bb7a3834b1e8f94560df24fbfc744f8fc6771f40eb5cb66bd5844134c4838944

Analysis

max time kernel
85s
max time network
118s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-04-2023 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CellebriteReader.exe
Size

521.2MB
MD5

4ee6c8c467042231f679373b235a3277
SHA1

473b6be91286e95af2c5f4dc020fb0a0cfb8a64e
SHA256

bb7a3834b1e8f94560df24fbfc744f8fc6771f40eb5cb66bd5844134c4838944
SHA512

ca0a8356109a86b1dbea3d57ba642f88f979e34400dca37f9002e7501808bc0400dcb135eef8118ae573a6a99eb8f3501cc8eba88924ea13bfffdaad38321135
SSDEEP

6291456:merX4TNsSd5LTgMFz2KJbTbOA2yeCpc8xFs5:mu4iSvTysZPe2xs

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 14 IoCs

Processes:

CellebriteReader.exe

pid	process
1440	CellebriteReader.exe
1440	CellebriteReader.exe
1440	CellebriteReader.exe
1440	CellebriteReader.exe
1440	CellebriteReader.exe
1440	CellebriteReader.exe
1440	CellebriteReader.exe
1440	CellebriteReader.exe
1440	CellebriteReader.exe
1440	CellebriteReader.exe
1440	CellebriteReader.exe
1440	CellebriteReader.exe
1440	CellebriteReader.exe
1440	CellebriteReader.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE

Modifies registry class 64 IoCs

Processes:

vlc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616193"	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	vlc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_FolderType = "{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}"	vlc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3"	vlc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{631958A6-AD0F-4035-A745-28AC066DC6ED}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "96"	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	vlc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "1"	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{631958A6-AD0F-4035-A745-28AC066DC6ED}	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3	vlc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\TV_FolderType = "{292108BE-88AB-4F33-9A26-7748E62E37AD}"	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 9e0000001a00eebbfe23000010009fae90a93ba0804e94bc9912d750410400002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbeebaa2b0b4200ca4daa4d3ee8648d03e58207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	vlc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	vlc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	vlc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0\MRUListEx = ffffffff	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{631958A6-AD0F-4035-A745-28AC066DC6ED}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000900444648b4cd1118b70080036b11a030300000078000000	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	vlc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 9e0000001a00eebbfe23000010002f921e494356f44aa7eb4e7a138d817400002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbea65819630fad3540a74528ac066dc6ed8207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0 = c80500009805811914106e052000000000600000000000000000000000000000000000000000000000000001000029000000315350533c0af1e4e6495d408288a23bd4eeaa6c0d00000064000000000100000000000000240100003153505340e83e1e2bbc6c4782372acd1a839b2211000000140000000003000000010000002500000003000000001f100000010000000700000066006f006c00640065007200000000007500000011000000001f000000310000007b00310036003800350044003400410042002d0041003500310042002d0034004100460031002d0041003400450035002d004300450045003800370030003000320034003300310044007d002e004d006500720067006500200041006e007900000000005d00000008000000001f0000002500000043003a005c00550073006500720073005c005000750062006c00690063005c0056006900640065006f0073005c00530061006d0070006c006500200056006900640065006f0073000000000000000000940000003153505330f125b7ef471a10a5f102608c9eebac2900000004000000001f0000000c000000460069006c006500200066006f006c0064006500720000000d0000000c0000000001000000150000000e0000000040000000006d8c293f04ca012d0000000a000000001f0000000e000000530061006d0070006c006500200056006900640065006f007300000000000000ac02000031535053a66a63283d95d211b5d600c04fd918d02d0200002000000000111000001b02000014001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000074003100000000005456b4b61100557365727300600008000400efbeee3a851a5456b4b62a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d00320031003800310033000000140078003100000000008c3e854311005075626c69630000620008000400efbeee3a851a8c3e85432a0000007c0200000000010000000000000000003800000000005000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016007800310000000000ee3acd261100566964656f730000620008000400efbeee3a851aee3acc262a0000008802000000000100000000000000000038000000000056006900640065006f007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380030003400000016008800310000000000ee3acd26110053414d504c457e310000700008000400efbeee3a142cee3a142c2a00000089020000000001000000000000000000460000000000530061006d0070006c006500200056006900640065006f007300000040007300680065006c006c00330032002e0064006c006c002c002d003200310038003000370000001800000000110000001900000000130000007f018070250000000b000000001f0000000a0000004400690072006500630074006f007200790000002d00000018000000001f0000000e000000530061006d0070006c006500200056006900640065006f0073000000000000002d00000031535053901c6949177e1a10a91c08002b2ecda91100000003000000000300000000000000000000002d00000031535053c0e85bcf6c23d34abacecd608a2748d71100000064000000000b000000ffff0000000000003100000031535053b1166d44ad8d7048a748402ea43d788c15000000640000000015000000126e49bf82cad6b3000000002900000031535053f4767d7a30b6d74b95ff37cc51a975c90d000000020000000001000000000000002900000031535053fcb3b4b9512b424ab5d8324146afcf250d000000080000000001000000000000000000000000002a0000000000efbebe082129ab88334f9a267748e62e37ad8207ba827a5b6945b5d7ec83085f08cc9e050000	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_Classes\Local Settings	vlc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	vlc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\TV_TopViewVersion = "0"	vlc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\TV_FolderType = "{631958A6-AD0F-4035-A745-28AC066DC6ED}"	vlc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{631958A6-AD0F-4035-A745-28AC066DC6ED}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "3"	vlc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{631958A6-AD0F-4035-A745-28AC066DC6ED}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616193"	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	vlc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "3"	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	vlc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a0000000e0859ff2f94f6810ab9108002b27b3d9050000005800000030f125b7ef471a10a5f102608c9eebac0c00000050000000920444648b4cd1118b70080036b11a030900000060000000	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{631958A6-AD0F-4035-A745-28AC066DC6ED}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = 00000000ffffffff	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3 = 740000001a00eebbfe23000010002f921e494356f44aa7eb4e7a138d817400002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000001900efbea65819630fad3540a74528ac066dc6ed8207ba827a5b6945b5d7ec83085f08cc20000000	vlc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	vlc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616193"	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{631958A6-AD0F-4035-A745-28AC066DC6ED}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	vlc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	vlc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000020000000100000000000000ffffffff	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	vlc.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

CellebriteReader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	CellebriteReader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CellebriteReader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CellebriteReader.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

POWERPNT.EXEvlc.exe

pid process

944 POWERPNT.EXE
1212 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1212 vlc.exe

pid	process
944	POWERPNT.EXE
1212	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AUDIODG.EXEvlc.exe

description	pid	process
Token: 33	2228	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2228	AUDIODG.EXE
Token: 33	2228	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2228	AUDIODG.EXE
Token: 33	1212	vlc.exe
Token: SeIncBasePriorityPrivilege	1212	vlc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

vlc.exe

pid	process
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe
1212	vlc.exe

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

vlc.exe

pid process

1212 vlc.exe
1212 vlc.exe
1212 vlc.exe
1212 vlc.exe
1212 vlc.exe
1212 vlc.exe
1212 vlc.exe
1212 vlc.exe
1212 vlc.exe
1212 vlc.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

POWERPNT.EXEvlc.exe

pid process

944 POWERPNT.EXE
944 POWERPNT.EXE
1212 vlc.exe
1212 vlc.exe

pid	process
944	POWERPNT.EXE
944	POWERPNT.EXE
1212	vlc.exe
1212	vlc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

POWERPNT.EXE

description	pid	process	target process
PID 944 wrote to memory of 1164	944	POWERPNT.EXE	splwow64.exe
PID 944 wrote to memory of 1164	944	POWERPNT.EXE	splwow64.exe
PID 944 wrote to memory of 1164	944	POWERPNT.EXE	splwow64.exe
PID 944 wrote to memory of 1164	944	POWERPNT.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\CellebriteReader.exe
"C:\Users\Admin\AppData\Local\Temp\CellebriteReader.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
PID:1440

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\TraceRemove.pptx"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1164

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9A9D.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CommonERM.dll
Filesize
485KB

MD5
7430bf25a02a37330b1c8515f09dc6d7

SHA1
b4b01fbaa30ac69079b278879890776d7dc406dc

SHA256
3afeee07cafb768c249e2d7ae84c7e5cc2fee096e0be6a8754693aedea972829

SHA512
6084012fd2b650e863951f8edd0a603debb4e50ba1b8fe44ac3459b56f6e445813b354f3568c0a8851f9df19d3b8b19b5ab06a903b1a4356ba7a9ffd81e923f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
288KB

MD5
b3ecb7645717e4e0b3daaacbedc7962d

SHA1
6f4fa9e4dd4d15cda757c527921248ad6f914ad2

SHA256
75551655a7473aa582e64dca59d2ae97fa2ba0293b05a0bbc69be001621f32d9

SHA512
5dab84eb7fbe8c3cd30ac67b987c8cad98e9145435bb72957ff1744ba0e09947a34d24e3133209d8f9332a552cc43a950d05a099cc00efdce530ca9dd5b3395c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD55F.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD729.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
Filesize
90B

MD5
1189c6eef69065e0ece2f5cbb0a158df

SHA1
ebc63f25258046cf6a9540fe5a763413ebe8fac1

SHA256
bc4fd68df688d83b59910a4dd8c740a8a3abfc8b4d0ee529c0002d2dfb3bcc5e

SHA512
2b984ccbd329f134f8e1985281474857e3f29819465398ecbdf0dfe5733476cabf2dfeb079157a7d455efee35e56deb44027d48d2400ab39f5ae74ce41bc2019

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc.1212
Filesize
93KB

MD5
478a4a09f4f74e97335cd4d5e9da7ab5

SHA1
3c4f1dc52a293f079095d0b0370428ec8e8f9315

SHA256
884b59950669842f3c45e6da3480cd9a553538b951fb155b435b48ff38683974

SHA512
e96719663cd264132a8e1ea8c3f8a148c778a0c68caa2468ba47629393605b197dd9e00efad91f389de9fcc77b04981a0cf87f785f3c645cdc9e4ebd98060ca1

Download Submit
\Users\Admin\AppData\Local\Temp\CefSharp.dll
Filesize
221KB

MD5
87e6a6b7cf19961bb608b4ea2b02e66b

SHA1
bd84586d4c1277cf2be91e9d8212b22a612cb0a8

SHA256
9c2dd6803e0a02a2ded6f0b0fd1a2e509aec49a03fa33af6a02763e4d35e0c31

SHA512
58491a89096fa25aae0814f41938664d156fe2479827f09145b9f2d62ee39b8fb8bec4e6193608b1cc5eebe5995f4f6b049005770769d3795ce005425f192fa0

Download Submit
\Users\Admin\AppData\Local\Temp\CefSharp.dll
Filesize
221KB

MD5
87e6a6b7cf19961bb608b4ea2b02e66b

SHA1
bd84586d4c1277cf2be91e9d8212b22a612cb0a8

SHA256
9c2dd6803e0a02a2ded6f0b0fd1a2e509aec49a03fa33af6a02763e4d35e0c31

SHA512
58491a89096fa25aae0814f41938664d156fe2479827f09145b9f2d62ee39b8fb8bec4e6193608b1cc5eebe5995f4f6b049005770769d3795ce005425f192fa0

Download Submit
\Users\Admin\AppData\Local\Temp\CommonERM.dll
Filesize
485KB

MD5
7430bf25a02a37330b1c8515f09dc6d7

SHA1
b4b01fbaa30ac69079b278879890776d7dc406dc

SHA256
3afeee07cafb768c249e2d7ae84c7e5cc2fee096e0be6a8754693aedea972829

SHA512
6084012fd2b650e863951f8edd0a603debb4e50ba1b8fe44ac3459b56f6e445813b354f3568c0a8851f9df19d3b8b19b5ab06a903b1a4356ba7a9ffd81e923f0

Download Submit
\Users\Admin\AppData\Local\Temp\CommonERM.dll
Filesize
485KB

MD5
7430bf25a02a37330b1c8515f09dc6d7

SHA1
b4b01fbaa30ac69079b278879890776d7dc406dc

SHA256
3afeee07cafb768c249e2d7ae84c7e5cc2fee096e0be6a8754693aedea972829

SHA512
6084012fd2b650e863951f8edd0a603debb4e50ba1b8fe44ac3459b56f6e445813b354f3568c0a8851f9df19d3b8b19b5ab06a903b1a4356ba7a9ffd81e923f0

Download Submit
\Users\Admin\AppData\Local\Temp\CommonERM.dll
Filesize
485KB

MD5
7430bf25a02a37330b1c8515f09dc6d7

SHA1
b4b01fbaa30ac69079b278879890776d7dc406dc

SHA256
3afeee07cafb768c249e2d7ae84c7e5cc2fee096e0be6a8754693aedea972829

SHA512
6084012fd2b650e863951f8edd0a603debb4e50ba1b8fe44ac3459b56f6e445813b354f3568c0a8851f9df19d3b8b19b5ab06a903b1a4356ba7a9ffd81e923f0

Download Submit
\Users\Admin\AppData\Local\Temp\CommonERM.dll
Filesize
485KB

MD5
7430bf25a02a37330b1c8515f09dc6d7

SHA1
b4b01fbaa30ac69079b278879890776d7dc406dc

SHA256
3afeee07cafb768c249e2d7ae84c7e5cc2fee096e0be6a8754693aedea972829

SHA512
6084012fd2b650e863951f8edd0a603debb4e50ba1b8fe44ac3459b56f6e445813b354f3568c0a8851f9df19d3b8b19b5ab06a903b1a4356ba7a9ffd81e923f0

Download Submit
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
288KB

MD5
b3ecb7645717e4e0b3daaacbedc7962d

SHA1
6f4fa9e4dd4d15cda757c527921248ad6f914ad2

SHA256
75551655a7473aa582e64dca59d2ae97fa2ba0293b05a0bbc69be001621f32d9

SHA512
5dab84eb7fbe8c3cd30ac67b987c8cad98e9145435bb72957ff1744ba0e09947a34d24e3133209d8f9332a552cc43a950d05a099cc00efdce530ca9dd5b3395c

Download Submit
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
288KB

MD5
b3ecb7645717e4e0b3daaacbedc7962d

SHA1
6f4fa9e4dd4d15cda757c527921248ad6f914ad2

SHA256
75551655a7473aa582e64dca59d2ae97fa2ba0293b05a0bbc69be001621f32d9

SHA512
5dab84eb7fbe8c3cd30ac67b987c8cad98e9145435bb72957ff1744ba0e09947a34d24e3133209d8f9332a552cc43a950d05a099cc00efdce530ca9dd5b3395c

Download Submit
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
288KB

MD5
b3ecb7645717e4e0b3daaacbedc7962d

SHA1
6f4fa9e4dd4d15cda757c527921248ad6f914ad2

SHA256
75551655a7473aa582e64dca59d2ae97fa2ba0293b05a0bbc69be001621f32d9

SHA512
5dab84eb7fbe8c3cd30ac67b987c8cad98e9145435bb72957ff1744ba0e09947a34d24e3133209d8f9332a552cc43a950d05a099cc00efdce530ca9dd5b3395c

Download Submit
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
288KB

MD5
b3ecb7645717e4e0b3daaacbedc7962d

SHA1
6f4fa9e4dd4d15cda757c527921248ad6f914ad2

SHA256
75551655a7473aa582e64dca59d2ae97fa2ba0293b05a0bbc69be001621f32d9

SHA512
5dab84eb7fbe8c3cd30ac67b987c8cad98e9145435bb72957ff1744ba0e09947a34d24e3133209d8f9332a552cc43a950d05a099cc00efdce530ca9dd5b3395c

Download Submit
\Users\Admin\AppData\Local\Temp\libeay32.dll
Filesize
2.2MB

MD5
54c61976fa3e68a06ae171e6de256003

SHA1
c4949c398e9b5a878634d07c19b92c2ee557241a

SHA256
d98bb0a0bcbb5332c4ed1fc2d11b2d5b456a3e863890e5476e0adda9fd2310f0

SHA512
9eaca66467e85875a09f8a478337b7a9f116c26034ea89030790dea4ce844fc5c96c8637b66c977366313c8a783afb37e367c35168f94b6e75d0dba9f30743d9

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140.dll
Filesize
618KB

MD5
9ff712c25312821b8aec84c4f8782a34

SHA1
1a7a250d92a59c3af72a9573cffec2fcfa525f33

SHA256
517cd3aac2177a357cca6032f07ad7360ee8ca212a02dd6e1301bf6cfade2094

SHA512
5a65da337e64ea42bcc461b411ae622ce4dec1036638b1e5de4757b366875d7f13c1290f2ee345f358994f648c5941db35aa5d2313f547605508fd2bcc047e33

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
1.2MB

MD5
28ab35ca1a3804109f43177552446c46

SHA1
dc4aea6bf488f61d09f195fc99b1128c270dce4a

SHA256
65428cf68340ebc65c399a4e8ae082ac51d31d9476180d94e8fa71d729ffdefa

SHA512
741bddff0de1a6484ac34e547cd1127597899ff893f73beeb9a15c5ec989a48bae8526f88df9af7cd7d1ba141e86278a0a7b32c3835b8d50d2ea9bc8a7a0499e

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140.dll
Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
memory/944-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/944-183-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1212-407-0x000007FEE5C60000-0x000007FEE5CCF000-memory.dmp

Filesize
444KB

Download
memory/1212-397-0x000007FEE5E10000-0x000007FEE5E4F000-memory.dmp

Filesize
252KB

Download
memory/1212-419-0x000007FEE5950000-0x000007FEE5963000-memory.dmp

Filesize
76KB

Download
memory/1212-418-0x000007FEE5970000-0x000007FEE59DD000-memory.dmp

Filesize
436KB

Download
memory/1212-416-0x000007FEE59E0000-0x000007FEE5A42000-memory.dmp

Filesize
392KB

Download
memory/1212-415-0x000007FEE5A50000-0x000007FEE5AC5000-memory.dmp

Filesize
468KB

Download
memory/1212-414-0x000007FEE5AD0000-0x000007FEE5B95000-memory.dmp

Filesize
788KB

Download
memory/1212-421-0x000007FEE58E0000-0x000007FEE5930000-memory.dmp

Filesize
320KB

Download
memory/1212-413-0x000007FEE5BA0000-0x000007FEE5BB6000-memory.dmp

Filesize
88KB

Download
memory/1212-412-0x000007FEE5BC0000-0x000007FEE5BD1000-memory.dmp

Filesize
68KB

Download
memory/1212-411-0x000007FEE5BE0000-0x000007FEE5C0F000-memory.dmp

Filesize
188KB

Download
memory/1212-410-0x000007FEF1E60000-0x000007FEF1E70000-memory.dmp

Filesize
64KB

Download
memory/1212-409-0x000007FEE5C10000-0x000007FEE5C34000-memory.dmp

Filesize
144KB

Download
memory/1212-408-0x000007FEE5C40000-0x000007FEE5C51000-memory.dmp

Filesize
68KB

Download
memory/1212-422-0x000007FEE5820000-0x000007FEE58DD000-memory.dmp

Filesize
756KB

Download
memory/1212-405-0x000007FEE5D00000-0x000007FEE5D18000-memory.dmp

Filesize
96KB

Download
memory/1212-406-0x000007FEE5CD0000-0x000007FEE5D00000-memory.dmp

Filesize
192KB

Download
memory/1212-398-0x000007FEE5DE0000-0x000007FEE5E01000-memory.dmp

Filesize
132KB

Download
memory/1212-404-0x000007FEE5D20000-0x000007FEE5D31000-memory.dmp

Filesize
68KB

Download
memory/1212-403-0x000007FEE5D40000-0x000007FEE5D5B000-memory.dmp

Filesize
108KB

Download
memory/1212-402-0x000007FEE5D60000-0x000007FEE5D71000-memory.dmp

Filesize
68KB

Download
memory/1212-401-0x000007FEE5D80000-0x000007FEE5D91000-memory.dmp

Filesize
68KB

Download
memory/1212-400-0x000007FEE5DA0000-0x000007FEE5DB1000-memory.dmp

Filesize
68KB

Download
memory/1212-399-0x000007FEE5DC0000-0x000007FEE5DD8000-memory.dmp

Filesize
96KB

Download
memory/1212-395-0x000007FEE5E70000-0x000007FEE6070000-memory.dmp

Filesize
2.0MB

Download
memory/1212-420-0x000007FEE5930000-0x000007FEE5944000-memory.dmp

Filesize
80KB

Download
memory/1212-396-0x000007FEE5E50000-0x000007FEE5E67000-memory.dmp

Filesize
92KB

Download
memory/1212-393-0x000007FEE9B70000-0x000007FEEAC1B000-memory.dmp

Filesize
16.7MB

Download
memory/1212-386-0x000007FEEBD70000-0x000007FEEC024000-memory.dmp

Filesize
2.7MB

Download
memory/1212-423-0x000007FEE57F0000-0x000007FEE5820000-memory.dmp

Filesize
192KB

Download
memory/1212-424-0x000007FEE4040000-0x000007FEE57F0000-memory.dmp

Filesize
23.7MB

Download
memory/1212-425-0x000007FEE3ED0000-0x000007FEE4040000-memory.dmp

Filesize
1.4MB

Download
memory/1212-361-0x000007FEEF3B0000-0x000007FEEF417000-memory.dmp

Filesize
412KB

Download
memory/1212-356-0x000007FEE9B70000-0x000007FEEAC1B000-memory.dmp

Filesize
16.7MB

Download
memory/1212-353-0x000007FEF63A0000-0x000007FEF63BD000-memory.dmp

Filesize
116KB

Download
memory/1212-354-0x000007FEF5D50000-0x000007FEF5D61000-memory.dmp

Filesize
68KB

Download
memory/1212-351-0x000007FEF63C0000-0x000007FEF63D7000-memory.dmp

Filesize
92KB

Download
memory/1212-345-0x000007FEF6480000-0x000007FEF6498000-memory.dmp

Filesize
96KB

Download
memory/1212-348-0x000007FEF6440000-0x000007FEF6451000-memory.dmp

Filesize
68KB

Download
memory/1212-347-0x000007FEF6460000-0x000007FEF6477000-memory.dmp

Filesize
92KB

Download
memory/1212-343-0x000007FEEBD70000-0x000007FEEC024000-memory.dmp

Filesize
2.7MB

Download
memory/1212-341-0x000007FEF69C0000-0x000007FEF69F4000-memory.dmp

Filesize
208KB

Download
memory/1212-339-0x000000013F7E0000-0x000000013F8D8000-memory.dmp

Filesize
992KB

Download
memory/1212-426-0x000007FEE3EB0000-0x000007FEE3EC2000-memory.dmp

Filesize
72KB

Download
memory/1212-427-0x000007FEE3E60000-0x000007FEE3EA2000-memory.dmp

Filesize
264KB

Download
memory/1212-428-0x000007FEE3E10000-0x000007FEE3E5C000-memory.dmp

Filesize
304KB

Download
memory/1212-429-0x000007FEE3CA0000-0x000007FEE3E0B000-memory.dmp

Filesize
1.4MB

Download
memory/1212-430-0x000007FEE3C40000-0x000007FEE3C97000-memory.dmp

Filesize
348KB

Download
memory/1212-431-0x000007FEE39F0000-0x000007FEE3C3B000-memory.dmp

Filesize
2.3MB

Download
memory/1212-293-0x00000000048D0000-0x00000000048E0000-memory.dmp

Filesize
64KB

Download
memory/1212-432-0x000007FEE37D0000-0x000007FEE39ED000-memory.dmp

Filesize
2.1MB

Download
memory/1212-433-0x000007FEE37B0000-0x000007FEE37C5000-memory.dmp

Filesize
84KB

Download
memory/1440-227-0x000000003FEF0000-0x000000003FFE6000-memory.dmp

Filesize
984KB

Download
memory/1440-268-0x000000003CB60000-0x000000003CB86000-memory.dmp

Filesize
152KB

Download
memory/1440-267-0x0000000040160000-0x00000000401AA000-memory.dmp

Filesize
296KB

Download
memory/1440-266-0x000000003FAD0000-0x000000003FB0C000-memory.dmp

Filesize
240KB

Download
memory/1440-262-0x0000000045EF0000-0x0000000045FE8000-memory.dmp

Filesize
992KB

Download
memory/1440-330-0x0000000047FE0000-0x0000000048211000-memory.dmp

Filesize
2.2MB

Download
memory/1440-261-0x0000000045D90000-0x0000000045EE8000-memory.dmp

Filesize
1.3MB

Download
memory/1440-260-0x000000003CE20000-0x000000003CE30000-memory.dmp

Filesize
64KB

Download
memory/1440-259-0x0000000045A10000-0x0000000045D90000-memory.dmp

Filesize
3.5MB

Download
memory/1440-258-0x000000003CE10000-0x000000003CE24000-memory.dmp

Filesize
80KB

Download
memory/1440-257-0x000000003CE00000-0x000000003CE0C000-memory.dmp

Filesize
48KB

Download
memory/1440-256-0x000000003FD60000-0x000000003FDCA000-memory.dmp

Filesize
424KB

Download
memory/1440-255-0x0000000040CB0000-0x0000000040D62000-memory.dmp

Filesize
712KB

Download
memory/1440-254-0x0000000041DC0000-0x0000000041EC4000-memory.dmp

Filesize
1.0MB

Download
memory/1440-253-0x000000003CCF0000-0x000000003CCFE000-memory.dmp

Filesize
56KB

Download
memory/1440-252-0x000000003CBE0000-0x000000003CBEC000-memory.dmp

Filesize
48KB

Download
memory/1440-251-0x000000003FC10000-0x000000003FC62000-memory.dmp

Filesize
328KB

Download
memory/1440-250-0x0000000045860000-0x0000000045A12000-memory.dmp

Filesize
1.7MB

Download
memory/1440-249-0x0000000041CF0000-0x0000000041DB8000-memory.dmp

Filesize
800KB

Download
memory/1440-246-0x000000003C740000-0x000000003C752000-memory.dmp

Filesize
72KB

Download
memory/1440-247-0x000000003CAC0000-0x000000003CAC6000-memory.dmp

Filesize
24KB

Download
memory/1440-248-0x000000003CAD0000-0x000000003CAD8000-memory.dmp

Filesize
32KB

Download
memory/1440-245-0x000000003C730000-0x000000003C744000-memory.dmp

Filesize
80KB

Download
memory/1440-242-0x000000003FA70000-0x000000003FACE000-memory.dmp

Filesize
376KB

Download
memory/1440-241-0x000000003CF40000-0x000000003D01C000-memory.dmp

Filesize
880KB

Download
memory/1440-240-0x000000003CA80000-0x000000003CAC2000-memory.dmp

Filesize
264KB

Download
memory/1440-239-0x000000003C710000-0x000000003C72A000-memory.dmp

Filesize
104KB

Download
memory/1440-238-0x000000003C6F0000-0x000000003C70A000-memory.dmp

Filesize
104KB

Download
memory/1440-237-0x000000003C6E0000-0x000000003C6EC000-memory.dmp

Filesize
48KB

Download
memory/1440-236-0x0000000041BD0000-0x0000000041CE6000-memory.dmp

Filesize
1.1MB

Download
memory/1440-235-0x000000003C540000-0x000000003C55A000-memory.dmp

Filesize
104KB

Download
memory/1440-234-0x000000003C530000-0x000000003C538000-memory.dmp

Filesize
32KB

Download
memory/1440-233-0x000000003C380000-0x000000003C381000-memory.dmp

Filesize
4KB

Download
memory/1440-232-0x000000003B9B0000-0x000000003BA30000-memory.dmp

Filesize
512KB

Download
memory/1440-230-0x000000003C250000-0x000000003C25A000-memory.dmp

Filesize
40KB

Download
memory/1440-231-0x000000003B9B0000-0x000000003BA30000-memory.dmp

Filesize
512KB

Download
memory/1440-229-0x0000000040040000-0x000000004015A000-memory.dmp

Filesize
1.1MB

Download
memory/1440-54-0x0000000001010000-0x0000000002010000-memory.dmp

Filesize
16.0MB

Download
memory/1440-228-0x000000003C280000-0x000000003C294000-memory.dmp

Filesize
80KB

Download
memory/1440-226-0x000000003C270000-0x000000003C278000-memory.dmp

Filesize
32KB

Download
memory/1440-225-0x000000003C250000-0x000000003C270000-memory.dmp

Filesize
128KB

Download
memory/1440-195-0x000000003C240000-0x000000003C24C000-memory.dmp

Filesize
48KB

Download
memory/1440-194-0x000000003BB80000-0x000000003BB8A000-memory.dmp

Filesize
40KB

Download
memory/1440-193-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/1440-192-0x000000003E230000-0x000000003FA74000-memory.dmp

Filesize
24.3MB

Download
memory/1440-191-0x000000003D5B0000-0x000000003E230000-memory.dmp

Filesize
12.5MB

Download
memory/1440-190-0x000000003C850000-0x000000003C9F8000-memory.dmp

Filesize
1.7MB

Download
memory/1440-189-0x000000003BCC0000-0x000000003BCE6000-memory.dmp

Filesize
152KB

Download
memory/1440-185-0x000000003C1E0000-0x000000003C23A000-memory.dmp

Filesize
360KB

Download
memory/1440-184-0x000000003BB90000-0x000000003BBA4000-memory.dmp

Filesize
80KB

Download
memory/1440-88-0x000000003B9B0000-0x000000003BA30000-memory.dmp

Filesize
512KB

Download
memory/1440-68-0x000000003B9B0000-0x000000003BA30000-memory.dmp

Filesize
512KB

Download
memory/1440-67-0x000000003B960000-0x000000003B9A6000-memory.dmp

Filesize
280KB

Download
memory/1440-66-0x000000003B930000-0x000000003B964000-memory.dmp

Filesize
208KB

Download
memory/1440-65-0x000000003B8B0000-0x000000003B926000-memory.dmp

Filesize
472KB

Download
memory/1440-64-0x0000000000EC0000-0x0000000000EE6000-memory.dmp

Filesize
152KB

Download
memory/1440-61-0x000000003BA30000-0x000000003BB58000-memory.dmp

Filesize
1.2MB

Download
memory/1440-62-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/1440-63-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/1440-60-0x00000000005F0000-0x000000000061A000-memory.dmp

Filesize
168KB

Download
memory/1440-59-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/1440-58-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/1440-57-0x0000000000540000-0x000000000055A000-memory.dmp

Filesize
104KB

Download
memory/1440-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1440-55-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads