536b5f8fb36ee7fbcef6c1293c8bf1b17d1645aa845a7ac2cccdbe9fd16c99d8

Analysis

max time kernel
36s
max time network
119s
platform
windows10_x64
resource
win10v20201028
submitted
30-12-2020 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16x.bin.exe
Size

4.4MB
MD5

3e05cdc35f300de783fcb3dcd71e4970
SHA1

abfc51fe7bc93d12d0d163b1f7fecae0a6a8e52e
SHA256

adc220109f73acdd307036a6d14bffa68103a48e2305c3a4f1533aab74d9deb8
SHA512

fff156d64fcd720d2d27b3e53dccb9fb817775b11b04eae44e41bb266112f3655ced03ef3e6037748155bdd02b6d749eda778e92eb66a9362546513c48ce4775

Score

9^/10

evasion spyware

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

16x.bin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	16x.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	16x.bin.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

16x.bin.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine 16x.bin.exe
Loads dropped DLL 1 IoCs

Processes:

16x.bin.exe

pid process

3932 16x.bin.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Wine	16x.bin.exe

pid	process
3932	16x.bin.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\libeay32.dll	js

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

16x.bin.exe

pid process

3932 16x.bin.exe
3932 16x.bin.exe
3932 16x.bin.exe
3932 16x.bin.exe
3932 16x.bin.exe
3932 16x.bin.exe
3932 16x.bin.exe
3932 16x.bin.exe

pid	process
3932	16x.bin.exe
3932	16x.bin.exe
3932	16x.bin.exe
3932	16x.bin.exe
3932	16x.bin.exe
3932	16x.bin.exe
3932	16x.bin.exe
3932	16x.bin.exe

Suspicious use of AdjustPrivilegeToken 292 IoCs

Processes:

16x.bin.exe

description	pid	process
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe
Token: 33	3932	16x.bin.exe
Token: SeIncBasePriorityPrivilege	3932	16x.bin.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

16x.bin.exe

pid process

3932 16x.bin.exe
3932 16x.bin.exe

pid	process
3932	16x.bin.exe
3932	16x.bin.exe

Suspicious use of WriteProcessMemory 831 IoCs

Processes:

16x.bin.exe

description	pid	process	target process
PID 3932 wrote to memory of 1440	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 1440	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 1440	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2424	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2424	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2424	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3424	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3424	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3424	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3180	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3180	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3180	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 1544	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 1544	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 1544	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3736	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3736	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3736	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3224	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3224	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3224	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2152	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2152	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2152	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3644	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3644	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3644	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 512	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 512	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 512	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 800	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 800	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 800	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 1192	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 1192	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 1192	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3836	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3836	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3836	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 1028	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 1028	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 1028	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2848	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2848	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2848	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2460	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2460	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2460	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2468	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2468	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2468	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2404	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2404	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 2404	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3344	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3344	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3344	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3876	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3876	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3876	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 4016	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 4016	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 4016	3932	16x.bin.exe	cmd.exe
PID 3932 wrote to memory of 3808	3932	16x.bin.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\16x.bin.exe
"C:\Users\Admin\AppData\Local\Temp\16x.bin.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4108

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\libeay32.dll
MD5
e5e521468e2a9f9b314e06e29116b5a9

SHA1
4044a4efd7998e8c4245e632b18056b089f0aa53

SHA256
19b4d189a73b79a73c2ddd678ed5ff7357d92494cf76a21372a58e3dce075d50

SHA512
71b7fca9d2bf361daaa69f3855e49f635183b6a2c6fa7f82376c7e565694d14859adb649cdf8d12b6b6749f4777948d9164a2a8580143171f2970ce8b28f3a41

Download Submit
memory/188-87-0x0000000000000000-mapping.dmp

Download
memory/204-64-0x0000000000000000-mapping.dmp

Download
memory/488-230-0x0000000000000000-mapping.dmp

Download
memory/492-229-0x0000000000000000-mapping.dmp

Download
memory/512-18-0x0000000000000000-mapping.dmp

Download
memory/612-88-0x0000000000000000-mapping.dmp

Download
memory/720-56-0x0000000000000000-mapping.dmp

Download
memory/800-19-0x0000000000000000-mapping.dmp

Download
memory/1004-217-0x0000000000000000-mapping.dmp

Download
memory/1028-22-0x0000000000000000-mapping.dmp

Download
memory/1044-78-0x0000000000000000-mapping.dmp

Download
memory/1064-169-0x0000000000000000-mapping.dmp

Download
memory/1100-93-0x0000000000000000-mapping.dmp

Download
memory/1112-50-0x0000000000000000-mapping.dmp

Download
memory/1116-84-0x0000000000000000-mapping.dmp

Download
memory/1144-86-0x0000000000000000-mapping.dmp

Download
memory/1180-65-0x0000000000000000-mapping.dmp

Download
memory/1192-20-0x0000000000000000-mapping.dmp

Download
memory/1372-257-0x0000000000000000-mapping.dmp

Download
memory/1432-75-0x0000000000000000-mapping.dmp

Download
memory/1440-9-0x0000000000000000-mapping.dmp

Download
memory/1444-90-0x0000000000000000-mapping.dmp

Download
memory/1452-81-0x0000000000000000-mapping.dmp

Download
memory/1492-39-0x0000000000000000-mapping.dmp

Download
memory/1544-13-0x0000000000000000-mapping.dmp

Download
memory/1552-82-0x0000000000000000-mapping.dmp

Download
memory/1556-35-0x0000000000000000-mapping.dmp

Download
memory/1784-239-0x0000000000000000-mapping.dmp

Download
memory/1840-57-0x0000000000000000-mapping.dmp

Download
memory/2056-258-0x0000000000000000-mapping.dmp

Download
memory/2060-85-0x0000000000000000-mapping.dmp

Download
memory/2068-92-0x0000000000000000-mapping.dmp

Download
memory/2084-223-0x0000000000000000-mapping.dmp

Download
memory/2092-176-0x0000000000000000-mapping.dmp

Download
memory/2104-238-0x0000000000000000-mapping.dmp

Download
memory/2112-274-0x0000000000000000-mapping.dmp

Download
memory/2116-38-0x0000000000000000-mapping.dmp

Download
memory/2136-211-0x0000000000000000-mapping.dmp

Download
memory/2152-16-0x0000000000000000-mapping.dmp

Download
memory/2188-43-0x0000000000000000-mapping.dmp

Download
memory/2240-46-0x0000000000000000-mapping.dmp

Download
memory/2404-26-0x0000000000000000-mapping.dmp

Download
memory/2408-66-0x0000000000000000-mapping.dmp

Download
memory/2412-72-0x0000000000000000-mapping.dmp

Download
memory/2424-10-0x0000000000000000-mapping.dmp

Download
memory/2436-44-0x0000000000000000-mapping.dmp

Download
memory/2440-55-0x0000000000000000-mapping.dmp

Download
memory/2460-24-0x0000000000000000-mapping.dmp

Download
memory/2468-25-0x0000000000000000-mapping.dmp

Download
memory/2472-62-0x0000000000000000-mapping.dmp

Download
memory/2480-70-0x0000000000000000-mapping.dmp

Download
memory/2484-45-0x0000000000000000-mapping.dmp

Download
memory/2488-60-0x0000000000000000-mapping.dmp

Download
memory/2516-67-0x0000000000000000-mapping.dmp

Download
memory/2532-73-0x0000000000000000-mapping.dmp

Download
memory/2544-31-0x0000000000000000-mapping.dmp

Download
memory/2572-224-0x0000000000000000-mapping.dmp

Download
memory/2608-49-0x0000000000000000-mapping.dmp

Download
memory/2720-48-0x0000000000000000-mapping.dmp

Download
memory/2728-83-0x0000000000000000-mapping.dmp

Download
memory/2748-241-0x0000000000000000-mapping.dmp

Download
memory/2820-40-0x0000000000000000-mapping.dmp

Download
memory/2848-23-0x0000000000000000-mapping.dmp

Download
memory/2856-54-0x0000000000000000-mapping.dmp

Download
memory/2900-74-0x0000000000000000-mapping.dmp

Download
memory/2964-52-0x0000000000000000-mapping.dmp

Download
memory/3180-12-0x0000000000000000-mapping.dmp

Download
memory/3188-168-0x0000000000000000-mapping.dmp

Download
memory/3192-91-0x0000000000000000-mapping.dmp

Download
memory/3208-37-0x0000000000000000-mapping.dmp

Download
memory/3224-15-0x0000000000000000-mapping.dmp

Download
memory/3344-27-0x0000000000000000-mapping.dmp

Download
memory/3424-11-0x0000000000000000-mapping.dmp

Download
memory/3476-47-0x0000000000000000-mapping.dmp

Download
memory/3492-167-0x0000000000000000-mapping.dmp

Download
memory/3532-94-0x0000000000000000-mapping.dmp

Download
memory/3540-77-0x0000000000000000-mapping.dmp

Download
memory/3548-51-0x0000000000000000-mapping.dmp

Download
memory/3556-68-0x0000000000000000-mapping.dmp

Download
memory/3644-17-0x0000000000000000-mapping.dmp

Download
memory/3688-59-0x0000000000000000-mapping.dmp

Download
memory/3736-14-0x0000000000000000-mapping.dmp

Download
memory/3764-32-0x0000000000000000-mapping.dmp

Download
memory/3808-30-0x0000000000000000-mapping.dmp

Download
memory/3812-79-0x0000000000000000-mapping.dmp

Download
memory/3820-53-0x0000000000000000-mapping.dmp

Download
memory/3824-42-0x0000000000000000-mapping.dmp

Download
memory/3828-41-0x0000000000000000-mapping.dmp

Download
memory/3832-71-0x0000000000000000-mapping.dmp

Download
memory/3836-21-0x0000000000000000-mapping.dmp

Download
memory/3876-28-0x0000000000000000-mapping.dmp

Download
memory/3880-58-0x0000000000000000-mapping.dmp

Download
memory/3884-89-0x0000000000000000-mapping.dmp

Download
memory/3908-95-0x0000000000000000-mapping.dmp

Download
memory/3924-36-0x0000000000000000-mapping.dmp

Download
memory/3932-2-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/3932-3-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/3932-5-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/3932-4-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/3932-8-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/3932-7-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/3948-76-0x0000000000000000-mapping.dmp

Download
memory/3956-61-0x0000000000000000-mapping.dmp

Download
memory/3968-63-0x0000000000000000-mapping.dmp

Download
memory/4012-69-0x0000000000000000-mapping.dmp

Download
memory/4016-29-0x0000000000000000-mapping.dmp

Download
memory/4020-80-0x0000000000000000-mapping.dmp

Download
memory/4044-240-0x0000000000000000-mapping.dmp

Download
memory/4048-275-0x0000000000000000-mapping.dmp

Download
memory/4056-34-0x0000000000000000-mapping.dmp

Download
memory/4064-33-0x0000000000000000-mapping.dmp

Download
memory/4100-284-0x0000000000000000-mapping.dmp

Download
memory/4104-96-0x0000000000000000-mapping.dmp

Download
memory/4108-285-0x0000000000000000-mapping.dmp

Download
memory/4112-160-0x0000000000000000-mapping.dmp

Download
memory/4120-97-0x0000000000000000-mapping.dmp

Download
memory/4124-254-0x0000000000000000-mapping.dmp

Download
memory/4132-161-0x0000000000000000-mapping.dmp

Download
memory/4136-98-0x0000000000000000-mapping.dmp

Download
memory/4140-162-0x0000000000000000-mapping.dmp

Download
memory/4144-212-0x0000000000000000-mapping.dmp

Download
memory/4152-99-0x0000000000000000-mapping.dmp

Download
memory/4156-213-0x0000000000000000-mapping.dmp

Download
memory/4168-100-0x0000000000000000-mapping.dmp

Download
memory/4176-163-0x0000000000000000-mapping.dmp

Download
memory/4180-255-0x0000000000000000-mapping.dmp

Download
memory/4184-101-0x0000000000000000-mapping.dmp

Download
memory/4192-214-0x0000000000000000-mapping.dmp

Download
memory/4196-164-0x0000000000000000-mapping.dmp

Download
memory/4200-102-0x0000000000000000-mapping.dmp

Download
memory/4204-165-0x0000000000000000-mapping.dmp

Download
memory/4208-256-0x0000000000000000-mapping.dmp

Download
memory/4216-103-0x0000000000000000-mapping.dmp

Download
memory/4228-215-0x0000000000000000-mapping.dmp

Download
memory/4232-104-0x0000000000000000-mapping.dmp

Download
memory/4240-166-0x0000000000000000-mapping.dmp

Download
memory/4248-105-0x0000000000000000-mapping.dmp

Download
memory/4252-259-0x0000000000000000-mapping.dmp

Download
memory/4256-216-0x0000000000000000-mapping.dmp

Download
memory/4260-218-0x0000000000000000-mapping.dmp

Download
memory/4264-106-0x0000000000000000-mapping.dmp

Download
memory/4272-170-0x0000000000000000-mapping.dmp

Download
memory/4280-107-0x0000000000000000-mapping.dmp

Download
memory/4288-219-0x0000000000000000-mapping.dmp

Download
memory/4292-171-0x0000000000000000-mapping.dmp

Download
memory/4296-108-0x0000000000000000-mapping.dmp

Download
memory/4300-172-0x0000000000000000-mapping.dmp

Download
memory/4308-220-0x0000000000000000-mapping.dmp

Download
memory/4312-109-0x0000000000000000-mapping.dmp

Download
memory/4320-221-0x0000000000000000-mapping.dmp

Download
memory/4324-260-0x0000000000000000-mapping.dmp

Download
memory/4328-110-0x0000000000000000-mapping.dmp

Download
memory/4336-173-0x0000000000000000-mapping.dmp

Download
memory/4340-261-0x0000000000000000-mapping.dmp

Download
memory/4344-111-0x0000000000000000-mapping.dmp

Download
memory/4356-174-0x0000000000000000-mapping.dmp

Download
memory/4360-112-0x0000000000000000-mapping.dmp

Download
memory/4364-175-0x0000000000000000-mapping.dmp

Download
memory/4368-222-0x0000000000000000-mapping.dmp

Download
memory/4372-262-0x0000000000000000-mapping.dmp

Download
memory/4380-113-0x0000000000000000-mapping.dmp

Download
memory/4388-177-0x0000000000000000-mapping.dmp

Download
memory/4396-114-0x0000000000000000-mapping.dmp

Download
memory/4404-263-0x0000000000000000-mapping.dmp

Download
memory/4408-178-0x0000000000000000-mapping.dmp

Download
memory/4412-115-0x0000000000000000-mapping.dmp

Download
memory/4416-179-0x0000000000000000-mapping.dmp

Download
memory/4420-225-0x0000000000000000-mapping.dmp

Download
memory/4428-116-0x0000000000000000-mapping.dmp

Download
memory/4432-265-0x0000000000000000-mapping.dmp

Download
memory/4436-226-0x0000000000000000-mapping.dmp

Download
memory/4440-264-0x0000000000000000-mapping.dmp

Download
memory/4444-117-0x0000000000000000-mapping.dmp

Download
memory/4456-180-0x0000000000000000-mapping.dmp

Download
memory/4460-118-0x0000000000000000-mapping.dmp

Download
memory/4472-227-0x0000000000000000-mapping.dmp

Download
memory/4476-119-0x0000000000000000-mapping.dmp

Download
memory/4484-181-0x0000000000000000-mapping.dmp

Download
memory/4488-228-0x0000000000000000-mapping.dmp

Download
memory/4492-120-0x0000000000000000-mapping.dmp

Download
memory/4508-121-0x0000000000000000-mapping.dmp

Download
memory/4516-182-0x0000000000000000-mapping.dmp

Download
memory/4524-122-0x0000000000000000-mapping.dmp

Download
memory/4528-267-0x0000000000000000-mapping.dmp

Download
memory/4532-266-0x0000000000000000-mapping.dmp

Download
memory/4536-183-0x0000000000000000-mapping.dmp

Download
memory/4540-123-0x0000000000000000-mapping.dmp

Download
memory/4544-184-0x0000000000000000-mapping.dmp

Download
memory/4556-124-0x0000000000000000-mapping.dmp

Download
memory/4568-268-0x0000000000000000-mapping.dmp

Download
memory/4572-125-0x0000000000000000-mapping.dmp

Download
memory/4576-231-0x0000000000000000-mapping.dmp

Download
memory/4580-185-0x0000000000000000-mapping.dmp

Download
memory/4588-126-0x0000000000000000-mapping.dmp

Download
memory/4600-186-0x0000000000000000-mapping.dmp

Download
memory/4604-127-0x0000000000000000-mapping.dmp

Download
memory/4608-187-0x0000000000000000-mapping.dmp

Download
memory/4616-232-0x0000000000000000-mapping.dmp

Download
memory/4620-128-0x0000000000000000-mapping.dmp

Download
memory/4628-233-0x0000000000000000-mapping.dmp

Download
memory/4632-269-0x0000000000000000-mapping.dmp

Download
memory/4636-129-0x0000000000000000-mapping.dmp

Download
memory/4644-188-0x0000000000000000-mapping.dmp

Download
memory/4648-270-0x0000000000000000-mapping.dmp

Download
memory/4652-130-0x0000000000000000-mapping.dmp

Download
memory/4664-189-0x0000000000000000-mapping.dmp

Download
memory/4668-131-0x0000000000000000-mapping.dmp

Download
memory/4672-190-0x0000000000000000-mapping.dmp

Download
memory/4676-234-0x0000000000000000-mapping.dmp

Download
memory/4680-271-0x0000000000000000-mapping.dmp

Download
memory/4684-132-0x0000000000000000-mapping.dmp

Download
memory/4688-235-0x0000000000000000-mapping.dmp

Download
memory/4700-133-0x0000000000000000-mapping.dmp

Download
memory/4708-191-0x0000000000000000-mapping.dmp

Download
memory/4712-236-0x0000000000000000-mapping.dmp

Download
memory/4716-134-0x0000000000000000-mapping.dmp

Download
memory/4728-192-0x0000000000000000-mapping.dmp

Download
memory/4732-135-0x0000000000000000-mapping.dmp

Download
memory/4736-193-0x0000000000000000-mapping.dmp

Download
memory/4744-272-0x0000000000000000-mapping.dmp

Download
memory/4748-136-0x0000000000000000-mapping.dmp

Download
memory/4760-237-0x0000000000000000-mapping.dmp

Download
memory/4764-137-0x0000000000000000-mapping.dmp

Download
memory/4768-273-0x0000000000000000-mapping.dmp

Download
memory/4772-194-0x0000000000000000-mapping.dmp

Download
memory/4780-138-0x0000000000000000-mapping.dmp

Download
memory/4784-276-0x0000000000000000-mapping.dmp

Download
memory/4792-195-0x0000000000000000-mapping.dmp

Download
memory/4796-139-0x0000000000000000-mapping.dmp

Download
memory/4800-196-0x0000000000000000-mapping.dmp

Download
memory/4812-140-0x0000000000000000-mapping.dmp

Download
memory/4816-277-0x0000000000000000-mapping.dmp

Download
memory/4824-242-0x0000000000000000-mapping.dmp

Download
memory/4828-141-0x0000000000000000-mapping.dmp

Download
memory/4836-197-0x0000000000000000-mapping.dmp

Download
memory/4844-142-0x0000000000000000-mapping.dmp

Download
memory/4848-244-0x0000000000000000-mapping.dmp

Download
memory/4852-243-0x0000000000000000-mapping.dmp

Download
memory/4856-198-0x0000000000000000-mapping.dmp

Download
memory/4860-143-0x0000000000000000-mapping.dmp

Download
memory/4864-199-0x0000000000000000-mapping.dmp

Download
memory/4876-144-0x0000000000000000-mapping.dmp

Download
memory/4880-278-0x0000000000000000-mapping.dmp

Download
memory/4892-145-0x0000000000000000-mapping.dmp

Download
memory/4896-245-0x0000000000000000-mapping.dmp

Download
memory/4900-200-0x0000000000000000-mapping.dmp

Download
memory/4908-146-0x0000000000000000-mapping.dmp

Download
memory/4912-280-0x0000000000000000-mapping.dmp

Download
memory/4920-201-0x0000000000000000-mapping.dmp

Download
memory/4924-147-0x0000000000000000-mapping.dmp

Download
memory/4928-202-0x0000000000000000-mapping.dmp

Download
memory/4932-279-0x0000000000000000-mapping.dmp

Download
memory/4936-246-0x0000000000000000-mapping.dmp

Download
memory/4940-148-0x0000000000000000-mapping.dmp

Download
memory/4948-247-0x0000000000000000-mapping.dmp

Download
memory/4956-149-0x0000000000000000-mapping.dmp

Download
memory/4964-203-0x0000000000000000-mapping.dmp

Download
memory/4972-150-0x0000000000000000-mapping.dmp

Download
memory/4976-281-0x0000000000000000-mapping.dmp

Download
memory/4984-204-0x0000000000000000-mapping.dmp

Download
memory/4988-151-0x0000000000000000-mapping.dmp

Download
memory/4992-205-0x0000000000000000-mapping.dmp

Download
memory/4996-248-0x0000000000000000-mapping.dmp

Download
memory/5004-152-0x0000000000000000-mapping.dmp

Download
memory/5008-249-0x0000000000000000-mapping.dmp

Download
memory/5020-153-0x0000000000000000-mapping.dmp

Download
memory/5028-206-0x0000000000000000-mapping.dmp

Download
memory/5032-250-0x0000000000000000-mapping.dmp

Download
memory/5036-154-0x0000000000000000-mapping.dmp

Download
memory/5044-282-0x0000000000000000-mapping.dmp

Download
memory/5048-207-0x0000000000000000-mapping.dmp

Download
memory/5052-155-0x0000000000000000-mapping.dmp

Download
memory/5056-208-0x0000000000000000-mapping.dmp

Download
memory/5060-283-0x0000000000000000-mapping.dmp

Download
memory/5068-156-0x0000000000000000-mapping.dmp

Download
memory/5080-251-0x0000000000000000-mapping.dmp

Download
memory/5084-157-0x0000000000000000-mapping.dmp

Download
memory/5092-209-0x0000000000000000-mapping.dmp

Download
memory/5100-158-0x0000000000000000-mapping.dmp

Download
memory/5104-253-0x0000000000000000-mapping.dmp

Download
memory/5108-252-0x0000000000000000-mapping.dmp

Download
memory/5112-210-0x0000000000000000-mapping.dmp

Download
memory/5116-159-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads