbd99d61f99a6b

SHA256
50f0f3f6875028c84a704f00353c028d837aa6160269f1f18752fd3eed77e327

SHA512
4a645f77dd4217029f8d15532497101b7e3665e4f4e17eabae49c3965e22a061cfb8dfff64f6b8cf5731235e19657303ba6f512ff0495298e7530e756c0af1eb

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
834B

MD5
9ae0f36a7a105aff782b7841aea4a630

SHA1
ae9eb904073f6631ee0cb5cca6f3d79f2123c2a9

SHA256
e10c6701dbdeb3cb721db92921a1452b1a62b603804e95ed8cfecdf2af956826

SHA512
d9333aef52bf8f8fa54cf1a9ccd92a9e44abccf854226674259afd529341b895869565c3b2da7ed056c44da62f8303f8a45c562f45b8c3b29a85b64003ead0a6

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.em2456

Filesize
127B

MD5
4f494a0a9a1393ffa28f297220a9ca60

SHA1
3d97c2ec601c1e2ef34bb8e3b0451eaeaa4cc1e7

SHA256
f6b4659daae6a624e4bc4f1732447c2858d49c9391ed6fffc590453f2acdfae5

SHA512
4a24e74fbd88784ab946529cb1362d681ae45cd049069588971144e935adff077cfc465ef0d8b36ac4fadb19bc8c99850b59184589df9fe694bd65fca29f4d5b

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
8ff7e25bb0d47026c131a5a698f3762b

SHA1
b7748c203308d9665c9afd7b90d93e7b978f08c8

SHA256
f127589fedfe4b8bab14d9db542a6401b21255f431978b031097b2c4c43ba6d7

SHA512
251f0ea631a5e62b207952b7cfb7dba152caa5d214f88ed5c65aa3731c5df9e20796549a0b2910f76be4ee0cab2a275cd9f7b2539f231518ff625a100741fe8d

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc

Filesize
93KB

MD5
7d5ef2dffb8d0f8c5dfde20525d9e9ec

SHA1
875f7115389c71f411249b9e619c6c3c76ad4972

SHA256
97f54303096bd3b0925de62fff499ebcaf6b152a7a49a805491b249fc2723b1e

SHA512
a37ad0ecb44b1d10293792bc9b6e79c9d507ccab608ba82576c7e27f6f167a0c122593a2dce5da79a5bb5d6deb5a80707873e69307e106a3632f925c7c0b8d39

Download Submit
C:\Users\Admin\Downloads\2d3625f070938c8a83f21d7f88169d831067951b4da35668f28542c434f8.m4a

Filesize
1KB

MD5
f6bd85e94dafb0b5ec011a478a4064fa

SHA1
20ba4e71debb538629f9832a000e73fb2bb38fbc

SHA256
5a99e9b4758c9be662d15016101e91bb5fc4f4b34bf280b9b93c4340c07b9640

SHA512
50338dc520139cd5204023c6d378acbba6042b78270ec4696589f53baabce63983233d92720243647745f7f59fb5d6fb07fec3769b00f97ca747e17ebd5b4640

Download Submit
memory/1844-188-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2456-153-0x000007FEEFF50000-0x000007FEF00C8000-memory.dmp

Filesize
1.5MB

Download
memory/2456-174-0x000007FEE35E0000-0x000007FEE35F1000-memory.dmp

Filesize
68KB

Download
memory/2456-145-0x000007FEF1BF0000-0x000007FEF1C08000-memory.dmp

Filesize
96KB

Download
memory/2456-147-0x000007FEF1B50000-0x000007FEF1BB7000-memory.dmp

Filesize
412KB

Download
memory/2456-146-0x000007FEF1BC0000-0x000007FEF1BF0000-memory.dmp

Filesize
192KB

Download
memory/2456-150-0x000007FEF0150000-0x000007FEF01BF000-memory.dmp

Filesize
444KB

Download
memory/2456-151-0x000007FEF0130000-0x000007FEF0141000-memory.dmp

Filesize
68KB

Download
memory/2456-152-0x000007FEF00D0000-0x000007FEF0126000-memory.dmp

Filesize
344KB

Download
memory/2456-143-0x000007FEF1C30000-0x000007FEF1C4B000-memory.dmp

Filesize
108KB

Download
memory/2456-154-0x000007FEEFF30000-0x000007FEEFF47000-memory.dmp

Filesize
92KB

Download
memory/2456-155-0x000007FEFBAD0000-0x000007FEFBAE0000-memory.dmp

Filesize
64KB

Download
memory/2456-156-0x000007FEEFF00000-0x000007FEEFF2F000-memory.dmp

Filesize
188KB

Download
memory/2456-157-0x000007FEEFEE0000-0x000007FEEFEF1000-memory.dmp

Filesize
68KB

Download
memory/2456-158-0x000007FEEFEC0000-0x000007FEEFED6000-memory.dmp

Filesize
88KB

Download
memory/2456-160-0x000007FEEFD70000-0x000007FEEFDE5000-memory.dmp

Filesize
468KB

Download
memory/2456-159-0x000007FEEFDF0000-0x000007FEEFEB5000-memory.dmp

Filesize
788KB

Download
memory/2456-161-0x000007FEE36E0000-0x000007FEE3742000-memory.dmp

Filesize
392KB

Download
memory/2456-142-0x000007FEF1C50000-0x000007FEF1C61000-memory.dmp

Filesize
68KB

Download
memory/2456-162-0x000007FEE3670000-0x000007FEE36DD000-memory.dmp

Filesize
436KB

Download
memory/2456-167-0x000007FEEFD50000-0x000007FEEFD63000-memory.dmp

Filesize
76KB

Download
memory/2456-172-0x000007FEE3620000-0x000007FEE3670000-memory.dmp

Filesize
320KB

Download
memory/2456-171-0x000007FEEFD30000-0x000007FEEFD44000-memory.dmp

Filesize
80KB

Download
memory/2456-173-0x000007FEE3600000-0x000007FEE3615000-memory.dmp

Filesize
84KB

Download
memory/2456-144-0x000007FEF1C10000-0x000007FEF1C21000-memory.dmp

Filesize
68KB

Download
memory/2456-175-0x000007FEE35C0000-0x000007FEE35D2000-memory.dmp

Filesize
72KB

Download
memory/2456-176-0x000007FEE3440000-0x000007FEE35BA000-memory.dmp

Filesize
1.5MB

Download
memory/2456-141-0x000007FEF2160000-0x000007FEF2171000-memory.dmp

Filesize
68KB

Download
memory/2456-140-0x000007FEF2180000-0x000007FEF2191000-memory.dmp

Filesize
68KB

Download
memory/2456-191-0x000007FEF35E0000-0x000007FEF3894000-memory.dmp

Filesize
2.7MB

Download
memory/2456-201-0x000007FEF21F0000-0x000007FEF329B000-memory.dmp

Filesize
16.7MB

Download
memory/2456-139-0x000007FEF21A0000-0x000007FEF21B8000-memory.dmp

Filesize
96KB

Download
memory/2456-137-0x000007FEF21F0000-0x000007FEF329B000-memory.dmp

Filesize
16.7MB

Download
memory/2456-138-0x000007FEF21C0000-0x000007FEF21E1000-memory.dmp

Filesize
132KB

Download
memory/2456-136-0x000007FEF32A0000-0x000007FEF32DF000-memory.dmp

Filesize
252KB

Download
memory/2456-135-0x000007FEF32E0000-0x000007FEF34E0000-memory.dmp

Filesize
2.0MB

Download
memory/2456-134-0x000007FEF34E0000-0x000007FEF34F1000-memory.dmp

Filesize
68KB

Download
memory/2456-133-0x000007FEF4240000-0x000007FEF425D000-memory.dmp

Filesize
116KB

Download
memory/2456-132-0x000007FEF4260000-0x000007FEF4271000-memory.dmp

Filesize
68KB

Download
memory/2456-131-0x000007FEF4280000-0x000007FEF4297000-memory.dmp

Filesize
92KB

Download
memory/2456-130-0x000007FEF4590000-0x000007FEF45A1000-memory.dmp

Filesize
68KB

Download
memory/2456-129-0x000007FEF7290000-0x000007FEF72A7000-memory.dmp

Filesize
92KB

Download
memory/2456-128-0x000007FEF84D0000-0x000007FEF84E8000-memory.dmp

Filesize
96KB

Download
memory/2456-127-0x000007FEF35E0000-0x000007FEF3894000-memory.dmp

Filesize
2.7MB

Download
memory/2456-126-0x000007FEFB840000-0x000007FEFB874000-memory.dmp

Filesize
208KB

Download
memory/2456-125-0x000000013F090000-0x000000013F188000-memory.dmp

Filesize
992KB

Download