Analysis
max time kernel: 4s
max time network: 37s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 16:31
Static task: static1
Behavioral task: behavioral1
Sample: Electron.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: Electron.exe
Resource: win10v2004-20240426-en
General
Target: Electron.exe
Size: 61KB
MD5: 1ce13e423f57888a68c3c544460b13a4
SHA1: eb98c3220428ea3e5bf391f330af1317c839d258
SHA256: e8f1e825cd1da794257a8f1f38f291835b31d45ded1cace17953b4a4f3bbf040
SHA512: eb0da239fec584754fc720b50cd1668684e4eadbe86f267b6285806c79c045fa657aaf9e97c8e27c967207105180251c5e13b7eb213fa067ad301d4af316accb
SSDEEP: 768:5vcc1E6Deh+l8qctQuC4jCqD1uu2wZy1PNQF1DCVTs85ECgm8Azet8AtZ:dCh+Oqmq/p1PqF1DCNs+EXAzeyAtZ
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1572 3104 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3652 3104 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4968 3104 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3096 3104 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4360 3104 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4040 3104 schtasks.exe
-
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\Wave.exe dcrat
C:\intodll\agentSaves.exe dcrat
behavioral2/memory/2316-39-0x0000000000C10000-0x0000000000CE6000-memory.dmp dcrat
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Wave.exe, Electron.exe, Electron.exe, Electron.exe, Wave.exe
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation Wave.exe
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation Electron.exe
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation Electron.exe
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation Electron.exe
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation Wave.exe
-
Executes dropped EXE 3 IoCs
Processes:
Wave.exe, Wave.exe, Wave.exe
pid process
2124 Wave.exe
5052 Wave.exe
4052 Wave.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
pid process
1572 schtasks.exe
3652 schtasks.exe
4968 schtasks.exe
3096 schtasks.exe
4360 schtasks.exe
4040 schtasks.exe
-
Modifies registry class 2 IoCs
Processes:
Wave.exe, Wave.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings Wave.exe
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings Wave.exe
-
Modifies registry key 1 TTPs 64 IoCs
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
Electron.exe, Electron.exe, Electron.exe, Electron.exe
description pid process
Token: SeDebugPrivilege 1344 Electron.exe
Token: SeDebugPrivilege 1248 Electron.exe
Token: SeDebugPrivilege 2228 Electron.exe
Token: SeDebugPrivilege 2172 Electron.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
Electron.exe, Electron.exe, Wave.exe, Wave.exe, Electron.exe
description pid process target process
PID 1344 wrote to memory of 2124 1344 Electron.exe Wave.exe
PID 1344 wrote to memory of 2124 1344 Electron.exe Wave.exe
PID 1344 wrote to memory of 2124 1344 Electron.exe Wave.exe
PID 1344 wrote to memory of 1248 1344 Electron.exe agentSaves.exe
PID 1344 wrote to memory of 1248 1344 Electron.exe agentSaves.exe
PID 1248 wrote to memory of 5052 1248 Electron.exe Wave.exe
PID 1248 wrote to memory of 5052 1248 Electron.exe Wave.exe
PID 1248 wrote to memory of 5052 1248 Electron.exe Wave.exe
PID 1248 wrote to memory of 2228 1248 Electron.exe Electron.exe
PID 1248 wrote to memory of 2228 1248 Electron.exe Electron.exe
PID 2124 wrote to memory of 4064 2124 Wave.exe WScript.exe
PID 2124 wrote to memory of 4064 2124 Wave.exe WScript.exe
PID 2124 wrote to memory of 4064 2124 Wave.exe WScript.exe
PID 5052 wrote to memory of 4060 5052 Wave.exe WScript.exe
PID 5052 wrote to memory of 4060 5052 Wave.exe WScript.exe
PID 5052 wrote to memory of 4060 5052 Wave.exe WScript.exe
PID 2228 wrote to memory of 4052 2228 Electron.exe agentSaves.exe
PID 2228 wrote to memory of 4052 2228 Electron.exe agentSaves.exe
PID 2228 wrote to memory of 4052 2228 Electron.exe agentSaves.exe
PID 2228 wrote to memory of 2172 2228 Electron.exe Conhost.exe
PID 2228 wrote to memory of 2172 2228 Electron.exe Conhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"3⤵PID:4064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "4⤵PID:3684
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"5⤵PID:2316
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bxb1a8eWE.bat"6⤵PID:2568
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:3704
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"7⤵PID:5968
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f5⤵
- Modifies registry key
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"4⤵PID:4060
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "5⤵PID:3648
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"6⤵PID:1256
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f6⤵
- Modifies registry key
PID:6320 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"4⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"5⤵PID:3544
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "6⤵PID:1500
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"7⤵PID:228
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f7⤵
- Modifies registry key
PID:6612 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172 -
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"5⤵PID:1308
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"6⤵PID:2776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "7⤵PID:1456
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"8⤵PID:4052
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f8⤵PID:6912
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"5⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"6⤵PID:3972
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"7⤵PID:4112
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "8⤵PID:3900
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"9⤵PID:1248
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f9⤵
- Modifies registry key
PID:6388 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"6⤵PID:2456
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"7⤵PID:4992
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"8⤵PID:4780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "9⤵PID:1692
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"10⤵PID:3988
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f10⤵PID:6320
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"7⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"8⤵PID:2012
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"9⤵PID:2672
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "10⤵PID:4120
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"11⤵PID:4348
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f11⤵PID:6300
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"8⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"9⤵PID:4488
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"10⤵PID:4584
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "11⤵PID:968
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"12⤵PID:5028
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f12⤵
- Modifies registry key
PID:5992 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"9⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"10⤵PID:952
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"11⤵PID:4980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "12⤵PID:4328
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"13⤵PID:4624
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f13⤵
- Modifies registry key
PID:6672 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"10⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"11⤵PID:4716
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"12⤵PID:1344
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "13⤵PID:1900
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"14⤵PID:4644
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f14⤵
- Modifies registry key
PID:7076 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"11⤵PID:1636
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"12⤵PID:3276
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"13⤵PID:4656
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "14⤵PID:2296
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"15⤵PID:4272
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f15⤵
- Modifies registry key
PID:3128 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"12⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"13⤵PID:3208
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"14⤵PID:808
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "15⤵PID:3012
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"16⤵PID:2620
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f16⤵
- Modifies registry key
PID:5424 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"13⤵PID:1880
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"14⤵PID:4272
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"15⤵PID:3148
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "16⤵PID:5144
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"17⤵PID:5344
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f17⤵
- Modifies registry key
PID:5284 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"14⤵PID:2396
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"15⤵PID:4148
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"16⤵PID:3836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "17⤵PID:5328
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"18⤵PID:5752
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f18⤵PID:116
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"15⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"16⤵PID:1144
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"17⤵PID:2452
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "18⤵PID:5660
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"19⤵PID:5848
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f19⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"16⤵PID:4184
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"17⤵PID:772
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"18⤵PID:4760
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "19⤵PID:5980
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"20⤵PID:6096
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f20⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"17⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"18⤵PID:3332
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"19⤵PID:4416
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "20⤵PID:4600
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"21⤵PID:5576
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f21⤵PID:5284
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"18⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"19⤵PID:1972
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"20⤵PID:640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "21⤵PID:5492
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"22⤵PID:5912
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f22⤵
- Modifies registry key
PID:5880 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"19⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"20⤵PID:4608
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"21⤵PID:2068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "22⤵PID:5784
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"23⤵PID:3836
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f23⤵
- Modifies registry key
PID:6040 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"20⤵PID:672
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"21⤵PID:4124
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"22⤵PID:4560
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "23⤵PID:5592
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"24⤵PID:6104
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f24⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"21⤵PID:1260
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"22⤵PID:672
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"23⤵PID:5172
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "24⤵PID:1644
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"25⤵PID:5432
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f25⤵PID:7024
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"22⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"23⤵PID:4936
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"24⤵PID:5304
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "25⤵PID:904
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"26⤵PID:5172
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f26⤵
- Modifies registry key
PID:7012 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"23⤵PID:5188
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"24⤵PID:5424
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"25⤵PID:5628
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "26⤵PID:5316
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"27⤵PID:3624
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f27⤵
- Modifies registry key
PID:5336 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"24⤵PID:5480
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"25⤵PID:5780
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"26⤵PID:6032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "27⤵PID:5084
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"28⤵PID:6156
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f28⤵
- Modifies registry key
PID:3296 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"25⤵PID:5872
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"26⤵PID:6108
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"27⤵PID:5224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "28⤵PID:6372
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"29⤵PID:6660
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f29⤵
- Modifies registry key
PID:4416 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"26⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"27⤵PID:5228
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"28⤵PID:5324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "29⤵PID:6552
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"30⤵PID:6864
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f30⤵
- Modifies registry key
PID:5252 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"27⤵PID:5264
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"28⤵PID:5584
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"29⤵PID:5880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "30⤵PID:6788
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"31⤵PID:6920
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f31⤵
- Modifies registry key
PID:6800 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"28⤵PID:5588
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"29⤵PID:6052
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"30⤵PID:2860
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "31⤵PID:7136
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"32⤵PID:5136
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f32⤵
- Modifies registry key
PID:6060 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"29⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"30⤵PID:3228
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"31⤵PID:1464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "32⤵PID:6452
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"33⤵PID:5176
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f33⤵
- Modifies registry key
PID:6908 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"30⤵PID:3324
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"31⤵PID:5416
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"32⤵PID:5928
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "33⤵PID:6668
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"34⤵PID:1456
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f34⤵
- Modifies registry key
PID:6640 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"31⤵PID:1188
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"32⤵PID:384
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"33⤵PID:2272
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "34⤵PID:2164
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"35⤵PID:6272
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f35⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"32⤵PID:6124
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"33⤵PID:5524
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"34⤵PID:6344
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "35⤵PID:6464
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"36⤵PID:4120
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f36⤵PID:5188
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"33⤵PID:6164
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"34⤵PID:6356
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"35⤵PID:6536
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "36⤵PID:6752
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"37⤵PID:3708
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f37⤵PID:5516
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"34⤵PID:6400
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"35⤵PID:6620
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"36⤵PID:6800
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "37⤵PID:2448
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"38⤵PID:7044
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f38⤵PID:6028
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"35⤵PID:6680
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"36⤵PID:6972
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"37⤵PID:7124
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "38⤵PID:7152
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"39⤵PID:864
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f39⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"36⤵PID:7020
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"37⤵PID:5320
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"38⤵PID:5956
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "39⤵PID:804
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"40⤵PID:5420
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f40⤵PID:5660
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"37⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"38⤵PID:6280
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"39⤵PID:6368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "40⤵PID:4940
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"41⤵PID:2660
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f41⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"38⤵PID:6188
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"39⤵PID:4716
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"40⤵PID:6704
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "41⤵PID:5144
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"42⤵PID:4788
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f42⤵PID:4928
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"39⤵PID:5568
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"40⤵PID:5952
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"41⤵PID:6892
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "42⤵PID:2364
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"43⤵PID:2560
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f43⤵PID:804
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"40⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"41⤵PID:6208
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"42⤵PID:7036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "43⤵PID:4472
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"44⤵PID:5528
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f44⤵PID:7120
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"41⤵PID:7080
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"42⤵PID:2316
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"43⤵PID:4748
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "44⤵PID:6100
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"45⤵PID:1256
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f45⤵PID:4580
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"42⤵PID:3512
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"43⤵PID:1508
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"44⤵PID:6396
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "45⤵PID:2316
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"46⤵PID:5400
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f46⤵PID:7044
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"43⤵PID:6300
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"44⤵PID:6420
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"45⤵PID:4584
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "46⤵PID:3908
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"47⤵PID:5968
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f47⤵PID:6340
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"44⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"45⤵PID:6532
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"46⤵PID:3428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "47⤵PID:1684
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"48⤵PID:5468
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f48⤵PID:6680
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"45⤵PID:6708
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"46⤵PID:2516
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"47⤵PID:440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "48⤵PID:5892
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"49⤵PID:5608
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f49⤵PID:5244
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"46⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"47⤵PID:4272
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"48⤵PID:2296
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "49⤵PID:6052
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"50⤵PID:2332
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f50⤵PID:3736
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"47⤵PID:7092
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"48⤵PID:2776
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"49⤵PID:3112
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "50⤵PID:6544
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"51⤵PID:6048
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f51⤵PID:3552
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"48⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"49⤵PID:3468
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"50⤵PID:6420
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "51⤵PID:5404
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"52⤵PID:3600
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f52⤵PID:3280
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"49⤵PID:6180
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"50⤵PID:6560
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"51⤵PID:5792
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "52⤵PID:6084
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"53⤵PID:2760
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f53⤵PID:1188
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"50⤵PID:6260
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"51⤵PID:5864
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"52⤵PID:6784
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "53⤵PID:4656
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"54⤵PID:1588
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f54⤵PID:5328
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"51⤵PID:5924
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"52⤵PID:6052
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"53⤵PID:4652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "54⤵PID:4464
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"55⤵PID:3772
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f55⤵PID:5288
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"52⤵PID:5352
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"53⤵PID:5956
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"54⤵PID:4448
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "55⤵PID:3148
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"56⤵PID:6120
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f56⤵PID:7164
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"53⤵PID:6428
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"54⤵PID:5576
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"55⤵PID:5164
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "56⤵PID:6532
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"57⤵PID:6184
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f57⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"54⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"55⤵PID:4600
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"56⤵PID:7032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "57⤵PID:4328
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"58⤵PID:6020
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f58⤵PID:6212
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"55⤵PID:5788
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"56⤵PID:4552
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"57⤵PID:5516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "58⤵PID:6472
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"59⤵PID:4756
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f59⤵PID:6332
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"56⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"57⤵PID:5724
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"58⤵PID:7060
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "59⤵PID:4684
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"60⤵PID:7072
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f60⤵PID:5244
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"57⤵PID:4136
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"58⤵PID:656
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"59⤵PID:1596
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "60⤵PID:7136
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"61⤵PID:6320
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f61⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"58⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"59⤵PID:5944
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"60⤵PID:224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "61⤵PID:5756
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"62⤵PID:1500
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f62⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"59⤵PID:1880
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"60⤵PID:6448
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"61⤵PID:904
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "62⤵PID:6364
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"63⤵PID:5716
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f63⤵PID:6896
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"60⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"61⤵PID:1236
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"62⤵PID:1032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "63⤵PID:2004
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"64⤵PID:6888
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f64⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"61⤵PID:916
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"62⤵PID:5908
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"63⤵PID:6348
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "64⤵PID:4364
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"65⤵PID:5016
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f65⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"62⤵PID:7112
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"63⤵PID:4136
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"64⤵PID:4624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "65⤵PID:736
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV166⤵PID:2172
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"66⤵PID:6536
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f66⤵PID:4884
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"63⤵PID:5652
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"64⤵PID:6756
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"65⤵PID:6952
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "66⤵PID:6348
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"67⤵PID:5200
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f67⤵PID:2620
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"64⤵PID:5836
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"65⤵PID:5856
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"66⤵PID:5388
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "67⤵PID:3760
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"68⤵PID:6620
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f68⤵PID:4236
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"65⤵PID:5148
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"66⤵PID:3972
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"67⤵PID:6308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "68⤵PID:228
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"69⤵PID:456
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f69⤵PID:6020
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"66⤵PID:2124
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"67⤵PID:4628
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"68⤵PID:1260
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "69⤵PID:5388
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"70⤵PID:5700
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f70⤵PID:7072
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"67⤵PID:5200
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"68⤵PID:4468
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"69⤵PID:324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "70⤵PID:6812
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"71⤵PID:4788
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f71⤵PID:6876
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"68⤵PID:6956
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"69⤵PID:5272
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"70⤵PID:6040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "71⤵PID:6840
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"72⤵PID:5376
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f72⤵PID:212
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"69⤵PID:5816
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"70⤵PID:6536
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"71⤵PID:1484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "72⤵PID:1036
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"73⤵PID:6436
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f73⤵PID:5064
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"70⤵PID:5376
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"71⤵PID:7024
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"72⤵PID:6836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "73⤵PID:404
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"74⤵PID:4272
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f74⤵PID:5128
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"71⤵PID:5340
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"72⤵PID:3988
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"73⤵PID:6292
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "74⤵PID:5916
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"75⤵PID:4604
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f75⤵PID:6436
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"72⤵PID:672
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"73⤵PID:2324
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"74⤵PID:6384
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "75⤵PID:7124
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"76⤵PID:4764
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f76⤵PID:6760
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"73⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"74⤵PID:3652
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"75⤵PID:6440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "76⤵PID:5344
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"77⤵PID:4720
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f77⤵PID:5172
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"74⤵PID:5276
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"75⤵PID:4444
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"76⤵PID:5864
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "77⤵PID:6600
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"78⤵PID:6520
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f78⤵PID:2516
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"75⤵PID:3988
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"76⤵PID:6848
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"77⤵PID:7024
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "78⤵PID:6660
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"79⤵PID:7132
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f79⤵PID:7124
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"76⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"77⤵PID:1188
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"78⤵PID:1260
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "79⤵PID:4584
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"80⤵PID:840
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f80⤵PID:6892
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"77⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"78⤵PID:7008
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"79⤵PID:5776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "80⤵PID:6244
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"81⤵PID:5156
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f81⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"78⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"79⤵PID:4644
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"80⤵PID:3120
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "81⤵PID:4928
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"82⤵PID:5724
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f82⤵PID:1036
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"79⤵PID:3724
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"80⤵PID:6848
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"81⤵PID:5276
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "82⤵PID:6384
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"83⤵PID:4044
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f83⤵PID:5260
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"80⤵PID:7076
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"81⤵PID:4720
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"82⤵PID:1196
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "83⤵PID:2636
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"84⤵PID:6688
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f84⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"81⤵PID:952
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"82⤵PID:3096
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"83⤵PID:5488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "84⤵PID:6104
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"85⤵PID:5244
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f85⤵PID:5260
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"82⤵PID:6684
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"83⤵PID:6192
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"84⤵PID:3724
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "85⤵PID:3016
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"86⤵PID:5044
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f86⤵PID:6588
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"83⤵PID:2548
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"84⤵PID:1996
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"85⤵PID:4888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "86⤵PID:5436
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"87⤵PID:4452
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f87⤵PID:7088
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"84⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"85⤵PID:3888
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"86⤵PID:4020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "87⤵PID:5092
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"88⤵PID:4780
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f88⤵
- Modifies registry key
PID:6648 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"85⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"86⤵PID:6708
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"87⤵PID:6988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "88⤵PID:6928
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"89⤵PID:6700
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f89⤵
- Modifies registry key
PID:7008 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"86⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"87⤵PID:4184
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"88⤵PID:5752
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "89⤵PID:7108
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"90⤵PID:4152
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f90⤵
- Modifies registry key
PID:3244 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"87⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"88⤵PID:5724
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"89⤵PID:5780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "90⤵PID:6500
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"91⤵PID:5016
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f91⤵PID:7016
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"88⤵PID:6608
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"89⤵PID:6096
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"90⤵PID:6744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "91⤵PID:5488
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"92⤵PID:2176
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f92⤵
- Modifies registry key
PID:6720 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"89⤵PID:3524
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"90⤵PID:6688
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"91⤵PID:6448
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "92⤵PID:7060
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"93⤵PID:4636
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f93⤵
- Modifies registry key
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"90⤵PID:6656
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"91⤵PID:5436
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"92⤵PID:6148
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "93⤵PID:4296
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"94⤵PID:5364
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f94⤵
- Modifies registry key
PID:5908 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"91⤵PID:5732
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"92⤵PID:5060
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"93⤵PID:4624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "94⤵PID:5404
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"95⤵PID:5712
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f95⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"92⤵PID:5280
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"93⤵PID:2176
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"94⤵PID:4144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "95⤵PID:6768
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"96⤵PID:6868
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f96⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"93⤵PID:5828
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"94⤵PID:6924
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"95⤵PID:1588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "96⤵PID:3516
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"97⤵PID:5676
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f97⤵
- Modifies registry key
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"94⤵PID:6936
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"95⤵PID:5732
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"96⤵PID:7112
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "97⤵PID:2228
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"98⤵PID:548
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f98⤵
- Modifies registry key
PID:440 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"95⤵PID:7072
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"96⤵PID:5876
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"97⤵PID:1284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "98⤵PID:6164
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"99⤵PID:1568
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f99⤵PID:5956
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"96⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"97⤵PID:4888
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"98⤵PID:1132
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "99⤵PID:6848
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"100⤵PID:5768
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f100⤵
- Modifies registry key
PID:6344 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"97⤵PID:704
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"98⤵PID:6896
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"99⤵PID:5728
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "100⤵PID:6472
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"101⤵PID:904
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f101⤵PID:5844
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"98⤵PID:6888
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"99⤵PID:6808
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"100⤵PID:4088
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "101⤵PID:6804
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"102⤵PID:6876
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f102⤵
- Modifies registry key
PID:6172 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"99⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"100⤵PID:1236
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"101⤵PID:1644
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "102⤵PID:1980
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"103⤵PID:4112
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f103⤵PID:6712
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"100⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"101⤵PID:3332
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"102⤵PID:7104
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "103⤵PID:5888
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"104⤵PID:4444
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f104⤵
- Modifies registry key
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"101⤵PID:7032
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"102⤵PID:6348
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"103⤵PID:2348
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "104⤵PID:2640
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"105⤵PID:4560
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f105⤵
- Modifies registry key
PID:5856 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"102⤵PID:4056
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"103⤵PID:5480
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"104⤵PID:5444
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "105⤵PID:3220
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"106⤵PID:6836
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f106⤵
- Modifies registry key
PID:6668 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"103⤵PID:6228
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"104⤵PID:5200
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"105⤵PID:5248
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "106⤵PID:5804
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"107⤵PID:3900
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f107⤵
- Modifies registry key
PID:6436 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"104⤵PID:6844
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"105⤵PID:4444
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"106⤵PID:2808
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "107⤵PID:6652
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"108⤵PID:1588
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f108⤵PID:4632
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"105⤵PID:4412
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"106⤵PID:3096
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"107⤵PID:976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "108⤵PID:6272
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"109⤵PID:2920
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f109⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"106⤵PID:6892
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"107⤵PID:228
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"108⤵PID:5200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "109⤵PID:6108
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"110⤵PID:4992
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f110⤵
- Modifies registry key
PID:3296 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"107⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"108⤵PID:5268
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"109⤵PID:5056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "110⤵PID:5384
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"111⤵PID:1988
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f111⤵PID:2544
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"108⤵PID:5272
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"109⤵PID:1068
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"110⤵PID:3128
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "111⤵PID:6600
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"112⤵PID:5448
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f112⤵
- Modifies registry key
PID:2172 -
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"109⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"110⤵PID:6616
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"111⤵PID:6976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "112⤵PID:1624
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"113⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"110⤵PID:4472
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"111⤵PID:6168
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"112⤵PID:4764
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "113⤵PID:6452
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"114⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"111⤵PID:5576
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"112⤵PID:6032
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"113⤵PID:7144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "114⤵PID:3704
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"115⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"112⤵PID:3740
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"113⤵PID:6628
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"114⤵PID:6576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "115⤵PID:6840
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"116⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"113⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"114⤵PID:404
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"115⤵PID:440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "116⤵PID:5336
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"117⤵PID:5840
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"114⤵PID:6816
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"115⤵PID:3800
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"116⤵PID:2840
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "117⤵PID:804
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"118⤵PID:6288
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"115⤵PID:6620
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"116⤵PID:6392
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"117⤵PID:5944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "118⤵PID:5924
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"119⤵PID:3800
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"116⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"117⤵PID:916
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"118⤵PID:6280
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "119⤵PID:6084
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"120⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"117⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"118⤵PID:5564
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"119⤵PID:5368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "120⤵PID:5364
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"121⤵PID:6624
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"118⤵PID:6440
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"119⤵PID:4920
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"120⤵PID:1196
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "121⤵PID:6376
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"122⤵PID:2564
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"119⤵PID:6396
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"120⤵PID:1944
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"121⤵PID:6032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "122⤵PID:2256
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"123⤵PID:6004
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"120⤵PID:5236
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"121⤵PID:5924
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"122⤵PID:3524
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "123⤵PID:6052
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"124⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"121⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"122⤵PID:7164
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"123⤵PID:6568
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "124⤵PID:5168
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"125⤵PID:7100
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"122⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"123⤵PID:4100
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"124⤵PID:4920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "125⤵PID:3244
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"126⤵PID:1304
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"123⤵PID:7148
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"124⤵PID:3988
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"125⤵PID:5208
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "126⤵PID:6392
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"127⤵PID:7092
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"124⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"125⤵PID:5284
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"126⤵PID:6552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "127⤵PID:7104
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"128⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"125⤵PID:4124
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"126⤵PID:2164
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"127⤵PID:3012
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "128⤵PID:1596
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"129⤵PID:5632
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"126⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"127⤵PID:6012
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"128⤵PID:4136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "129⤵PID:1140
-
C:\intodll\agentSaves.exe"C:\intodll\agentSaves.exe"130⤵PID:5272
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"127⤵PID:6564
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"128⤵PID:7128
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"129⤵PID:1444
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "130⤵PID:3176
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"128⤵PID:5464
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"129⤵PID:4576
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"130⤵PID:6072
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "131⤵PID:5180
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"129⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"130⤵PID:1188
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"131⤵PID:6976
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"130⤵PID:6596
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"131⤵PID:672
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"132⤵PID:5568
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"131⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"132⤵PID:904
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"133⤵PID:5308
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"132⤵PID:5196
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"133⤵PID:6888
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"134⤵PID:6508
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"133⤵PID:3468
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"134⤵PID:7108
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"135⤵PID:6804
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"134⤵PID:5208
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"135⤵PID:952
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"136⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"135⤵PID:5348
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"136⤵PID:6396
-
C:\Users\Admin\AppData\Local\Temp\Electron.exe"C:\Users\Admin\AppData\Local\Temp\Electron.exe"136⤵PID:6408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\intodll\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\intodll\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\intodll\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Searches\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Searches\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5932
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Electron.exe.log
Filesize: 847B
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\agentSaves.exe.log
Filesize: 1KB
-
C:\Users\Admin\AppData\Local\Temp\5bxb1a8eWE.bat
Filesize: 190B
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe
Filesize: 1.1MB
-
C:\intodll\SNnEeg5Q2Cv9CjuPi.bat
Filesize: 139B
-
C:\intodll\agentSaves.exe
Filesize: 828KB
-
C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe
Filesize: 201B
-
memory/1248-15-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp
Filesize: 10.8MB
-
memory/1248-24-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp
Filesize: 10.8MB
-
memory/1248-13-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp
Filesize: 10.8MB
-
memory/1344-1-0x00007FF90B123000-0x00007FF90B125000-memory.dmp
Filesize: 8KB
-
memory/1344-12-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp
Filesize: 10.8MB
-
memory/1344-2-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp
Filesize: 10.8MB
-
memory/1344-0-0x0000000000AA0000-0x0000000000AB8000-memory.dmp
Filesize: 96KB
-
memory/2316-39-0x0000000000C10000-0x0000000000CE6000-memory.dmp
Filesize: 856KB