crypted[1].bin

General
Target

crypted[1].bin

Filesize

N/A

Completed

29-11-2019 16:22

Score
10 /10
SHA256

9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57

Malware Config
Signatures 40

Filter: none

Collection
Credential Access
Defense Evasion
Discovery
  • Reads Secure browser user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\1304crypted[1].bin.exe
  • Reads Waterfox user profile, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\1304crypted[1].bin.exe
  • Reads Uran user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\1304crypted[1].bin.exe
  • Reads Tor Browser user profile, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\TorBro\Profile\1304crypted[1].bin.exe
  • Reads Nichrome user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Nichrome\User Data\1304crypted[1].bin.exe
  • Reads Qip surf user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\QIP Surf\User Data\1304crypted[1].bin.exe
  • Reads 7star user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\7Star\7Star\User Data\1304crypted[1].bin.exe
  • Reads Torch user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Torch\User Data\1304crypted[1].bin.exe
  • Reads Pale Moon browser user profile, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\1304crypted[1].bin.exe
  • Suspicious use of SetWindowsHookEx
    crypted[1].bin.exe

    Reported IOCs

    pidprocess
    1304crypted[1].bin.exe
  • crypted[1].bin.exe

    Reported IOCs

    ioc
    drive.google.com
    File opened for modificationC:\Users\Admin\AppData\Local\Temp\machineinfo.txt1304crypted[1].bin.exe
    HTTP URLhttp://34.76.145.229/gate/log.php
    HTTP URLhttp://34.76.145.229/file_handler/file.php?hash=d3a547a5fa34fecef563a4e0d65825c4539a5386&js=8eb1309d3b4163e746e3f66ce26ccf5f269dd5e5&callback=http://34.76.145.229/gate
  • Reads Sputnik user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\1304crypted[1].bin.exe
  • Reads user profile for Thunderbird email client, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\1304crypted[1].bin.exe
  • Reads Rockmelt user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\RockMelt\User Data\1304crypted[1].bin.exe
  • Reads Vivaldi user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Vivaldi\User Data\1304crypted[1].bin.exe
  • Reads Amigo user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Amigo\User Data\1304crypted[1].bin.exe
  • Reads Orbitum user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Orbitum\User Data\1304crypted[1].bin.exe
  • Reads Suhba user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Suhba\User Data\1304crypted[1].bin.exe
  • Checks for installed software on the system
    crypted[1].bin.exe

    Tags

    TTPs

    Query Registry

    Reported IOCs

    descriptioniocpidprocess
    Key value queried\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName1304crypted[1].bin.exe
  • Reads Chromium user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Chromium\User Data\1304crypted[1].bin.exe
  • Reads Dragon user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\1304crypted[1].bin.exe
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pidprocess
    1232PING.EXE
  • Reads Kometa user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Kometa\User Data\1304crypted[1].bin.exe
  • Reads Superbird user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Superbird\User Data\1304crypted[1].bin.exe
  • Modifies system certificate store
    crypted[1].bin.exe

    TTPs

    Install Root CertificateModify Registry

    Reported IOCs

    descriptioniocpidprocess
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d005200320000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e7f000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d50103000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e1304crypted[1].bin.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0400000001000000100000009414777e3e5efd8f30bd41b0cfe7d03003000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe7e00000001000000080000000000042beb77d5017f000000010000000c000000300a06082b060105050703091d000000010000001000000073621e116224668780b2d2bee454e52e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e5300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d00520032000000090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e1304crypted[1].bin.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 190000000100000010000000a8827a3cbd2d87d783b59b8062c87e9a0f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d005200320000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e7f000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d50103000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe0400000001000000100000009414777e3e5efd8f30bd41b0cfe7d0302000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e1304crypted[1].bin.exe
  • Reads Chrome user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1304crypted[1].bin.exe
  • Reads Epic privacy browser user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\1304crypted[1].bin.exe
  • Reads Centbrowser user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\CentBrowser\User Data\1304crypted[1].bin.exe
  • Reads Elements browser user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Elements Browser\User Data\1304crypted[1].bin.exe
  • Reads Mustang user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\1304crypted[1].bin.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pidprocess
    1800cmd.exe
  • Reads Chrome SxS user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\1304crypted[1].bin.exe
  • Reads Bromium user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Bromium\User Data\1304crypted[1].bin.exe
  • Reads Chedot user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Chedot\User Data\1304crypted[1].bin.exe
  • Reads Firefox user profile, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1304crypted[1].bin.exe
  • Accesses Bither wallet, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    descriptioniocpidprocess
    File opened (read-only)C:\Users\Admin\AppData\Roaming\Bither\address.db1304crypted[1].bin.exe
  • Suspicious use of WriteProcessMemory
    crypted[1].bin.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1304 wrote to memory of 18001304crypted[1].bin.execmd.exe
    PID 1800 wrote to memory of 12321800cmd.exePING.EXE
  • raccoon family
  • Loads dropped DLL
    crypted[1].bin.exe

    Reported IOCs

    pidprocess
    1304crypted[1].bin.exe
  • Reads Go! user data, possible credential harvesting
    crypted[1].bin.exe

    Tags

    TTPs

    Data from Local SystemCredentials in Files

    Reported IOCs

    iocpidprocess
    C:\Users\Admin\AppData\Local\Go!\User Data\1304crypted[1].bin.exe
Processes
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Execution
      Exfiltration
        Impact
          Initial Access
            Lateral Movement
              Persistence
                Privilege Escalation
                  Replay Monitor
                  00:00 00:00
                  Downloads
                  • \Users\Admin\AppData\Local\Temp\AdLibs\mozglue.dll

                    Download
                  • \Users\Admin\AppData\Local\Temp\AdLibs\msvcp140.dll

                    Download
                  • \Users\Admin\AppData\Local\Temp\AdLibs\nss3.dll

                    Download
                  • \Users\Admin\AppData\Local\Temp\AdLibs\vcruntime140.dll

                    Download
                  • \Users\Admin\AppData\Local\Temp\sqlite3.dll

                    Download