masslogger | 4b577a26e261acd8767d96e02aad2c523ca3a1244e9ce2f31ae3afac35b58ce2

General

Target

NEWPO9399172.exe
Size

912KB
MD5

5737d1acc70ed4c7085a9e69b9e7216e
SHA1

0601ecdf6c8e7559a405855756a80cda08407b38
SHA256

0fe7af2933781cea89408cc70b9563727d7d4e96dc9a7d18d8d92460823e0a9f
SHA512

639bcf98fbb7c5f8bd5e1b8691f83a9d59671fa1cef45590d14998e7e3ecbde975d2ead61109d3692dd8aa80f0d8d87c7da99f860632abb610eb70b706a35832

Score

10^/10

masslogger collection ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\0F48153F20\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 10 Pro 64bit Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/20/2022 11:27:22 PM MassLogger Started: 5/20/2022 11:27:19 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\VideoLAN\vlc.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Window Searcher ||> Disabled <|| Downloader ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> NA

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file
Executes dropped EXE 2 IoCs

Processes:

vlc.exevlc.exe

pid process

980 vlc.exe
804 vlc.exe

yara_rule
masslogger_log_file

pid	process
980	vlc.exe
804	vlc.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NEWPO9399172.exevlc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	NEWPO9399172.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	vlc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

Processes:

vlc.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	vlc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	vlc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vlc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	vlc.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	vlc.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	vlc.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vlc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	vlc.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vlc.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	vlc.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 api.ipify.org
44 api.ipify.org

flow	ioc
34	api.ipify.org
44	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

NEWPO9399172.exevlc.exe

description	pid	process	target process
PID 2408 set thread context of 1968	2408	NEWPO9399172.exe	NEWPO9399172.exe
PID 980 set thread context of 804	980	vlc.exe	vlc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2716 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2472 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

804 vlc.exe

pid	process
2716	schtasks.exe

pid	process
2472	timeout.exe

pid	process
804	vlc.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

NEWPO9399172.exeNEWPO9399172.exevlc.exevlc.exe

pid	process
2408	NEWPO9399172.exe
2408	NEWPO9399172.exe
2408	NEWPO9399172.exe
2408	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
1968	NEWPO9399172.exe
980	vlc.exe
980	vlc.exe
980	vlc.exe
804	vlc.exe
804	vlc.exe
804	vlc.exe
804	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

NEWPO9399172.exeNEWPO9399172.exevlc.exevlc.exe

description	pid	process
Token: SeDebugPrivilege	2408	NEWPO9399172.exe
Token: SeDebugPrivilege	1968	NEWPO9399172.exe
Token: SeDebugPrivilege	980	vlc.exe
Token: SeDebugPrivilege	804	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

804 vlc.exe

pid	process
804	vlc.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

NEWPO9399172.exeNEWPO9399172.execmd.execmd.exevlc.exe

description	pid	process	target process
PID 2408 wrote to memory of 1968	2408	NEWPO9399172.exe	NEWPO9399172.exe
PID 2408 wrote to memory of 1968	2408	NEWPO9399172.exe	NEWPO9399172.exe
PID 2408 wrote to memory of 1968	2408	NEWPO9399172.exe	NEWPO9399172.exe
PID 2408 wrote to memory of 1968	2408	NEWPO9399172.exe	NEWPO9399172.exe
PID 2408 wrote to memory of 1968	2408	NEWPO9399172.exe	NEWPO9399172.exe
PID 2408 wrote to memory of 1968	2408	NEWPO9399172.exe	NEWPO9399172.exe
PID 2408 wrote to memory of 1968	2408	NEWPO9399172.exe	NEWPO9399172.exe
PID 2408 wrote to memory of 1968	2408	NEWPO9399172.exe	NEWPO9399172.exe
PID 1968 wrote to memory of 64	1968	NEWPO9399172.exe	cmd.exe
PID 1968 wrote to memory of 64	1968	NEWPO9399172.exe	cmd.exe
PID 1968 wrote to memory of 64	1968	NEWPO9399172.exe	cmd.exe
PID 1968 wrote to memory of 2096	1968	NEWPO9399172.exe	cmd.exe
PID 1968 wrote to memory of 2096	1968	NEWPO9399172.exe	cmd.exe
PID 1968 wrote to memory of 2096	1968	NEWPO9399172.exe	cmd.exe
PID 2096 wrote to memory of 2472	2096	cmd.exe	timeout.exe
PID 2096 wrote to memory of 2472	2096	cmd.exe	timeout.exe
PID 2096 wrote to memory of 2472	2096	cmd.exe	timeout.exe
PID 64 wrote to memory of 2716	64	cmd.exe	schtasks.exe
PID 64 wrote to memory of 2716	64	cmd.exe	schtasks.exe
PID 64 wrote to memory of 2716	64	cmd.exe	schtasks.exe
PID 2096 wrote to memory of 980	2096	cmd.exe	vlc.exe
PID 2096 wrote to memory of 980	2096	cmd.exe	vlc.exe
PID 2096 wrote to memory of 980	2096	cmd.exe	vlc.exe
PID 980 wrote to memory of 804	980	vlc.exe	vlc.exe
PID 980 wrote to memory of 804	980	vlc.exe	vlc.exe
PID 980 wrote to memory of 804	980	vlc.exe	vlc.exe
PID 980 wrote to memory of 804	980	vlc.exe	vlc.exe
PID 980 wrote to memory of 804	980	vlc.exe	vlc.exe
PID 980 wrote to memory of 804	980	vlc.exe	vlc.exe
PID 980 wrote to memory of 804	980	vlc.exe	vlc.exe
PID 980 wrote to memory of 804	980	vlc.exe	vlc.exe

outlook_office_path 1 IoCs

Processes:

vlc.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe

outlook_win_path 1 IoCs

Processes:

vlc.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vlc.exe

C:\Users\Admin\AppData\Local\Temp\NEWPO9399172.exe
"C:\Users\Admin\AppData\Local\Temp\NEWPO9399172.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\NEWPO9399172.exe
"{path}"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"'
4⤵
- Creates scheduled task(s)
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7BE7.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2472

C:\Users\Admin\VideoLAN\vlc.exe
"C:\Users\Admin\VideoLAN\vlc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\VideoLAN\vlc.exe
"{path}"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEWPO9399172.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7BE7.tmp.bat

Filesize
140B

MD5
9ec760ab6d092f81ec45db1579de07ea

SHA1
f4b3958f544d598090aced3c2b7c0706125072f8

SHA256
cffbd4172a3df88cef1c0e2c8bb0eb438ee6f23118362494cc697b887ba63eed

SHA512
87c35db386c7f09c2f2a93eb7c05573d7774b12b248aee890b9334c768f3bcc2efb99c0b4ebca1c167b614478dee838ff4d1094535e6ff65bdc64c75d8e05dbd

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe

Filesize
912KB

MD5
5737d1acc70ed4c7085a9e69b9e7216e

SHA1
0601ecdf6c8e7559a405855756a80cda08407b38

SHA256
0fe7af2933781cea89408cc70b9563727d7d4e96dc9a7d18d8d92460823e0a9f

SHA512
639bcf98fbb7c5f8bd5e1b8691f83a9d59671fa1cef45590d14998e7e3ecbde975d2ead61109d3692dd8aa80f0d8d87c7da99f860632abb610eb70b706a35832

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe

Filesize
912KB

MD5
5737d1acc70ed4c7085a9e69b9e7216e

SHA1
0601ecdf6c8e7559a405855756a80cda08407b38

SHA256
0fe7af2933781cea89408cc70b9563727d7d4e96dc9a7d18d8d92460823e0a9f

SHA512
639bcf98fbb7c5f8bd5e1b8691f83a9d59671fa1cef45590d14998e7e3ecbde975d2ead61109d3692dd8aa80f0d8d87c7da99f860632abb610eb70b706a35832

Download Submit
C:\Users\Admin\VideoLAN\vlc.exe

Filesize
912KB

MD5
5737d1acc70ed4c7085a9e69b9e7216e

SHA1
0601ecdf6c8e7559a405855756a80cda08407b38

SHA256
0fe7af2933781cea89408cc70b9563727d7d4e96dc9a7d18d8d92460823e0a9f

SHA512
639bcf98fbb7c5f8bd5e1b8691f83a9d59671fa1cef45590d14998e7e3ecbde975d2ead61109d3692dd8aa80f0d8d87c7da99f860632abb610eb70b706a35832

Download Submit
memory/64-139-0x0000000000000000-mapping.dmp

Download
memory/804-150-0x0000000007FC0000-0x0000000008010000-memory.dmp

Filesize
320KB

Download
memory/804-147-0x0000000000000000-mapping.dmp

Download
memory/980-144-0x0000000000000000-mapping.dmp

Download
memory/1968-135-0x0000000000000000-mapping.dmp

Download
memory/1968-138-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/1968-136-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2096-140-0x0000000000000000-mapping.dmp

Download
memory/2408-130-0x00000000009E0000-0x0000000000AC8000-memory.dmp

Filesize
928KB

Download
memory/2408-134-0x0000000008210000-0x00000000082AC000-memory.dmp

Filesize
624KB

Download
memory/2408-133-0x0000000005470000-0x000000000547A000-memory.dmp

Filesize
40KB

Download
memory/2408-132-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/2408-131-0x0000000005950000-0x0000000005EF4000-memory.dmp

Filesize
5.6MB

Download
memory/2472-142-0x0000000000000000-mapping.dmp

Download
memory/2716-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads