d407b05c01f4fa48b2fed39737c3850961e2df38e4e76e1af6482770bc77a1de

Analysis

max time kernel
151s
max time network
124s
platform
windows10_x64
resource
win10v20210408
submitted
05-05-2021 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fa02afd_by_Libranalysis.exe
Size

622KB
MD5

4fa02afd5bbc31e0885d4581d151c26c
SHA1

c7ef6fddc1b48820b54cf1b47fc0822ad01bcefe
SHA256

d407b05c01f4fa48b2fed39737c3850961e2df38e4e76e1af6482770bc77a1de
SHA512

8e79a723894cc7c9c22c29b2f222dad56a24b26ec8d34ca74b0cb05361a1ee2d12b5aea1037552e87ada5c456600457c17361dbe5a4e700e304d735e8a349d3f

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

4fa02afd_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\hqEwkwoA\\rQMcgowY.exe,"	4fa02afd_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\hqEwkwoA\\rQMcgowY.exe,"	4fa02afd_by_Libranalysis.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

NiAcwAIU.exerQMcgowY.exefMoAUkUI.exe

pid process

3184 NiAcwAIU.exe
1868 rQMcgowY.exe
424 fMoAUkUI.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NiAcwAIU.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	NiAcwAIU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fMoAUkUI.exe4fa02afd_by_Libranalysis.exeNiAcwAIU.exerQMcgowY.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rQMcgowY.exe = "C:\\ProgramData\\hqEwkwoA\\rQMcgowY.exe"	fMoAUkUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\NiAcwAIU.exe = "C:\\Users\\Admin\\AwoccMoc\\NiAcwAIU.exe"	4fa02afd_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rQMcgowY.exe = "C:\\ProgramData\\hqEwkwoA\\rQMcgowY.exe"	4fa02afd_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\NiAcwAIU.exe = "C:\\Users\\Admin\\AwoccMoc\\NiAcwAIU.exe"	NiAcwAIU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rQMcgowY.exe = "C:\\ProgramData\\hqEwkwoA\\rQMcgowY.exe"	rQMcgowY.exe

Drops file in System32 directory 4 IoCs

Processes:

fMoAUkUI.exeNiAcwAIU.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AwoccMoc	fMoAUkUI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AwoccMoc\NiAcwAIU	fMoAUkUI.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	NiAcwAIU.exe
File opened for modification	C:\Windows\SysWOW64\sheRenameExpand.docm	NiAcwAIU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4200	reg.exe
4744	reg.exe
1016	reg.exe
3812	reg.exe
4588	reg.exe
4972	reg.exe
4460	reg.exe
3820	reg.exe
4820	reg.exe
4424	reg.exe
4468	reg.exe
5068	reg.exe
4580	reg.exe
4204	reg.exe
4464	reg.exe
4820	reg.exe
4380	reg.exe
4516	reg.exe
4804	reg.exe
2300	reg.exe
4516	reg.exe
5084	reg.exe
3812	reg.exe
4364	reg.exe
4528	reg.exe
4816	reg.exe
4488	reg.exe
4248	reg.exe
4840	reg.exe
736	reg.exe
1872	reg.exe
196	reg.exe
4276	reg.exe
5076	reg.exe
4576	reg.exe
2216	reg.exe
4496	reg.exe
2948	reg.exe
4396	reg.exe
500	reg.exe
3648	reg.exe
1472	reg.exe
2000	reg.exe
2628	reg.exe
936	reg.exe
3700	reg.exe
3708	reg.exe
4664	reg.exe
1536	reg.exe
4972	reg.exe
412	reg.exe
4144	reg.exe
1212	reg.exe
4832	reg.exe
4068	reg.exe
2628	reg.exe
4412	reg.exe
4484	reg.exe
3796	reg.exe
416	reg.exe
2128	reg.exe
652	reg.exe
2808	reg.exe
4504	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe4fa02afd_by_Libranalysis.exe

pid	process
1000	4fa02afd_by_Libranalysis.exe
1000	4fa02afd_by_Libranalysis.exe
1000	4fa02afd_by_Libranalysis.exe
1000	4fa02afd_by_Libranalysis.exe
2200	4fa02afd_by_Libranalysis.exe
2200	4fa02afd_by_Libranalysis.exe
2200	4fa02afd_by_Libranalysis.exe
2200	4fa02afd_by_Libranalysis.exe
1472	4fa02afd_by_Libranalysis.exe
1472	4fa02afd_by_Libranalysis.exe
1472	4fa02afd_by_Libranalysis.exe
1472	4fa02afd_by_Libranalysis.exe
2152	4fa02afd_by_Libranalysis.exe
2152	4fa02afd_by_Libranalysis.exe
2152	4fa02afd_by_Libranalysis.exe
2152	4fa02afd_by_Libranalysis.exe
2704	4fa02afd_by_Libranalysis.exe
2704	4fa02afd_by_Libranalysis.exe
2704	4fa02afd_by_Libranalysis.exe
2704	4fa02afd_by_Libranalysis.exe
4072	4fa02afd_by_Libranalysis.exe
4072	4fa02afd_by_Libranalysis.exe
4072	4fa02afd_by_Libranalysis.exe
4072	4fa02afd_by_Libranalysis.exe
2148	4fa02afd_by_Libranalysis.exe
2148	4fa02afd_by_Libranalysis.exe
2148	4fa02afd_by_Libranalysis.exe
2148	4fa02afd_by_Libranalysis.exe
4400	4fa02afd_by_Libranalysis.exe
4400	4fa02afd_by_Libranalysis.exe
4400	4fa02afd_by_Libranalysis.exe
4400	4fa02afd_by_Libranalysis.exe
4696	4fa02afd_by_Libranalysis.exe
4696	4fa02afd_by_Libranalysis.exe
4696	4fa02afd_by_Libranalysis.exe
4696	4fa02afd_by_Libranalysis.exe
4800	4fa02afd_by_Libranalysis.exe
4800	4fa02afd_by_Libranalysis.exe
4800	4fa02afd_by_Libranalysis.exe
4800	4fa02afd_by_Libranalysis.exe
5048	4fa02afd_by_Libranalysis.exe
5048	4fa02afd_by_Libranalysis.exe
5048	4fa02afd_by_Libranalysis.exe
5048	4fa02afd_by_Libranalysis.exe
4336	4fa02afd_by_Libranalysis.exe
4336	4fa02afd_by_Libranalysis.exe
4336	4fa02afd_by_Libranalysis.exe
4336	4fa02afd_by_Libranalysis.exe
4572	4fa02afd_by_Libranalysis.exe
4572	4fa02afd_by_Libranalysis.exe
4572	4fa02afd_by_Libranalysis.exe
4572	4fa02afd_by_Libranalysis.exe
3584	4fa02afd_by_Libranalysis.exe
3584	4fa02afd_by_Libranalysis.exe
3584	4fa02afd_by_Libranalysis.exe
3584	4fa02afd_by_Libranalysis.exe
4900	4fa02afd_by_Libranalysis.exe
4900	4fa02afd_by_Libranalysis.exe
4900	4fa02afd_by_Libranalysis.exe
4900	4fa02afd_by_Libranalysis.exe
5100	4fa02afd_by_Libranalysis.exe
5100	4fa02afd_by_Libranalysis.exe
5100	4fa02afd_by_Libranalysis.exe
5100	4fa02afd_by_Libranalysis.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NiAcwAIU.exe

pid process

3184 NiAcwAIU.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

NiAcwAIU.exe

pid	process
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe
3184	NiAcwAIU.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4fa02afd_by_Libranalysis.execmd.exe4fa02afd_by_Libranalysis.execmd.exe4fa02afd_by_Libranalysis.execmd.execmd.exe4fa02afd_by_Libranalysis.execmd.exe

description	pid	process	target process
PID 1000 wrote to memory of 3184	1000	4fa02afd_by_Libranalysis.exe	NiAcwAIU.exe
PID 1000 wrote to memory of 3184	1000	4fa02afd_by_Libranalysis.exe	NiAcwAIU.exe
PID 1000 wrote to memory of 3184	1000	4fa02afd_by_Libranalysis.exe	NiAcwAIU.exe
PID 1000 wrote to memory of 1868	1000	4fa02afd_by_Libranalysis.exe	rQMcgowY.exe
PID 1000 wrote to memory of 1868	1000	4fa02afd_by_Libranalysis.exe	rQMcgowY.exe
PID 1000 wrote to memory of 1868	1000	4fa02afd_by_Libranalysis.exe	rQMcgowY.exe
PID 1000 wrote to memory of 2468	1000	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 1000 wrote to memory of 2468	1000	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 1000 wrote to memory of 2468	1000	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 1000 wrote to memory of 2300	1000	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1000 wrote to memory of 2300	1000	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1000 wrote to memory of 2300	1000	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1000 wrote to memory of 2000	1000	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1000 wrote to memory of 2000	1000	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1000 wrote to memory of 2000	1000	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1000 wrote to memory of 2628	1000	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1000 wrote to memory of 2628	1000	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1000 wrote to memory of 2628	1000	4fa02afd_by_Libranalysis.exe	reg.exe
PID 2468 wrote to memory of 2200	2468	cmd.exe	4fa02afd_by_Libranalysis.exe
PID 2468 wrote to memory of 2200	2468	cmd.exe	4fa02afd_by_Libranalysis.exe
PID 2468 wrote to memory of 2200	2468	cmd.exe	4fa02afd_by_Libranalysis.exe
PID 2200 wrote to memory of 2080	2200	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 2200 wrote to memory of 2080	2200	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 2200 wrote to memory of 2080	2200	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 2080 wrote to memory of 1472	2080	cmd.exe	4fa02afd_by_Libranalysis.exe
PID 2080 wrote to memory of 1472	2080	cmd.exe	4fa02afd_by_Libranalysis.exe
PID 2080 wrote to memory of 1472	2080	cmd.exe	4fa02afd_by_Libranalysis.exe
PID 2200 wrote to memory of 1872	2200	4fa02afd_by_Libranalysis.exe	reg.exe
PID 2200 wrote to memory of 1872	2200	4fa02afd_by_Libranalysis.exe	reg.exe
PID 2200 wrote to memory of 1872	2200	4fa02afd_by_Libranalysis.exe	reg.exe
PID 2200 wrote to memory of 3132	2200	4fa02afd_by_Libranalysis.exe	reg.exe
PID 2200 wrote to memory of 3132	2200	4fa02afd_by_Libranalysis.exe	reg.exe
PID 2200 wrote to memory of 3132	2200	4fa02afd_by_Libranalysis.exe	reg.exe
PID 2200 wrote to memory of 3820	2200	4fa02afd_by_Libranalysis.exe	reg.exe
PID 2200 wrote to memory of 3820	2200	4fa02afd_by_Libranalysis.exe	reg.exe
PID 2200 wrote to memory of 3820	2200	4fa02afd_by_Libranalysis.exe	reg.exe
PID 2200 wrote to memory of 3092	2200	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 2200 wrote to memory of 3092	2200	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 2200 wrote to memory of 3092	2200	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 1472 wrote to memory of 2604	1472	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 1472 wrote to memory of 2604	1472	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 1472 wrote to memory of 2604	1472	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 2604 wrote to memory of 2152	2604	cmd.exe	4fa02afd_by_Libranalysis.exe
PID 2604 wrote to memory of 2152	2604	cmd.exe	4fa02afd_by_Libranalysis.exe
PID 2604 wrote to memory of 2152	2604	cmd.exe	4fa02afd_by_Libranalysis.exe
PID 1472 wrote to memory of 416	1472	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1472 wrote to memory of 416	1472	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1472 wrote to memory of 416	1472	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1472 wrote to memory of 2628	1472	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1472 wrote to memory of 2628	1472	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1472 wrote to memory of 2628	1472	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1472 wrote to memory of 1492	1472	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1472 wrote to memory of 1492	1472	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1472 wrote to memory of 1492	1472	4fa02afd_by_Libranalysis.exe	reg.exe
PID 1472 wrote to memory of 3584	1472	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 1472 wrote to memory of 3584	1472	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 1472 wrote to memory of 3584	1472	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 3092 wrote to memory of 3900	3092	cmd.exe	cscript.exe
PID 3092 wrote to memory of 3900	3092	cmd.exe	cscript.exe
PID 3092 wrote to memory of 3900	3092	cmd.exe	cscript.exe
PID 2152 wrote to memory of 3892	2152	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 2152 wrote to memory of 3892	2152	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 2152 wrote to memory of 3892	2152	4fa02afd_by_Libranalysis.exe	cmd.exe
PID 3584 wrote to memory of 2588	3584	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AwoccMoc\NiAcwAIU.exe
"C:\Users\Admin\AwoccMoc\NiAcwAIU.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3184

C:\ProgramData\hqEwkwoA\rQMcgowY.exe
"C:\ProgramData\hqEwkwoA\rQMcgowY.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
2⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
4⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
6⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
8⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
10⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
12⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
14⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
16⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
18⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
20⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
22⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
24⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
26⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
28⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
30⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
32⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
33⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
34⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
35⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
36⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
37⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
38⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
39⤵
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
40⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
41⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
42⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
43⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
44⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
45⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
46⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
47⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
48⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
49⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
50⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
51⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
52⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
53⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
54⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
55⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
56⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
57⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
58⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
59⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
60⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
61⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
62⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
63⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis"
64⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UoYUUgQo.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
64⤵
PID:4752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- Modifies registry key
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:3820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies registry key
PID:4804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies registry key
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEkMUogs.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
62⤵
PID:4952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- Modifies registry key
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies registry key
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgcowEMY.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
60⤵
PID:4908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCUcMcwo.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
58⤵
PID:4416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- Modifies registry key
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies registry key
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmQIsoEg.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
56⤵
PID:5008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- Modifies registry key
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmAIggcQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
54⤵
PID:4056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies registry key
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- Modifies registry key
PID:4840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEEMUUkY.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
52⤵
PID:4636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSMskwcE.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
50⤵
PID:4608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- Modifies registry key
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
PID:3740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:4264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIUcAMMk.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
48⤵
PID:2692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oockUAIA.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
46⤵
PID:4396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuEcEQAo.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
44⤵
PID:4948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
- Modifies registry key
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies registry key
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NakMsIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
42⤵
PID:2604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies registry key
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsMccwcc.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
40⤵
PID:4960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- Modifies registry key
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies registry key
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hksEgIIk.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
38⤵
PID:3584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- Modifies registry key
PID:3796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:3812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies registry key
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUIoEUsE.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
36⤵
PID:5000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:4112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies registry key
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiUAQgUg.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
34⤵
PID:4388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
- Modifies registry key
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies registry key
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYEggYQk.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
32⤵
PID:4132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
- Modifies registry key
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCgAcYEA.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
30⤵
PID:5004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- Modifies registry key
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:4484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies registry key
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGUQooII.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
28⤵
PID:4756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:4728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swoIcwYY.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
26⤵
PID:4540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- Modifies registry key
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies registry key
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKIEYQws.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
24⤵
PID:4428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- Modifies registry key
PID:4396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:4412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies registry key
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgcYwwYk.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
22⤵
PID:2108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies registry key
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeAcEIQI.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
20⤵
PID:5084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- Modifies registry key
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
- Modifies registry key
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies registry key
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
- Modifies registry key
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SacsgoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
18⤵
PID:4880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
- Modifies registry key
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWocIQEc.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
16⤵
PID:4584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
- Modifies registry key
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:4188

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEIMAAsA.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
14⤵
PID:4252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies registry key
PID:196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- Modifies registry key
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bckscYMs.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
12⤵
PID:3644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies registry key
PID:3700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- Modifies registry key
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOcEAUsY.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
10⤵
PID:200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies registry key
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- Modifies registry key
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEgQMEIM.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
8⤵
PID:3812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies registry key
PID:416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEooYsMY.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
6⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:3132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgIcYkcE.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:3900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies registry key
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWcokIsg.bat" "C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis.exe""
2⤵
PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4604

C:\ProgramData\zgoYMQIs\fMoAUkUI.exe
C:\ProgramData\zgoYMQIs\fMoAUkUI.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hqEwkwoA\rQMcgowY.exe
MD5
5bbdac279786d17375c85dcbe6a24e0f

SHA1
4e9941862af8fbd121d62d9b213eedc42996df97

SHA256
c9b1bf4c2408ff5489c881e413cd43d14d72052ef9fb35bf270554de57eca5be

SHA512
01205f4dc543645b57764eccc1be445cc7887b419ef036ee56d999724dd4723db0aca258601a3a8704ced38c1548a87ffb8a17b9e63ea2a6fbbad290375aec7c

Download Submit
C:\ProgramData\hqEwkwoA\rQMcgowY.exe
MD5
5bbdac279786d17375c85dcbe6a24e0f

SHA1
4e9941862af8fbd121d62d9b213eedc42996df97

SHA256
c9b1bf4c2408ff5489c881e413cd43d14d72052ef9fb35bf270554de57eca5be

SHA512
01205f4dc543645b57764eccc1be445cc7887b419ef036ee56d999724dd4723db0aca258601a3a8704ced38c1548a87ffb8a17b9e63ea2a6fbbad290375aec7c

Download Submit
C:\ProgramData\zgoYMQIs\fMoAUkUI.exe
MD5
74eeb68e452028b0c53f59672131985f

SHA1
c871bfc9c16625ab157098b6c8da3de8a040065f

SHA256
e893309672f92f7a2d458492ea5932bd42040f1efb8755555c8c8dfd125d4a7c

SHA512
d58099df8e3ac4b0658997fcc78f594a803148ee8680d7cfcb028fcb3027bbed32d3b334911319cd3f835da65b2e4a3cfaf3c8d9c484c6a2157ec42c9dcb0fe6

Download Submit
C:\ProgramData\zgoYMQIs\fMoAUkUI.exe
MD5
74eeb68e452028b0c53f59672131985f

SHA1
c871bfc9c16625ab157098b6c8da3de8a040065f

SHA256
e893309672f92f7a2d458492ea5932bd42040f1efb8755555c8c8dfd125d4a7c

SHA512
d58099df8e3ac4b0658997fcc78f594a803148ee8680d7cfcb028fcb3027bbed32d3b334911319cd3f835da65b2e4a3cfaf3c8d9c484c6a2157ec42c9dcb0fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fa02afd_by_Libranalysis
MD5
ad19aeae3b6e4e7255c35b73bf519b49

SHA1
3ee1d901db2ed58d61a1c0da2532ef85562ae3fd

SHA256
e9acba85eeed608d5deb570026d92d5c2904fa621223818a26383f64ddf8bfe8

SHA512
a4c31c2dd8ca1ccfb59c73259f3b0d88fd0f93519f31e091e26748ccdb6e45780b6e2c8d9e0628195ac778480899e8102add43a20577bbf028d24952b24bf541

Download Submit
C:\Users\Admin\AppData\Local\Temp\AeAcEIQI.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEIMAAsA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKIEYQws.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOcEAUsY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JYEggYQk.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgIcYkcE.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUIoEUsE.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SacsgoAQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TsMccwcc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGUQooII.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bckscYMs.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eiUAQgUg.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hCgAcYEA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hksEgIIk.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lWocIQEc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\swoIcwYY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEgQMEIM.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgcYwwYk.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEooYsMY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AwoccMoc\NiAcwAIU.exe
MD5
e8570d2ac48eff2e25099bed2db23ca4

SHA1
ad09014aabaec4361efb030ac64ed3c602aeaecf

SHA256
aa562fa88a67554356c314d45ef91205b30cb1234f28326a47e9fbe47f9ee316

SHA512
3ed9f47739ad045d4f266e47cc36c440d436c27958857336e675d09de2ca40115c89e98c86e276e0467e66c36e011d368b6a4a1350d355220d631289d9b642cb

Download Submit
C:\Users\Admin\AwoccMoc\NiAcwAIU.exe
MD5
e8570d2ac48eff2e25099bed2db23ca4

SHA1
ad09014aabaec4361efb030ac64ed3c602aeaecf

SHA256
aa562fa88a67554356c314d45ef91205b30cb1234f28326a47e9fbe47f9ee316

SHA512
3ed9f47739ad045d4f266e47cc36c440d436c27958857336e675d09de2ca40115c89e98c86e276e0467e66c36e011d368b6a4a1350d355220d631289d9b642cb

Download Submit
memory/196-169-0x0000000000000000-mapping.dmp

Download
memory/200-158-0x0000000000000000-mapping.dmp

Download
memory/416-138-0x0000000000000000-mapping.dmp

Download
memory/652-156-0x0000000000000000-mapping.dmp

Download
memory/792-154-0x0000000000000000-mapping.dmp

Download
memory/936-151-0x0000000000000000-mapping.dmp

Download
memory/1212-172-0x0000000000000000-mapping.dmp

Download
memory/1432-161-0x0000000000000000-mapping.dmp

Download
memory/1472-129-0x0000000000000000-mapping.dmp

Download
memory/1492-140-0x0000000000000000-mapping.dmp

Download
memory/1868-117-0x0000000000000000-mapping.dmp

Download
memory/1872-130-0x0000000000000000-mapping.dmp

Download
memory/2000-124-0x0000000000000000-mapping.dmp

Download
memory/2080-128-0x0000000000000000-mapping.dmp

Download
memory/2128-149-0x0000000000000000-mapping.dmp

Download
memory/2148-168-0x0000000000000000-mapping.dmp

Download
memory/2152-137-0x0000000000000000-mapping.dmp

Download
memory/2200-126-0x0000000000000000-mapping.dmp

Download
memory/2300-123-0x0000000000000000-mapping.dmp

Download
memory/2428-167-0x0000000000000000-mapping.dmp

Download
memory/2468-122-0x0000000000000000-mapping.dmp

Download
memory/2588-147-0x0000000000000000-mapping.dmp

Download
memory/2604-135-0x0000000000000000-mapping.dmp

Download
memory/2628-125-0x0000000000000000-mapping.dmp

Download
memory/2628-139-0x0000000000000000-mapping.dmp

Download
memory/2704-165-0x0000000000000000-mapping.dmp

Download
memory/2704-148-0x0000000000000000-mapping.dmp

Download
memory/2808-157-0x0000000000000000-mapping.dmp

Download
memory/3092-133-0x0000000000000000-mapping.dmp

Download
memory/3132-131-0x0000000000000000-mapping.dmp

Download
memory/3184-114-0x0000000000000000-mapping.dmp

Download
memory/3572-150-0x0000000000000000-mapping.dmp

Download
memory/3584-141-0x0000000000000000-mapping.dmp

Download
memory/3644-173-0x0000000000000000-mapping.dmp

Download
memory/3700-155-0x0000000000000000-mapping.dmp

Download
memory/3708-171-0x0000000000000000-mapping.dmp

Download
memory/3812-152-0x0000000000000000-mapping.dmp

Download
memory/3820-132-0x0000000000000000-mapping.dmp

Download
memory/3892-146-0x0000000000000000-mapping.dmp

Download
memory/3900-144-0x0000000000000000-mapping.dmp

Download
memory/4072-162-0x0000000000000000-mapping.dmp

Download
memory/4108-175-0x0000000000000000-mapping.dmp

Download
memory/4188-176-0x0000000000000000-mapping.dmp

Download
memory/4200-177-0x0000000000000000-mapping.dmp

Download
memory/4220-178-0x0000000000000000-mapping.dmp

Download
memory/4252-179-0x0000000000000000-mapping.dmp

Download
memory/4380-181-0x0000000000000000-mapping.dmp

Download
memory/4400-182-0x0000000000000000-mapping.dmp

Download
memory/4440-185-0x0000000000000000-mapping.dmp

Download
memory/4484-188-0x0000000000000000-mapping.dmp

Download
memory/4516-189-0x0000000000000000-mapping.dmp

Download
memory/4528-190-0x0000000000000000-mapping.dmp

Download
memory/4548-191-0x0000000000000000-mapping.dmp

Download
memory/4584-192-0x0000000000000000-mapping.dmp

Download
memory/4696-193-0x0000000000000000-mapping.dmp

Download
memory/4724-195-0x0000000000000000-mapping.dmp

Download
memory/4764-198-0x0000000000000000-mapping.dmp

Download
memory/4800-199-0x0000000000000000-mapping.dmp

Download
memory/4820-200-0x0000000000000000-mapping.dmp

Download
memory/4832-201-0x0000000000000000-mapping.dmp

Download
memory/4852-202-0x0000000000000000-mapping.dmp

Download
memory/4880-203-0x0000000000000000-mapping.dmp

Download
memory/5012-206-0x0000000000000000-mapping.dmp

Download
memory/5048-207-0x0000000000000000-mapping.dmp

Download