750c145b76422b57f265cf4f98f9319d57d7badc6f131d2468a54f056910529b

Resubmissions

04-03-2022 11:09

220304-m89t1sedg6 8

04-03-2022 11:08

220304-m8qfdaedg5 1

Analysis

max time kernel
104s
max time network
152s
platform
windows10_x64
resource
win10-en-20211208
submitted
04-03-2022 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New folder/vlc-3.0.16-win32.exe
Size

39.5MB
MD5

1bed0a495133dd4d6c9efaf7e71f8ef3
SHA1

a51a1d258b5cbcc93916b5eeb0d530f4b3bd94df
SHA256

4599f5d504c127f7e2ee391f06725461b9b761492c72ac2eb98f2429f04ef5c1
SHA512

837b68de2f66e91fba29c394e4c2e4b91d735e5f9433178e95d6dda50d6f49b5d9dae43832f331e8db40b3e24b876daa8a0303d8d9cd9a6d55e758fa644b3b05

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2560	vlc-cache-gen.exe
656	vlc.exe

Loads dropped DLL 64 IoCs

pid	Process
2012	vlc-3.0.16-win32.exe
2012	vlc-3.0.16-win32.exe
2012	vlc-3.0.16-win32.exe
2012	vlc-3.0.16-win32.exe
2012	vlc-3.0.16-win32.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe
2560	vlc-cache-gen.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\lua\meta\art\01_googleimage.luac	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\video_output\libdirect3d11_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\lua\intf\modules\host.luac	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\access\libsmb_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\video_filter\libgrain_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\lua\playlist\anevia_xml.luac	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\lua\sd\jamendo.luac	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\audio_filter\libkaraoke_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\stream_out\libstream_out_cycle_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\lua\http\images\buttons.png	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\libvlccore.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\AUTHORS.txt	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\access\libsatip_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\lua\intf\luac.luac	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\video_chroma\libyuvp_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\lua\playlist\vimeo.luac	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\d3d11\libdirect3d11_filters_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\codec\libopus_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\codec\libdmo_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\codec\libmpg123_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\lua\extensions\VLSub.luac	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\lua\http\mobile_browse.html	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\access\librist_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\video_output\libwgl_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\COPYING.txt	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libpva_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\spu\liblogo_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\locale\sl\LC_MESSAGES\vlc.mo	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\packetizer\libpacketizer_hevc_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\control\liboldrc_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_sse2_plugin.dll	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo	vlc-3.0.16-win32.exe
File created	C:\Program Files (x86)\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo	vlc-3.0.16-win32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wav\shell\Open\ = "Play"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.xm\ = "XM Audio File (VLC)"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.m3u\shell\ = "Open"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wvx\shell\Open	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.a52\shell\AddToPlaylistVLC\command	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.f4v\shell\PlayWithVLC\command\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\" --started-from-file --no-playlist-enqueue \"%1\""	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.au\DefaultIcon\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.flac	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ts\shell\AddToPlaylistVLC\command\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\" --started-from-file --playlist-enqueue \"%1\""	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.opus\shell\AddToPlaylistVLC\command	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.f4v\shell\PlayWithVLC\MultiSelectModel = "Player"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mov\shell\PlayWithVLC\command	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpg\shell\AddToPlaylistVLC\Icon = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.dts\shell\Open\command\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\" --started-from-file \"%1\""	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wtv\shell\ = "Open"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpe\shell\AddToPlaylistVLC\ = "Add to VLC media player's Playlist"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.oma\shell\Open	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.aiff\shell\PlayWithVLC\MultiSelectModel = "Player"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spx\ = "VLC.spx"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.669\shell\PlayWithVLC\ = "Play with VLC media player"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.snd\shell\PlayWithVLC\Icon = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.vob\ = "VOB Video File (VLC)"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mka\ = "VLC.mka"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.rmi\ = "RMI Audio File (VLC)"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.amv\DefaultIcon	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ogv\DefaultIcon\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpg\shell\PlayWithVLC\command	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ac3\DefaultIcon\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.cda\ = "CDA Audio File (VLC)"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.gvi\DefaultIcon\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.m4v\shell\Open\command	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.cue\shell\ = "Open"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mlp\shell\PlayWithVLC\command\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\" --started-from-file --no-playlist-enqueue \"%1\""	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.vqf\shell\PlayWithVLC\Icon = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.w64\shell\AddToPlaylistVLC	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.w64\shell\Open\MultiSelectModel = "Player"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.xa\shell\Open\command	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ts\shell\AddToPlaylistVLC\command	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mtv\shell\AddToPlaylistVLC\Icon = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ts\shell\PlayWithVLC	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.bik\shell\PlayWithVLC\ = "Play with VLC media player"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.m3u\shell\PlayWithVLC	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.oma\DefaultIcon\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ram	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BE31822-FDAD-461B-AD51-BE1D1C159921}\VersionIndependentProgID\ = "VideoLAN.VLCPlugin"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.CDAudio\shell\Open\command\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\" --started-from-file cdda:///%1"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.amv\shell\PlayWithVLC\command\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\" --started-from-file --no-playlist-enqueue \"%1\""	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.avi\DefaultIcon\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.pls\shell	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpeg1\shell\Open	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ogm\DefaultIcon\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mlp\shell\PlayWithVLC\command	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.tta\shell\PlayWithVLC\command	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ram\shell\PlayWithVLC\command\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\" --started-from-file --no-playlist-enqueue \"%1\""	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.tta\DefaultIcon\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpa\ = "MPA Video File (VLC)"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ram\DefaultIcon	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wmv\shell\PlayWithVLC\command\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\" --started-from-file --no-playlist-enqueue \"%1\""	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.m3u\shell\AddToPlaylistVLC\MultiSelectModel = "Player"	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.cda\DefaultIcon\ = "\"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe\",0"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.dv\shell\Open	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.f4v\shell\Open\ = "Play"	vlc-3.0.16-win32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpeg\shell\Open	vlc-3.0.16-win32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dts\ = "VLC.dts"	vlc-3.0.16-win32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
656	vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2012	vlc-3.0.16-win32.exe
2012	vlc-3.0.16-win32.exe
2012	vlc-3.0.16-win32.exe
2012	vlc-3.0.16-win32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
656	vlc.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
656	vlc.exe
656	vlc.exe
656	vlc.exe
656	vlc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
656	vlc.exe
656	vlc.exe
656	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
656	vlc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2560	2012	vlc-3.0.16-win32.exe	69
PID 2012 wrote to memory of 2560	2012	vlc-3.0.16-win32.exe	69
PID 2012 wrote to memory of 2560	2012	vlc-3.0.16-win32.exe	69
PID 2012 wrote to memory of 1144	2012	vlc-3.0.16-win32.exe	72
PID 2012 wrote to memory of 1144	2012	vlc-3.0.16-win32.exe	72
PID 2384 wrote to memory of 656	2384	explorer.exe	74
PID 2384 wrote to memory of 656	2384	explorer.exe	74
PID 2384 wrote to memory of 656	2384	explorer.exe	74

C:\Users\Admin\AppData\Local\Temp\New folder\vlc-3.0.16-win32.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\vlc-3.0.16-win32.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files (x86)\VideoLAN\VLC\vlc-cache-gen.exe
  "C:\Program Files (x86)\VideoLAN\VLC\vlc-cache-gen.exe" C:\Program Files (x86)\VideoLAN\VLC\plugins
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2560
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe"
  2⤵
  PID:1144

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
  "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads