868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0

Analysis

max time kernel
55s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
15/04/2022, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
Size

2.8MB
MD5

19fb0fd22c8d8b7d2d54821b3a170361
SHA1

af9aded796b0f2d0499fdee537a4008f3451921e
SHA256

868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0
SHA512

e18f37b44ceb99f13f74bc74afe3e0c6bd324bb3143425466e4b208c6b0a8f5ed58465ca04a26d9cd9c40cd655d10c247f4310494bb245121bc72757e04fda5a

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1172	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	28
PID 1664 wrote to memory of 1172	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	28
PID 1664 wrote to memory of 1172	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	28
PID 1664 wrote to memory of 1172	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	28
PID 1664 wrote to memory of 1172	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	28
PID 1664 wrote to memory of 1172	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	28
PID 1664 wrote to memory of 1172	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	28
PID 1664 wrote to memory of 1140	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	29
PID 1664 wrote to memory of 1140	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	29
PID 1664 wrote to memory of 1140	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	29
PID 1664 wrote to memory of 1140	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	29
PID 1664 wrote to memory of 1140	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	29
PID 1664 wrote to memory of 1140	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	29
PID 1664 wrote to memory of 1140	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	29
PID 1664 wrote to memory of 2000	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	30
PID 1664 wrote to memory of 2000	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	30
PID 1664 wrote to memory of 2000	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	30
PID 1664 wrote to memory of 2000	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	30
PID 1664 wrote to memory of 2000	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	30
PID 1664 wrote to memory of 2000	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	30
PID 1664 wrote to memory of 2000	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	30
PID 1664 wrote to memory of 2012	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	31
PID 1664 wrote to memory of 2012	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	31
PID 1664 wrote to memory of 2012	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	31
PID 1664 wrote to memory of 2012	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	31
PID 1664 wrote to memory of 2012	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	31
PID 1664 wrote to memory of 2012	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	31
PID 1664 wrote to memory of 2012	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	31
PID 1664 wrote to memory of 2016	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	32
PID 1664 wrote to memory of 2016	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	32
PID 1664 wrote to memory of 2016	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	32
PID 1664 wrote to memory of 2016	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	32
PID 1664 wrote to memory of 2016	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	32
PID 1664 wrote to memory of 2016	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	32
PID 1664 wrote to memory of 2016	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	32
PID 1664 wrote to memory of 1288	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	33
PID 1664 wrote to memory of 1288	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	33
PID 1664 wrote to memory of 1288	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	33
PID 1664 wrote to memory of 1288	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	33
PID 1664 wrote to memory of 1288	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	33
PID 1664 wrote to memory of 1288	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	33
PID 1664 wrote to memory of 1288	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	33
PID 1664 wrote to memory of 1176	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	34
PID 1664 wrote to memory of 1176	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	34
PID 1664 wrote to memory of 1176	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	34
PID 1664 wrote to memory of 1176	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	34
PID 1664 wrote to memory of 1176	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	34
PID 1664 wrote to memory of 1176	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	34
PID 1664 wrote to memory of 1176	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	34
PID 1664 wrote to memory of 1980	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	35
PID 1664 wrote to memory of 1980	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	35
PID 1664 wrote to memory of 1980	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	35
PID 1664 wrote to memory of 1980	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	35
PID 1664 wrote to memory of 1980	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	35
PID 1664 wrote to memory of 1980	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	35
PID 1664 wrote to memory of 1980	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	35
PID 1664 wrote to memory of 1968	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	36
PID 1664 wrote to memory of 1968	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	36
PID 1664 wrote to memory of 1968	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	36
PID 1664 wrote to memory of 1968	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	36
PID 1664 wrote to memory of 1968	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	36
PID 1664 wrote to memory of 1968	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	36
PID 1664 wrote to memory of 1968	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	36
PID 1664 wrote to memory of 1688	1664	868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe	37

C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
"C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1140
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1288
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1176
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1980
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1952
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:776
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1404
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:332
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1208
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:600
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:328
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1804
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:432
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1120
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:844
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1252
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1368
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1212
- C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe
  "C:\Users\Admin\AppData\Local\Temp\868bf5904a98abaa17511a14f7ee304f8cb73c95d616f056d7f51c3a3653aaf0.exe"
  2⤵
  PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1664-54-0x0000000000210000-0x00000000004E4000-memory.dmp

Filesize
2.8MB

Download
memory/1664-55-0x00000000022E0000-0x0000000002370000-memory.dmp

Filesize
576KB

Download
memory/1664-56-0x0000000000790000-0x00000000007AC000-memory.dmp

Filesize
112KB

Download