5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a

General

Target

5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
Size

2.0MB
MD5

308ba50b58f386adfc787ca380002cd1
SHA1

1172a6183ae0a119cb7c0aa0bd910b24dde15a2f
SHA256

5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a
SHA512

7158d0e5f562a5f5fe1eef8e12b95222f1b08c962311aa73f81fca8ca1621e84711891584859b47b44fbadf1e95e3c1b0b9644d13592b100f26df727e4d90e29
SSDEEP

49152:f4EheAoP8dmPTRuITqGMbZ22tDR0YeHjJzrteTqAQ7vKwHSO:fDOdMbZ2id0YYJzrBv

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3016-132-0x00000000009E0000-0x0000000000DF8000-memory.dmp	vmprotect
behavioral2/memory/3016-133-0x00000000009E0000-0x0000000000DF8000-memory.dmp	vmprotect
behavioral2/memory/3016-136-0x00000000009E0000-0x0000000000DF8000-memory.dmp	vmprotect
behavioral2/memory/3016-143-0x00000000009E0000-0x0000000000DF8000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe

pid process

3016 5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe

pid	process
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe

description	pid	process	target process
PID 3016 wrote to memory of 4924	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 4924	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 4924	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 2732	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 2732	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 2732	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3048	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3048	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3048	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 4484	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 4484	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 4484	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 1588	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 1588	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 1588	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3844	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3844	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3844	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3208	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3208	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3208	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 2644	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 2644	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 2644	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3688	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3688	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3688	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 5040	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 5040	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 5040	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 2748	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 2748	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 2748	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 5028	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 5028	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 5028	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 228	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 228	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 228	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 116	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 116	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 116	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 2684	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 2684	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 2684	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3644	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3644	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3644	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 872	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 872	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 872	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 4180	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 4180	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 4180	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 5084	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 5084	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 5084	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3360	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3360	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 3360	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 5012	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 5012	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 5012	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe
PID 3016 wrote to memory of 4556	3016	5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe
"C:\Users\Admin\AppData\Local\Temp\5d8cd7711e8df82f888e96eb8f08548431120f9a2edcfc51127a8331bb4d218a.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/116-151-0x0000000000000000-mapping.dmp

Download
memory/228-150-0x0000000000000000-mapping.dmp

Download
memory/524-199-0x0000000000000000-mapping.dmp

Download
memory/692-172-0x0000000000000000-mapping.dmp

Download
memory/872-154-0x0000000000000000-mapping.dmp

Download
memory/1420-173-0x0000000000000000-mapping.dmp

Download
memory/1432-185-0x0000000000000000-mapping.dmp

Download
memory/1556-168-0x0000000000000000-mapping.dmp

Download
memory/1584-169-0x0000000000000000-mapping.dmp

Download
memory/1588-141-0x0000000000000000-mapping.dmp

Download
memory/1632-187-0x0000000000000000-mapping.dmp

Download
memory/1656-167-0x0000000000000000-mapping.dmp

Download
memory/1780-160-0x0000000000000000-mapping.dmp

Download
memory/1812-161-0x0000000000000000-mapping.dmp

Download
memory/1908-198-0x0000000000000000-mapping.dmp

Download
memory/1996-189-0x0000000000000000-mapping.dmp

Download
memory/2104-171-0x0000000000000000-mapping.dmp

Download
memory/2192-201-0x0000000000000000-mapping.dmp

Download
memory/2340-193-0x0000000000000000-mapping.dmp

Download
memory/2572-195-0x0000000000000000-mapping.dmp

Download
memory/2592-181-0x0000000000000000-mapping.dmp

Download
memory/2632-182-0x0000000000000000-mapping.dmp

Download
memory/2644-145-0x0000000000000000-mapping.dmp

Download
memory/2664-191-0x0000000000000000-mapping.dmp

Download
memory/2684-152-0x0000000000000000-mapping.dmp

Download
memory/2696-196-0x0000000000000000-mapping.dmp

Download
memory/2732-138-0x0000000000000000-mapping.dmp

Download
memory/2748-148-0x0000000000000000-mapping.dmp

Download
memory/2964-180-0x0000000000000000-mapping.dmp

Download
memory/2972-194-0x0000000000000000-mapping.dmp

Download
memory/3016-143-0x00000000009E0000-0x0000000000DF8000-memory.dmp

Filesize
4.1MB

Download
memory/3016-136-0x00000000009E0000-0x0000000000DF8000-memory.dmp

Filesize
4.1MB

Download
memory/3016-133-0x00000000009E0000-0x0000000000DF8000-memory.dmp

Filesize
4.1MB

Download
memory/3016-132-0x00000000009E0000-0x0000000000DF8000-memory.dmp

Filesize
4.1MB

Download
memory/3048-139-0x0000000000000000-mapping.dmp

Download
memory/3208-144-0x0000000000000000-mapping.dmp

Download
memory/3248-179-0x0000000000000000-mapping.dmp

Download
memory/3252-166-0x0000000000000000-mapping.dmp

Download
memory/3308-163-0x0000000000000000-mapping.dmp

Download
memory/3360-157-0x0000000000000000-mapping.dmp

Download
memory/3396-165-0x0000000000000000-mapping.dmp

Download
memory/3460-190-0x0000000000000000-mapping.dmp

Download
memory/3512-176-0x0000000000000000-mapping.dmp

Download
memory/3644-153-0x0000000000000000-mapping.dmp

Download
memory/3688-146-0x0000000000000000-mapping.dmp

Download
memory/3844-142-0x0000000000000000-mapping.dmp

Download
memory/3928-197-0x0000000000000000-mapping.dmp

Download
memory/4068-175-0x0000000000000000-mapping.dmp

Download
memory/4120-174-0x0000000000000000-mapping.dmp

Download
memory/4180-155-0x0000000000000000-mapping.dmp

Download
memory/4192-170-0x0000000000000000-mapping.dmp

Download
memory/4228-184-0x0000000000000000-mapping.dmp

Download
memory/4324-162-0x0000000000000000-mapping.dmp

Download
memory/4428-164-0x0000000000000000-mapping.dmp

Download
memory/4484-140-0x0000000000000000-mapping.dmp

Download
memory/4556-159-0x0000000000000000-mapping.dmp

Download
memory/4704-177-0x0000000000000000-mapping.dmp

Download
memory/4788-178-0x0000000000000000-mapping.dmp

Download
memory/4800-183-0x0000000000000000-mapping.dmp

Download
memory/4864-186-0x0000000000000000-mapping.dmp

Download
memory/4888-200-0x0000000000000000-mapping.dmp

Download
memory/4924-137-0x0000000000000000-mapping.dmp

Download
memory/4960-188-0x0000000000000000-mapping.dmp

Download
memory/4996-192-0x0000000000000000-mapping.dmp

Download
memory/5012-158-0x0000000000000000-mapping.dmp

Download
memory/5028-149-0x0000000000000000-mapping.dmp

Download
memory/5040-147-0x0000000000000000-mapping.dmp

Download
memory/5084-156-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads