5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a

General

Target

5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
Size

2.0MB
MD5

308ba50b58f386adfc787ca380002cd1
SHA1

1172a6183ae0a119cb7c0aa0bd910b24dde15a2f
SHA256

5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a
SHA512

7158d0e5f562a5f5fe1eef8e12b95222f1b08c962311aa73f81fca8ca1621e84711891584859b47b44fbadf1e95e3c1b0b9644d13592b100f26df727e4d90e29
SSDEEP

49152:f4EheAoP8dmPTRuITqGMbZ22tDR0YeHjJzrteTqAQ7vKwHSO:fDOdMbZ2id0YYJzrBv

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1940-54-0x0000000000F50000-0x0000000001368000-memory.dmp	vmprotect
behavioral1/memory/1940-57-0x0000000000F50000-0x0000000001368000-memory.dmp	vmprotect
behavioral1/memory/1940-59-0x0000000000F50000-0x0000000001368000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe

pid process

1940 5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe

pid	process
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe

description	pid	process	target process
PID 1940 wrote to memory of 1448	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1448	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1448	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1448	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1552	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1552	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1552	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1552	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1372	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1372	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1372	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1372	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1720	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1720	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1720	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1720	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1128	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1128	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1128	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1128	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 836	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 836	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 836	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 836	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1976	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1976	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1976	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1976	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 2028	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 2028	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 2028	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 2028	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 968	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 968	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 968	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 968	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1388	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1388	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1388	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1388	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1380	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1380	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1380	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1380	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1164	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1164	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1164	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1164	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1224	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1224	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1224	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1224	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1728	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1728	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1728	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1728	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 760	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 760	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 760	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 760	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1832	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1832	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1832	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 1940 wrote to memory of 1832	1940	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
"C:\Users\Admin\AppData\Local\Temp\5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1184

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-83-0x0000000000000000-mapping.dmp

Download
memory/316-89-0x0000000000000000-mapping.dmp

Download
memory/340-77-0x0000000000000000-mapping.dmp

Download
memory/568-78-0x0000000000000000-mapping.dmp

Download
memory/596-79-0x0000000000000000-mapping.dmp

Download
memory/760-73-0x0000000000000000-mapping.dmp

Download
memory/768-82-0x0000000000000000-mapping.dmp

Download
memory/836-64-0x0000000000000000-mapping.dmp

Download
memory/968-67-0x0000000000000000-mapping.dmp

Download
memory/1044-87-0x0000000000000000-mapping.dmp

Download
memory/1052-81-0x0000000000000000-mapping.dmp

Download
memory/1072-88-0x0000000000000000-mapping.dmp

Download
memory/1128-63-0x0000000000000000-mapping.dmp

Download
memory/1164-70-0x0000000000000000-mapping.dmp

Download
memory/1184-91-0x0000000000000000-mapping.dmp

Download
memory/1224-71-0x0000000000000000-mapping.dmp

Download
memory/1372-61-0x0000000000000000-mapping.dmp

Download
memory/1380-69-0x0000000000000000-mapping.dmp

Download
memory/1388-68-0x0000000000000000-mapping.dmp

Download
memory/1400-85-0x0000000000000000-mapping.dmp

Download
memory/1448-58-0x0000000000000000-mapping.dmp

Download
memory/1552-60-0x0000000000000000-mapping.dmp

Download
memory/1676-75-0x0000000000000000-mapping.dmp

Download
memory/1680-76-0x0000000000000000-mapping.dmp

Download
memory/1720-62-0x0000000000000000-mapping.dmp

Download
memory/1728-72-0x0000000000000000-mapping.dmp

Download
memory/1808-86-0x0000000000000000-mapping.dmp

Download
memory/1832-74-0x0000000000000000-mapping.dmp

Download
memory/1912-80-0x0000000000000000-mapping.dmp

Download
memory/1940-54-0x0000000000F50000-0x0000000001368000-memory.dmp

Filesize
4.1MB

Download
memory/1940-59-0x0000000000F50000-0x0000000001368000-memory.dmp

Filesize
4.1MB

Download
memory/1940-57-0x0000000000F50000-0x0000000001368000-memory.dmp

Filesize
4.1MB

Download
memory/1976-65-0x0000000000000000-mapping.dmp

Download
memory/2004-84-0x0000000000000000-mapping.dmp

Download
memory/2028-66-0x0000000000000000-mapping.dmp

Download
memory/2032-90-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads