5f32ef9a224027930381255b1ff7d6be7af83f4886006243effeee31ec775b6e

Analysis

max time kernel
150s
max time network
118s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa625b84_by_Libranalysis.exe
Size

534KB
MD5

aa625b8479b7874ae21cfce7f0bd6de1
SHA1

f5906108c38dd0ff1a5f846f80cbc648f03e5f0a
SHA256

5f32ef9a224027930381255b1ff7d6be7af83f4886006243effeee31ec775b6e
SHA512

3d047f66aff1786cce70dd8f465e0332a329d2e50c47fa63dab56a81923c3e19f6e536bfdef1d0f978b9ab41043e4aa836a54734e1a569577c58cd35065b7f82

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

aa625b84_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\qIUAccIE\\oScMQMYQ.exe,"	aa625b84_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\qIUAccIE\\oScMQMYQ.exe,"	aa625b84_by_Libranalysis.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 3 IoCs

Processes:

cSoAgogs.exeoScMQMYQ.exeVMUUkEMc.exe

pid process

516 cSoAgogs.exe
188 oScMQMYQ.exe
852 VMUUkEMc.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

oScMQMYQ.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation oScMQMYQ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
516	cSoAgogs.exe
188	oScMQMYQ.exe
852	VMUUkEMc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	oScMQMYQ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cSoAgogs.exeoScMQMYQ.exeVMUUkEMc.exeaa625b84_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\cSoAgogs.exe = "C:\\Users\\Admin\\DkoIAoAI\\cSoAgogs.exe"	cSoAgogs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oScMQMYQ.exe = "C:\\ProgramData\\qIUAccIE\\oScMQMYQ.exe"	oScMQMYQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oScMQMYQ.exe = "C:\\ProgramData\\qIUAccIE\\oScMQMYQ.exe"	VMUUkEMc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\cSoAgogs.exe = "C:\\Users\\Admin\\DkoIAoAI\\cSoAgogs.exe"	aa625b84_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oScMQMYQ.exe = "C:\\ProgramData\\qIUAccIE\\oScMQMYQ.exe"	aa625b84_by_Libranalysis.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cmd.exeaa625b84_by_Libranalysis.execmd.execmd.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aa625b84_by_Libranalysis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aa625b84_by_Libranalysis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 6 IoCs

Processes:

oScMQMYQ.exeVMUUkEMc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\sheOpenJoin.doc	oScMQMYQ.exe
File opened for modification	C:\Windows\SysWOW64\shePopBackup.pptm	oScMQMYQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\DkoIAoAI	VMUUkEMc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\DkoIAoAI\cSoAgogs	VMUUkEMc.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	oScMQMYQ.exe
File opened for modification	C:\Windows\SysWOW64\sheFormatOpen.xlsm	oScMQMYQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
2124	reg.exe
1020	reg.exe
4072	reg.exe
2096	reg.exe
2164	reg.exe
2416	reg.exe
2328	reg.exe
1120	reg.exe
2284	reg.exe
3564	reg.exe
2984	reg.exe
2880	reg.exe
580	reg.exe
3772	reg.exe
900	reg.exe
3868	reg.exe
1732	reg.exe
580	reg.exe
1468	reg.exe
2316	reg.exe
2160	reg.exe
2412	reg.exe
1756	reg.exe
2156	reg.exe
3156	reg.exe
996	reg.exe
3948	reg.exe
2636	reg.exe
4052	reg.exe
3708	reg.exe
2164	reg.exe
2284	reg.exe
3172	reg.exe
1576	reg.exe
4060	reg.exe
2156	reg.exe
2156	reg.exe
3168	reg.exe
2456	reg.exe
3172	reg.exe
3708	reg.exe
2156	reg.exe
3156	reg.exe
1736	reg.exe
2160	reg.exe
2096	reg.exe
496	reg.exe
2636	reg.exe
1588	reg.exe
2460	reg.exe
2424	reg.exe
3172	reg.exe
2316	reg.exe
2508	reg.exe
2760	reg.exe
2344	reg.exe
1908	reg.exe
1824	reg.exe
2436	reg.exe
2352	reg.exe
1588	reg.exe
1456	reg.exe
4008	reg.exe
3644	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aa625b84_by_Libranalysis.exeaa625b84_by_Libranalysis.exeaa625b84_by_Libranalysis.exeaa625b84_by_Libranalysis.exeaa625b84_by_Libranalysis.exeaa625b84_by_Libranalysis.exeaa625b84_by_Libranalysis.exeaa625b84_by_Libranalysis.exeaa625b84_by_Libranalysis.exeaa625b84_by_Libranalysis.execmd.execmd.exeConhost.exeaa625b84_by_Libranalysis.exeaa625b84_by_Libranalysis.exeaa625b84_by_Libranalysis.exe

pid	process
4024	aa625b84_by_Libranalysis.exe
4024	aa625b84_by_Libranalysis.exe
4024	aa625b84_by_Libranalysis.exe
4024	aa625b84_by_Libranalysis.exe
2568	aa625b84_by_Libranalysis.exe
2568	aa625b84_by_Libranalysis.exe
2568	aa625b84_by_Libranalysis.exe
2568	aa625b84_by_Libranalysis.exe
1736	aa625b84_by_Libranalysis.exe
1736	aa625b84_by_Libranalysis.exe
1736	aa625b84_by_Libranalysis.exe
1736	aa625b84_by_Libranalysis.exe
2416	aa625b84_by_Libranalysis.exe
2416	aa625b84_by_Libranalysis.exe
2416	aa625b84_by_Libranalysis.exe
2416	aa625b84_by_Libranalysis.exe
408	aa625b84_by_Libranalysis.exe
408	aa625b84_by_Libranalysis.exe
408	aa625b84_by_Libranalysis.exe
408	aa625b84_by_Libranalysis.exe
3904	aa625b84_by_Libranalysis.exe
3904	aa625b84_by_Libranalysis.exe
3904	aa625b84_by_Libranalysis.exe
3904	aa625b84_by_Libranalysis.exe
3108	aa625b84_by_Libranalysis.exe
3108	aa625b84_by_Libranalysis.exe
3108	aa625b84_by_Libranalysis.exe
3108	aa625b84_by_Libranalysis.exe
992	aa625b84_by_Libranalysis.exe
992	aa625b84_by_Libranalysis.exe
992	aa625b84_by_Libranalysis.exe
992	aa625b84_by_Libranalysis.exe
2984	aa625b84_by_Libranalysis.exe
2984	aa625b84_by_Libranalysis.exe
2984	aa625b84_by_Libranalysis.exe
2984	aa625b84_by_Libranalysis.exe
1612	aa625b84_by_Libranalysis.exe
1612	aa625b84_by_Libranalysis.exe
1612	aa625b84_by_Libranalysis.exe
1612	aa625b84_by_Libranalysis.exe
2568	cmd.exe
2568	cmd.exe
2568	cmd.exe
2568	cmd.exe
2096	cmd.exe
2096	cmd.exe
2096	cmd.exe
2096	cmd.exe
1448	Conhost.exe
1448	Conhost.exe
1448	Conhost.exe
1448	Conhost.exe
3116	aa625b84_by_Libranalysis.exe
3116	aa625b84_by_Libranalysis.exe
3116	aa625b84_by_Libranalysis.exe
3116	aa625b84_by_Libranalysis.exe
584	aa625b84_by_Libranalysis.exe
584	aa625b84_by_Libranalysis.exe
584	aa625b84_by_Libranalysis.exe
584	aa625b84_by_Libranalysis.exe
1576	aa625b84_by_Libranalysis.exe
1576	aa625b84_by_Libranalysis.exe
1576	aa625b84_by_Libranalysis.exe
1576	aa625b84_by_Libranalysis.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

oScMQMYQ.exe

pid process

188 oScMQMYQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

oScMQMYQ.exe

pid	process
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe
188	oScMQMYQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aa625b84_by_Libranalysis.execmd.exeaa625b84_by_Libranalysis.execmd.execmd.exeaa625b84_by_Libranalysis.execmd.execmd.exeaa625b84_by_Libranalysis.exe

description	pid	process	target process
PID 4024 wrote to memory of 516	4024	aa625b84_by_Libranalysis.exe	cSoAgogs.exe
PID 4024 wrote to memory of 516	4024	aa625b84_by_Libranalysis.exe	cSoAgogs.exe
PID 4024 wrote to memory of 516	4024	aa625b84_by_Libranalysis.exe	cSoAgogs.exe
PID 4024 wrote to memory of 188	4024	aa625b84_by_Libranalysis.exe	oScMQMYQ.exe
PID 4024 wrote to memory of 188	4024	aa625b84_by_Libranalysis.exe	oScMQMYQ.exe
PID 4024 wrote to memory of 188	4024	aa625b84_by_Libranalysis.exe	oScMQMYQ.exe
PID 4024 wrote to memory of 1376	4024	aa625b84_by_Libranalysis.exe	cmd.exe
PID 4024 wrote to memory of 1376	4024	aa625b84_by_Libranalysis.exe	cmd.exe
PID 4024 wrote to memory of 1376	4024	aa625b84_by_Libranalysis.exe	cmd.exe
PID 4024 wrote to memory of 1736	4024	aa625b84_by_Libranalysis.exe	reg.exe
PID 4024 wrote to memory of 1736	4024	aa625b84_by_Libranalysis.exe	reg.exe
PID 4024 wrote to memory of 1736	4024	aa625b84_by_Libranalysis.exe	reg.exe
PID 4024 wrote to memory of 1864	4024	aa625b84_by_Libranalysis.exe	reg.exe
PID 4024 wrote to memory of 1864	4024	aa625b84_by_Libranalysis.exe	reg.exe
PID 4024 wrote to memory of 1864	4024	aa625b84_by_Libranalysis.exe	reg.exe
PID 4024 wrote to memory of 1588	4024	aa625b84_by_Libranalysis.exe	reg.exe
PID 4024 wrote to memory of 1588	4024	aa625b84_by_Libranalysis.exe	reg.exe
PID 4024 wrote to memory of 1588	4024	aa625b84_by_Libranalysis.exe	reg.exe
PID 1376 wrote to memory of 2568	1376	cmd.exe	aa625b84_by_Libranalysis.exe
PID 1376 wrote to memory of 2568	1376	cmd.exe	aa625b84_by_Libranalysis.exe
PID 1376 wrote to memory of 2568	1376	cmd.exe	aa625b84_by_Libranalysis.exe
PID 2568 wrote to memory of 3208	2568	aa625b84_by_Libranalysis.exe	cmd.exe
PID 2568 wrote to memory of 3208	2568	aa625b84_by_Libranalysis.exe	cmd.exe
PID 2568 wrote to memory of 3208	2568	aa625b84_by_Libranalysis.exe	cmd.exe
PID 2568 wrote to memory of 2156	2568	aa625b84_by_Libranalysis.exe	reg.exe
PID 2568 wrote to memory of 2156	2568	aa625b84_by_Libranalysis.exe	reg.exe
PID 2568 wrote to memory of 2156	2568	aa625b84_by_Libranalysis.exe	reg.exe
PID 2568 wrote to memory of 2128	2568	aa625b84_by_Libranalysis.exe	reg.exe
PID 2568 wrote to memory of 2128	2568	aa625b84_by_Libranalysis.exe	reg.exe
PID 2568 wrote to memory of 2128	2568	aa625b84_by_Libranalysis.exe	reg.exe
PID 2568 wrote to memory of 1756	2568	aa625b84_by_Libranalysis.exe	reg.exe
PID 2568 wrote to memory of 1756	2568	aa625b84_by_Libranalysis.exe	reg.exe
PID 2568 wrote to memory of 1756	2568	aa625b84_by_Libranalysis.exe	reg.exe
PID 2568 wrote to memory of 3936	2568	aa625b84_by_Libranalysis.exe	cmd.exe
PID 2568 wrote to memory of 3936	2568	aa625b84_by_Libranalysis.exe	cmd.exe
PID 2568 wrote to memory of 3936	2568	aa625b84_by_Libranalysis.exe	cmd.exe
PID 3208 wrote to memory of 1736	3208	cmd.exe	aa625b84_by_Libranalysis.exe
PID 3208 wrote to memory of 1736	3208	cmd.exe	aa625b84_by_Libranalysis.exe
PID 3208 wrote to memory of 1736	3208	cmd.exe	aa625b84_by_Libranalysis.exe
PID 3936 wrote to memory of 2344	3936	cmd.exe	cscript.exe
PID 3936 wrote to memory of 2344	3936	cmd.exe	cscript.exe
PID 3936 wrote to memory of 2344	3936	cmd.exe	cscript.exe
PID 1736 wrote to memory of 2868	1736	aa625b84_by_Libranalysis.exe	cmd.exe
PID 1736 wrote to memory of 2868	1736	aa625b84_by_Libranalysis.exe	cmd.exe
PID 1736 wrote to memory of 2868	1736	aa625b84_by_Libranalysis.exe	cmd.exe
PID 2868 wrote to memory of 2416	2868	cmd.exe	aa625b84_by_Libranalysis.exe
PID 2868 wrote to memory of 2416	2868	cmd.exe	aa625b84_by_Libranalysis.exe
PID 2868 wrote to memory of 2416	2868	cmd.exe	aa625b84_by_Libranalysis.exe
PID 1736 wrote to memory of 2060	1736	aa625b84_by_Libranalysis.exe	reg.exe
PID 1736 wrote to memory of 2060	1736	aa625b84_by_Libranalysis.exe	reg.exe
PID 1736 wrote to memory of 2060	1736	aa625b84_by_Libranalysis.exe	reg.exe
PID 1736 wrote to memory of 4072	1736	aa625b84_by_Libranalysis.exe	reg.exe
PID 1736 wrote to memory of 4072	1736	aa625b84_by_Libranalysis.exe	reg.exe
PID 1736 wrote to memory of 4072	1736	aa625b84_by_Libranalysis.exe	reg.exe
PID 1736 wrote to memory of 2892	1736	aa625b84_by_Libranalysis.exe	reg.exe
PID 1736 wrote to memory of 2892	1736	aa625b84_by_Libranalysis.exe	reg.exe
PID 1736 wrote to memory of 2892	1736	aa625b84_by_Libranalysis.exe	reg.exe
PID 1736 wrote to memory of 3832	1736	aa625b84_by_Libranalysis.exe	cmd.exe
PID 1736 wrote to memory of 3832	1736	aa625b84_by_Libranalysis.exe	cmd.exe
PID 1736 wrote to memory of 3832	1736	aa625b84_by_Libranalysis.exe	cmd.exe
PID 3832 wrote to memory of 1456	3832	cmd.exe	cscript.exe
PID 3832 wrote to memory of 1456	3832	cmd.exe	cscript.exe
PID 3832 wrote to memory of 1456	3832	cmd.exe	cscript.exe
PID 2416 wrote to memory of 2760	2416	aa625b84_by_Libranalysis.exe	cmd.exe

System policy modification 1 TTPs 10 IoCs

evasion

Modify Registry

T1112

Processes:

aa625b84_by_Libranalysis.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aa625b84_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aa625b84_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\DkoIAoAI\cSoAgogs.exe
"C:\Users\Admin\DkoIAoAI\cSoAgogs.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:516

C:\ProgramData\qIUAccIE\oScMQMYQ.exe
"C:\ProgramData\qIUAccIE\oScMQMYQ.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
4⤵
- Suspicious use of WriteProcessMemory
PID:3208

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
6⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
8⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
10⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
12⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
14⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
16⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
18⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
20⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
21⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
22⤵
PID:200

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
23⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
24⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
25⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
26⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
28⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
30⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
31⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2568

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
33⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
34⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
35⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
36⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
37⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
38⤵
PID:2852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
39⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
40⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
41⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
42⤵
PID:3172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
43⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
44⤵
PID:3096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:200

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
45⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
46⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
47⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
48⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
49⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
50⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
51⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
52⤵
PID:1824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
53⤵
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
54⤵
PID:496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
55⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
56⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
57⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
58⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
59⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
60⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
61⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
62⤵
- Checks whether UAC is enabled
- System policy modification
PID:576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
63⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
64⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
65⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
66⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
67⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
68⤵
PID:3772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
69⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
70⤵
PID:2868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
71⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
72⤵
PID:3496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
73⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
74⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
75⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
76⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
77⤵
PID:200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
78⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
79⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
80⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
81⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
82⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
83⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
84⤵
PID:1300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
85⤵
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
86⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
87⤵
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
88⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
89⤵
- Checks whether UAC is enabled
- System policy modification
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
90⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
91⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
92⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
93⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
94⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
95⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
96⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
97⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
98⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
99⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
100⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
101⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
102⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
103⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
104⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
105⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
106⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
107⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
108⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
109⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
110⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
111⤵
PID:500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
112⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
113⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
114⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
115⤵
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
116⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
117⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
118⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
119⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
120⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
121⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
122⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
123⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
124⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
125⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
126⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
127⤵
PID:3772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis"
128⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
129⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- Modifies registry key
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:3772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pukQMoMM.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
128⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies registry key
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naQoYQkg.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
126⤵
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- Modifies registry key
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMoEsYMQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
124⤵
PID:2328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lMgEgkYw.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
122⤵
PID:2156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuYwMgsU.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
120⤵
PID:3156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
- Modifies registry key
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies registry key
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AokAoIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
118⤵
PID:2084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:3932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMogMUsQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
116⤵
PID:1576

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- Modifies registry key
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
- Modifies registry key
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkcskkwE.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
114⤵
PID:2868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies registry key
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
- Modifies registry key
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCEYUUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
112⤵
PID:2760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
- Modifies registry key
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWswowYs.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
110⤵
PID:1608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGAAcoAk.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
108⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
- Modifies registry key
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCgUosYs.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
106⤵
PID:1728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKAMkcko.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
104⤵
PID:4072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BsAEUIAE.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
102⤵
PID:1456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jSQoYEwc.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
100⤵
PID:3932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- Modifies registry key
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOkcIMQY.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
98⤵
PID:408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies registry key
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOsosYsw.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
96⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UMssoAIg.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
94⤵
PID:1756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
- Modifies registry key
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUokcwEg.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
92⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKkIwMAw.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
90⤵
PID:1736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- Modifies registry key
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\suEkAMMs.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
88⤵
PID:2508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:3832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- Modifies registry key
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOsYcIww.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
86⤵
PID:1468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGUoUkEc.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
84⤵
PID:1748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWAUcEgA.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
82⤵
PID:580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:4012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYgwQIEc.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
80⤵
PID:1448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCQQoQgk.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
78⤵
- Checks whether UAC is enabled
- System policy modification
PID:2128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:2060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkAMgsgs.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
76⤵
PID:3096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIsYwYUs.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
74⤵
- Checks whether UAC is enabled
- System policy modification
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:3772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
PID:3948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:3904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sywwAMEM.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
72⤵
PID:996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIIQEYIU.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
70⤵
PID:3660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies registry key
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqUEkAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
68⤵
PID:1452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYcMkMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
66⤵
PID:1728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- Modifies registry key
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
- Modifies registry key
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
- Modifies registry key
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies registry key
PID:3772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyssUMQg.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
64⤵
PID:1756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FOoUgAIw.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
62⤵
PID:1736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:3708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- Modifies registry key
PID:2636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUUsgYcw.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
60⤵
PID:4016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:2892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies registry key
PID:496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies registry key
PID:2436

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGIwgswU.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
58⤵
PID:1748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- Modifies registry key
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSEAEgwA.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
56⤵
PID:2288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- Modifies registry key
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:2420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:2984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSIYsAUs.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
54⤵
PID:2060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- Modifies registry key
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies registry key
PID:580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWkQssgs.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
52⤵
PID:1860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:2124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
53⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies registry key
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:2160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pscMkIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
50⤵
- Checks whether UAC is enabled
- System policy modification
PID:2344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies registry key
PID:2096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
50⤵
PID:500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyIUoIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
48⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- Modifies registry key
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcUkswkQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
46⤵
PID:3240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
PID:580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GssIkoos.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
44⤵
PID:1908

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies registry key
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KywkUkQw.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
42⤵
PID:3952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- Modifies registry key
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAcQIEcQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
40⤵
PID:500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:1728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hOwAEQgw.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
38⤵
PID:2084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- Modifies registry key
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqsQYMgg.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
36⤵
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:3172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies registry key
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcYMEwEA.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
34⤵
PID:200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OEgkogAo.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
32⤵
PID:3108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- Modifies registry key
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies registry key
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYcQEEUo.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
30⤵
- Suspicious behavior: EnumeratesProcesses
PID:2096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMAkEQQc.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
28⤵
PID:3172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:64

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:1704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies registry key
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkIkUUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
26⤵
PID:992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies registry key
PID:580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEwYcssc.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
24⤵
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
- Modifies registry key
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies registry key
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkcYcwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
22⤵
PID:2328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies registry key
PID:2636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
22⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies registry key
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:2164

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- Modifies registry key
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAUwcMsI.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
20⤵
PID:64

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:3564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
20⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies registry key
PID:2760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMAIkgEc.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
18⤵
PID:2420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwIAIUYU.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
16⤵
PID:3172

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies registry key
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkIgMYgc.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
14⤵
PID:580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGEkgMMY.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
12⤵
PID:3156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- Modifies registry key
PID:2880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies registry key
PID:3168

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEwAkcYY.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
10⤵
PID:3868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies registry key
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- Modifies registry key
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqYMEEQI.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
8⤵
PID:2316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:4072

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VawsYgUo.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
6⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:2156

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKUEUIMA.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- Modifies registry key
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EeogcIcM.bat" "C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis.exe""
2⤵
PID:2304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:1608

C:\ProgramData\JkIEQswQ\VMUUkEMc.exe
C:\ProgramData\JkIEQswQ\VMUUkEMc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:200

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:3496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\JkIEQswQ\VMUUkEMc.exe
MD5
a7920e1c7f13aad7740b3b54c5e967fc

SHA1
eade3826c829a901cb28bdf0d02cc3ad2f1f8459

SHA256
db7e2a49c4667f2733f3e7207bbe6712cc5e54a20bfc24a533073472eceb330f

SHA512
11ef1b223922ef38a340dcb9abf12d0bae13180eb0476478fc1a8f2b361a67dc29af187902680547e4e9035b49708a93e93a9f83a9011129485268785762025a

Download Submit
C:\ProgramData\JkIEQswQ\VMUUkEMc.exe
MD5
a7920e1c7f13aad7740b3b54c5e967fc

SHA1
eade3826c829a901cb28bdf0d02cc3ad2f1f8459

SHA256
db7e2a49c4667f2733f3e7207bbe6712cc5e54a20bfc24a533073472eceb330f

SHA512
11ef1b223922ef38a340dcb9abf12d0bae13180eb0476478fc1a8f2b361a67dc29af187902680547e4e9035b49708a93e93a9f83a9011129485268785762025a

Download Submit
C:\ProgramData\qIUAccIE\oScMQMYQ.exe
MD5
4240e1cb61de6ab3f7bcad2c135d0844

SHA1
e942034d196a4ff5e1f3b1b8cd1c1347b7eb4c73

SHA256
652f56cbcba7a9dd12558c3a11831258eaaa13962c70a4510dff243af1ee00aa

SHA512
4c4a82586e006788f1002b122b736752f10d6c1cf2500c9255c0e94e7dad2baa01ee2abd013f5b92346f8d7a3b6bc1d77180e3e08d2a9ea810afca4521870339

Download Submit
C:\ProgramData\qIUAccIE\oScMQMYQ.exe
MD5
4240e1cb61de6ab3f7bcad2c135d0844

SHA1
e942034d196a4ff5e1f3b1b8cd1c1347b7eb4c73

SHA256
652f56cbcba7a9dd12558c3a11831258eaaa13962c70a4510dff243af1ee00aa

SHA512
4c4a82586e006788f1002b122b736752f10d6c1cf2500c9255c0e94e7dad2baa01ee2abd013f5b92346f8d7a3b6bc1d77180e3e08d2a9ea810afca4521870339

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwIAIUYU.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEwAkcYY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkIkUUkQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAcQIEcQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JqYMEEQI.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAUwcMsI.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LqsQYMgg.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEgkogAo.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkcYcwEQ.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VMAkEQQc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VawsYgUo.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkIgMYgc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa625b84_by_Libranalysis
MD5
187048b427556605b452d1a18359bb8b

SHA1
19fef45d5f94903ac879fc2404490fc796ad1b08

SHA256
18d6564632c7a550efbc5db58e500e28c107dcf0cf06171ca765632de44a8a2b

SHA512
94c577a08d39e29799ecb60300f910a2797e7ff9b9dba82c8231dbff22a6c83ec8b42bc5d99c3277b28f0ef637aec2b2b25fbe459941088142becb9ca9e74094

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOwAEQgw.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYcQEEUo.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGEkgMMY.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEwYcssc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tKUEUIMA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcYMEwEA.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMAIkgEc.bat
MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\DkoIAoAI\cSoAgogs.exe
MD5
0c0dac5a5a53da5c398e66e4dfbdc9fb

SHA1
0c73d6ebd330a9d96be843dd0c1aa55b5f5097cb

SHA256
870432d9d70ee8dae02572680de1ba2227859a9085f69d93f4af966f557464b2

SHA512
a0688b28182b66d3fd67d96af41e95703132868d90353d9ed8696a734a90783e659cfe59cf489403f073aaa8a3e62b023d920d96669ce9df6934046d5631b734

Download Submit
C:\Users\Admin\DkoIAoAI\cSoAgogs.exe
MD5
0c0dac5a5a53da5c398e66e4dfbdc9fb

SHA1
0c73d6ebd330a9d96be843dd0c1aa55b5f5097cb

SHA256
870432d9d70ee8dae02572680de1ba2227859a9085f69d93f4af966f557464b2

SHA512
a0688b28182b66d3fd67d96af41e95703132868d90353d9ed8696a734a90783e659cfe59cf489403f073aaa8a3e62b023d920d96669ce9df6934046d5631b734

Download Submit
memory/64-162-0x0000000000000000-mapping.dmp

Download
memory/188-117-0x0000000000000000-mapping.dmp

Download
memory/408-153-0x0000000000000000-mapping.dmp

Download
memory/516-114-0x0000000000000000-mapping.dmp

Download
memory/580-183-0x0000000000000000-mapping.dmp

Download
memory/584-207-0x0000000000000000-mapping.dmp

Download
memory/584-195-0x0000000000000000-mapping.dmp

Download
memory/992-179-0x0000000000000000-mapping.dmp

Download
memory/992-205-0x0000000000000000-mapping.dmp

Download
memory/1376-122-0x0000000000000000-mapping.dmp

Download
memory/1456-145-0x0000000000000000-mapping.dmp

Download
memory/1456-161-0x0000000000000000-mapping.dmp

Download
memory/1456-188-0x0000000000000000-mapping.dmp

Download
memory/1516-175-0x0000000000000000-mapping.dmp

Download
memory/1588-125-0x0000000000000000-mapping.dmp

Download
memory/1612-199-0x0000000000000000-mapping.dmp

Download
memory/1728-198-0x0000000000000000-mapping.dmp

Download
memory/1736-151-0x0000000000000000-mapping.dmp

Download
memory/1736-123-0x0000000000000000-mapping.dmp

Download
memory/1736-133-0x0000000000000000-mapping.dmp

Download
memory/1756-131-0x0000000000000000-mapping.dmp

Download
memory/1864-124-0x0000000000000000-mapping.dmp

Download
memory/1864-185-0x0000000000000000-mapping.dmp

Download
memory/1908-201-0x0000000000000000-mapping.dmp

Download
memory/2060-140-0x0000000000000000-mapping.dmp

Download
memory/2084-158-0x0000000000000000-mapping.dmp

Download
memory/2128-130-0x0000000000000000-mapping.dmp

Download
memory/2144-178-0x0000000000000000-mapping.dmp

Download
memory/2156-170-0x0000000000000000-mapping.dmp

Download
memory/2156-129-0x0000000000000000-mapping.dmp

Download
memory/2164-180-0x0000000000000000-mapping.dmp

Download
memory/2288-167-0x0000000000000000-mapping.dmp

Download
memory/2304-150-0x0000000000000000-mapping.dmp

Download
memory/2316-190-0x0000000000000000-mapping.dmp

Download
memory/2316-152-0x0000000000000000-mapping.dmp

Download
memory/2344-135-0x0000000000000000-mapping.dmp

Download
memory/2344-189-0x0000000000000000-mapping.dmp

Download
memory/2352-187-0x0000000000000000-mapping.dmp

Download
memory/2416-139-0x0000000000000000-mapping.dmp

Download
memory/2420-203-0x0000000000000000-mapping.dmp

Download
memory/2436-182-0x0000000000000000-mapping.dmp

Download
memory/2568-126-0x0000000000000000-mapping.dmp

Download
memory/2760-147-0x0000000000000000-mapping.dmp

Download
memory/2760-200-0x0000000000000000-mapping.dmp

Download
memory/2868-138-0x0000000000000000-mapping.dmp

Download
memory/2880-171-0x0000000000000000-mapping.dmp

Download
memory/2888-165-0x0000000000000000-mapping.dmp

Download
memory/2892-142-0x0000000000000000-mapping.dmp

Download
memory/2984-169-0x0000000000000000-mapping.dmp

Download
memory/2984-181-0x0000000000000000-mapping.dmp

Download
memory/2984-193-0x0000000000000000-mapping.dmp

Download
memory/3108-172-0x0000000000000000-mapping.dmp

Download
memory/3156-149-0x0000000000000000-mapping.dmp

Download
memory/3156-173-0x0000000000000000-mapping.dmp

Download
memory/3168-160-0x0000000000000000-mapping.dmp

Download
memory/3172-191-0x0000000000000000-mapping.dmp

Download
memory/3208-128-0x0000000000000000-mapping.dmp

Download
memory/3208-155-0x0000000000000000-mapping.dmp

Download
memory/3832-143-0x0000000000000000-mapping.dmp

Download
memory/3868-163-0x0000000000000000-mapping.dmp

Download
memory/3904-159-0x0000000000000000-mapping.dmp

Download
memory/3936-132-0x0000000000000000-mapping.dmp

Download
memory/4008-202-0x0000000000000000-mapping.dmp

Download
memory/4072-141-0x0000000000000000-mapping.dmp

Download