6023ea55d3ff78b3642367375c276bbde744636c1d485b5bf7cf3d4609936bef

Resubmissions

12/10/2024, 18:25

241012-w213zavare 7

12/10/2024, 18:24

241012-w17t5ayfkk 7

Analysis

max time kernel
54s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bios Flash Helper.exe
Size

6.5MB
MD5

ca968d3a6dea5e46716281ceb6cd575c
SHA1

792ef05b2262577e39b0c91d57874c2326ef0dc5
SHA256

6023ea55d3ff78b3642367375c276bbde744636c1d485b5bf7cf3d4609936bef
SHA512

b4b62663e9f08b29569cae12b8184366dd38004c574c3c33fe7a5859700277dc66f5d52184dd1a0d4ecac583909be10fe1f5bce250a86685b588edcea792035b
SSDEEP

196608:GPH+gp1DM9onJ5hrZER9xQ3jo4UR7+AkC2:WpNM9c5hlER9xA2RSA

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
3044	Bios Flash Helper.exe
3044	Bios Flash Helper.exe
3044	Bios Flash Helper.exe
3044	Bios Flash Helper.exe
3044	Bios Flash Helper.exe
3044	Bios Flash Helper.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6768	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6768	vlc.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
6768	vlc.exe
6768	vlc.exe
6768	vlc.exe
6768	vlc.exe
6768	vlc.exe
6768	vlc.exe
6768	vlc.exe
6768	vlc.exe
6768	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
6768	vlc.exe
6768	vlc.exe
6768	vlc.exe
6768	vlc.exe
6768	vlc.exe
6768	vlc.exe
6768	vlc.exe
6768	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6768	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 3044	1504	Bios Flash Helper.exe	85
PID 1504 wrote to memory of 3044	1504	Bios Flash Helper.exe	85
PID 3044 wrote to memory of 1168	3044	Bios Flash Helper.exe	87
PID 3044 wrote to memory of 1168	3044	Bios Flash Helper.exe	87
PID 1168 wrote to memory of 2700	1168	cmd.exe	88
PID 1168 wrote to memory of 2700	1168	cmd.exe	88
PID 3044 wrote to memory of 4768	3044	Bios Flash Helper.exe	90
PID 3044 wrote to memory of 4768	3044	Bios Flash Helper.exe	90
PID 4768 wrote to memory of 2648	4768	cmd.exe	91
PID 4768 wrote to memory of 2648	4768	cmd.exe	91
PID 3044 wrote to memory of 2600	3044	Bios Flash Helper.exe	93
PID 3044 wrote to memory of 2600	3044	Bios Flash Helper.exe	93
PID 2600 wrote to memory of 2020	2600	cmd.exe	94
PID 2600 wrote to memory of 2020	2600	cmd.exe	94
PID 3044 wrote to memory of 1712	3044	Bios Flash Helper.exe	96
PID 3044 wrote to memory of 1712	3044	Bios Flash Helper.exe	96
PID 1712 wrote to memory of 1924	1712	cmd.exe	98
PID 1712 wrote to memory of 1924	1712	cmd.exe	98
PID 3044 wrote to memory of 3168	3044	Bios Flash Helper.exe	100
PID 3044 wrote to memory of 3168	3044	Bios Flash Helper.exe	100
PID 3168 wrote to memory of 4652	3168	cmd.exe	101
PID 3168 wrote to memory of 4652	3168	cmd.exe	101
PID 3044 wrote to memory of 3456	3044	Bios Flash Helper.exe	103
PID 3044 wrote to memory of 3456	3044	Bios Flash Helper.exe	103
PID 3456 wrote to memory of 2744	3456	cmd.exe	104
PID 3456 wrote to memory of 2744	3456	cmd.exe	104
PID 3044 wrote to memory of 452	3044	Bios Flash Helper.exe	106
PID 3044 wrote to memory of 452	3044	Bios Flash Helper.exe	106
PID 452 wrote to memory of 840	452	cmd.exe	107
PID 452 wrote to memory of 840	452	cmd.exe	107
PID 3044 wrote to memory of 5052	3044	Bios Flash Helper.exe	109
PID 3044 wrote to memory of 5052	3044	Bios Flash Helper.exe	109
PID 5052 wrote to memory of 3216	5052	cmd.exe	110
PID 5052 wrote to memory of 3216	5052	cmd.exe	110
PID 3044 wrote to memory of 848	3044	Bios Flash Helper.exe	112
PID 3044 wrote to memory of 848	3044	Bios Flash Helper.exe	112
PID 848 wrote to memory of 3464	848	cmd.exe	113
PID 848 wrote to memory of 3464	848	cmd.exe	113
PID 3044 wrote to memory of 3744	3044	Bios Flash Helper.exe	115
PID 3044 wrote to memory of 3744	3044	Bios Flash Helper.exe	115
PID 3744 wrote to memory of 5112	3744	cmd.exe	116
PID 3744 wrote to memory of 5112	3744	cmd.exe	116
PID 3044 wrote to memory of 2576	3044	Bios Flash Helper.exe	118
PID 3044 wrote to memory of 2576	3044	Bios Flash Helper.exe	118
PID 2576 wrote to memory of 2880	2576	cmd.exe	119
PID 2576 wrote to memory of 2880	2576	cmd.exe	119
PID 3044 wrote to memory of 4920	3044	Bios Flash Helper.exe	121
PID 3044 wrote to memory of 4920	3044	Bios Flash Helper.exe	121
PID 4920 wrote to memory of 2392	4920	cmd.exe	122
PID 4920 wrote to memory of 2392	4920	cmd.exe	122
PID 3044 wrote to memory of 3692	3044	Bios Flash Helper.exe	212
PID 3044 wrote to memory of 3692	3044	Bios Flash Helper.exe	212
PID 3692 wrote to memory of 4456	3692	cmd.exe	125
PID 3692 wrote to memory of 4456	3692	cmd.exe	125
PID 3044 wrote to memory of 2540	3044	Bios Flash Helper.exe	127
PID 3044 wrote to memory of 2540	3044	Bios Flash Helper.exe	127
PID 2540 wrote to memory of 4300	2540	cmd.exe	128
PID 2540 wrote to memory of 4300	2540	cmd.exe	128
PID 3044 wrote to memory of 3656	3044	Bios Flash Helper.exe	193
PID 3044 wrote to memory of 3656	3044	Bios Flash Helper.exe	193
PID 3656 wrote to memory of 1788	3656	cmd.exe	131
PID 3656 wrote to memory of 1788	3656	cmd.exe	131
PID 3044 wrote to memory of 1200	3044	Bios Flash Helper.exe	133
PID 3044 wrote to memory of 1200	3044	Bios Flash Helper.exe	133

C:\Users\Admin\AppData\Local\Temp\Bios Flash Helper.exe
"C:\Users\Admin\AppData\Local\Temp\Bios Flash Helper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\Bios Flash Helper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bios Flash Helper.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:1924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:1200
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:4304
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:3748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:1648
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:816
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:1272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:4536
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:456
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:3112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:1828
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:3472
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:2336
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:1732
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:1268
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:4820
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:3512
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:4140
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:3852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:1684
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:244
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:2300
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:1604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:452
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:1412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:4556
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:1784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:4644
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4956
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:1912
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:4660
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:988
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:1732
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:3544
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:4324
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:3692
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:3408
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2540
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5132
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5188
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5236
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5308
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5368
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5432
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5484
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5540
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5608
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5644
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5720
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5776
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5836
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5888
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5956
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6004
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6068
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6132
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5212
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5420
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5564
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5640
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5720
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5964
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6096
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6132
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5624
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5240
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:5744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6180
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6232
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6292
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6348
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6416
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6472
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6532
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6592
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6636
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6716
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6776
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6824
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6880
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6952
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:7012
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:7056
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:7120
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:5240
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6360
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6572
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6720
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6904
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6968
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:7060
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6396
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:6236
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:7196
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:7256
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:7304
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:7364
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:7424
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start
    3⤵
    PID:7476
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:7500

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RemoveDismount.m4a"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI15042\VCRUNTIME140.dll

Filesize
91KB

MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15042\_ctypes.pyd

Filesize
123KB

MD5
b74f6285a790ffd7e9ec26e3ab4ca8df

SHA1
7e023c1e4f12e8e577e46da756657fd2db80b5e8

SHA256
c1e3e9548243ca523f1941990477723f57a1052965fccc8f10c2cfae414a6b8a

SHA512
3a700638959cbd88e8a36291af954c7ccf00f6101287fc8bd3221ee31bd91b7bd1830c7847d8c2f4f07c94bc233be32a466b915283d3d2c66abed2c70570c299

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15042\_socket.pyd

Filesize
78KB

MD5
0df2287791c20a764e6641029a882f09

SHA1
8a0aeb4b4d8410d837469339244997c745c9640c

SHA256
09ab789238120df329956278f68a683210692c9bcccb8cd548c771e7f9711869

SHA512
60c24e38ba5d87f9456157e3f4501f4ffabce263105ff07aa611b2f35c3269ade458dbf857633c73c65660e0c37aee884b1c844b51a05ced6aed0c5d500006de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15042\base_library.zip

Filesize
767KB

MD5
7ece4ca42658ba2a669af5ba31c127f1

SHA1
eec81105b210e4a2cf576c7438647d5df2aa6169

SHA256
5dcbab6e1b53994dc71aa9b91f16d686387ba3b63c3e6acdf0b6bdf611271986

SHA512
818d550ee80d02a928a849383f588ba3f4e8031a5e0f46eabc075cfc8b5833c802740e48a055bab700a7961059fe53eddb487b2f306333f0c9e89a53d6a0f110

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15042\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15042\python39.dll

Filesize
4.2MB

MD5
c4b75218b11808db4a04255574b2eb33

SHA1
f4a3497fb6972037fb271cfdc5b404a4b28ccf07

SHA256
53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2

SHA512
0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15042\select.pyd

Filesize
27KB

MD5
a2a4cf664570944ccc691acf47076eeb

SHA1
918a953817fff228dbd0bdf784ed6510314f4dd9

SHA256
b26b6631d433af5d63b8e7cda221b578e7236c8b34b3cffcf7630f2e83fc8434

SHA512
d022da9e2606c5c3875c21ba8e1132ad8b830411d6ec9c4ddf8ebd33798c44a7e9fe64793b8efb72f3e220bb5ce1512769a0398ecc109f53f394ea47da7a8767

Download Submit
memory/6768-68-0x00007FF8790B0000-0x00007FF8790E4000-memory.dmp

Filesize
208KB

Download
memory/6768-67-0x00007FF6FA640000-0x00007FF6FA738000-memory.dmp

Filesize
992KB

Download
memory/6768-69-0x00007FF864BC0000-0x00007FF864E76000-memory.dmp

Filesize
2.7MB

Download
memory/6768-70-0x00007FF862FB0000-0x00007FF864060000-memory.dmp

Filesize
16.7MB

Download