Malware Analysis Report

2024-10-10 12:55

Sample ID 240531-t1cymsea7s
Target Electron.exe
SHA256 e8f1e825cd1da794257a8f1f38f291835b31d45ded1cace17953b4a4f3bbf040
Tags
dcrat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e8f1e825cd1da794257a8f1f38f291835b31d45ded1cace17953b4a4f3bbf040

Threat Level: Known bad

The file Electron.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

DcRat

Process spawned unexpected child process

DCRat payload

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Modifies system certificate store

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 16:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 16:31

Reported

2024-05-31 16:33

Platform

win7-20240215-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary certificate blob not captured in this report] C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3004 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 2552 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 2052 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 3048 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 1532 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 2276 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 2148 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 1300 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 2424 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 1908 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 2684 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 2208 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 1240 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 804 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 284 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 2084 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 2916 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 1040 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 2040 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 1036 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 1304 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 2520 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

memory/3004-0-0x000007FEF4E63000-0x000007FEF4E64000-memory.dmp

memory/3004-1-0x0000000000170000-0x0000000000188000-memory.dmp

memory/3004-2-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1D29.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/3004-120-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6fbb6fe5ea4ce84e38b31b9bc1bf3a0
SHA1 aab43b30ae6832dab48d12d487b6281c09d748fb
SHA256 06369dc19031f4e88ffe00135509224199956995b8ffbdf016b64e10f0dc8334
SHA512 d756e824701d95c13184ccc04ecf9aa17f9a4b46f51863c4c66894248eab293f69d80690f35306cfcc8efa926a295d5e8320676181a12fe1b1fa1c810d294533


MD5 17b53df560a01123269333d103c6f276
SHA1 0a0f82c3223aad5d221296fa52683698920b4ba4
SHA256 0d585e37959186d33f35844aead29a7a4f7b87d574fa640c61dcfaea9c173747
SHA512 ccb3e013d2db8e0c2874d76d680714b84825f25eb648b4028b9e8a0f609fea5d9accecef8d2d93eabafe99f91761d924b7f90df64dfdee38f646acf893d5de36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f1a59be49bc04c8d6c3939b63e072a6
SHA1 6d35e3e7c885b9cd7d6a5368b903b7993515045a
SHA256 ea1afa9f6de2ed494913b91f3082d2ec2e6a5f2ae8819e5db525cc895847f1b8
SHA512 f119b2a5b47708097237ad295e5a8f01e7f67ae87aa045b8c13f1b772eda65d973ee86db92477e2333f0b8feb63cbbcfcf04c672d59e8449ce55150be24d997f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5af30a1e3e8bbbbb84c3851bd7cbe62e
SHA1 72fd5cc25d1d0f3ac49dd241d7e474a8a6898162
SHA256 c4df4cae1f2d4682bb36afbfb4dd8afa003392bef6289ba1a410eb73d55f73a4
SHA512 c1ed3fbce1faa3d66d34ed8fb3da4f56cae4b99739e1e0b99809cfec757be1b17c9247794399e2de3251ce2306d5e7b6f1241d2407264eb2359bd1836d4cd61e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85ad07dfdb5b5864764c923235e90001
SHA1 a2660182a23654d051376331dffb0e4dd61d5255
SHA256 d28dff377632e0a8b7c10887e9821b7d8d6b58a601d2a54801c28aa88d180cf7
SHA512 a62c660815b9ff9be34c58a33801953fb7e1b9ed88d24142ed40b431073d53baa51621bdcd1e6d15d2639ea2b6156dc2006997ebf4ac06d0d793b793096323c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce8156805fef1a42e627041de2278748
SHA1 614b9767d4190dea4b11078efb86dd1df0c8b40a
SHA256 5908e327feaf648a13fa38d4023009afec2a8ec35732df72c5e5bcab4182f5b4
SHA512 2f48032036d4e0b998575a4e562be213c988ad1aa775feec06d550a9929150a740d6d63869e3c8a48d099ea8534e4939e47628c825a6a779f740cb9662d07f8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d71a99c40608b2d73415a4c2f9ab218
SHA1 159acbc82c958bf0d37f694db27ba8beabb4aab1
SHA256 fc417fc283105f90fbe0ab030f2214651ecf6617a7edfdb6b56f19f765919fc0
SHA512 be4f2f139e477e347c8cab6a21491968615f57a72b4b8e1dcedffcf57f981c95b8cd018a7a58391444f51384bf718f43cd885975583f6e9931ff2345f9a40d2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33014538eb29200c19acf3fbec4ed4a7
SHA1 03c8e5d0d82f8405f3c536c7392e326dece884ec
SHA256 16270d0d4c7772c52d7567e96f71e963e4599c8c7cce7ed74a22318b95bab5fb
SHA512 22041405916b060977e614d0ae7b6080be21805342ff69002098653f39f710bad98b2fcd7fe68f1c018f2ce7a3f93810ddac77d065c6bdada5da36fce98073fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e8c938541085578cc33c3d36dda6b8c
SHA1 3ac44421085e07698c07abffb9fc03a64f6a05e3
SHA256 ac11d444cc5b608d7165eb3da938ea95a137705704cace7435133bbc08190d69
SHA512 eb0c0c32b3b59bdda9db7f372cb931685b7ea7b9d77a04f4a47ed195cb620cbc849852734cb5124858c2227cf9843af983f0c85ae2bc111d80897d9c366f8454

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26ada5eb8ee26afe4ab283d274b52db2
SHA1 fa057cd61a74820f419a6c2464a23217cb8aea8d
SHA256 45bad966308e1060cc616506ce1e359206484936020a458042b39d344b4a7aca
SHA512 8d0f872be50cffdb3750d7e2892c5273c888691d4fd0c1fe55bccee6a88c99670b30bd1014d53517526f0075436e42bc8405423437380d0bf0167015e81f59d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2968c8f913331c6b16672ebad32c1c13
SHA1 5189087075c91c2d0d59202b15c04084d30444aa
SHA256 35a163a1295c85062308e1df8afef2b971dcb529350bc1a2366d5d94206c45f5
SHA512 b6c3798360b28b5e687f3526b7fc2e4da674b1b787175cd58b759fd7e517beaa986f02c85905b0b88e6f2c9313321b714e59b4d767bd89886bc265fe0399412f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 715b09168e384d957b0004636c39f5e4
SHA1 653f9b2e34baefa9cb0b2fe9130a8ca904b3e6d4
SHA256 7907a88f6f9a19730e694ca12169a5cdaa036a22d7d76d959045ee967166f46f
SHA512 92120f07300ca80792f4941454c670ad17c6d6480141247e75a8f9cc615fcf3c0f14114b528e4b160033e6ad36a1da610a8169f13208066761a56a5757288b6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d68028782f4a458c7d1b6dbaee4364e
SHA1 bba4a96d975db88ebfcb9077bfb6191eee79dfdd
SHA256 a5466ac203ad031b7a91c758bd39bde2018e3cc915a2884c2f3f70644d5a2c4d
SHA512 465ca7c084a5de4b0278e5978092a8dab4b9d7c817c9e742d49a21b1fb873e2ac9b6039af50aaff664a73dfa2467112ce2120362ed33a05155ee30f585443ee8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dee4c559888033c5363a6f92fe74a803
SHA1 b929c0d7850aec2dc0e92e1164d8a72b09370ddf
SHA256 9f5ad16b3ac2481ab17f0cc2a9d628b564fcd38d3d040d072ea1953ba4c91c18
SHA512 77a979583c3e8ade2ca6e7ac351d5c704ad98962a57ea073853673c84456eb8177cf7cad07c4b6935782ee03bf0aa5ce9632cfda060a2859ceeb0e9d51d34979

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ca1d09a06668a29c912c105b08229e4
SHA1 7152cc00a2ee6d8c08ee48d44a80a03e98cb0518
SHA256 3b7572d80fb35898fd680dc48527c98d59d3cab19eecfe76dd1f0a7d267527c0
SHA512 37271296015e8f476b5504f74825dac371d6d2a445ed0626a50ca0fd4c30190030219a1fd85c69c7154cb74a6654b4a15fd037286d6a61d8ab33d89fde520b02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 265b505d51e274fd8a010e75f3ca937b
SHA1 640caa1758302b2e67e3fdda7d39987dd0214db5
SHA256 cac3bc8412d914cd0bba7e7655cd4b2bb0c16ab368968097fe23568699a2b910
SHA512 81c15bad56b61f96aec91bf00c39518d6d4cb7bec37e8828b6b6ac2c9dc40c9bd919279bda8e6dbf6fa46b6c5a5b9df336ee42d3cdc4948dae1e1defa961c884

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64dcfa64e0a69ab7c3b258f9e83fba54
SHA1 d83b17f183fd75dd209fe4ca5b5f00a4a277e105
SHA256 843e4f6a26d4bdf0ddf74e6ec780a3b0d6528e88e224e5a86c2a100b4782d365
SHA512 2fc2bf8f88c5da4fd272dfdb80fa27777dacbbb9941e5ce4316d6dfdc8d77781b56a7888c382e974e2eb6e3f58b943f9ae1209db2fdb3a710e9d1217f6253ef9

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 16:31

Reported

2024-05-31 16:32

Platform

win10v2004-20240426-en

Max time kernel

4s

Max time network

37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Wave.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Wave.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Wave.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Wave.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1344 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 1344 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 1344 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 1344 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\intodll\agentSaves.exe
PID 1344 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\intodll\agentSaves.exe
PID 1248 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 1248 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 1248 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 1248 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 1248 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Users\Admin\AppData\Local\Temp\Electron.exe
PID 2124 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Windows\SysWOW64\WScript.exe
PID 2124 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Windows\SysWOW64\WScript.exe
PID 2124 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Windows\SysWOW64\WScript.exe
PID 5052 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Windows\SysWOW64\WScript.exe
PID 5052 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Windows\SysWOW64\WScript.exe
PID 5052 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Windows\SysWOW64\WScript.exe
PID 2228 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\intodll\agentSaves.exe
PID 2228 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\intodll\agentSaves.exe
PID 2228 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\intodll\agentSaves.exe
PID 2228 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Windows\System32\Conhost.exe
PID 2228 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\Electron.exe C:\Windows\System32\Conhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\intodll\upfc.exe'" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\intodll\upfc.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\intodll\upfc.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Searches\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Searches\Idle.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\Idle.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bxb1a8eWE.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

Distinct process / command line pairs in this listing (each pair recurs many times):

Process Command Line
C:\Users\Admin\AppData\Local\Temp\Electron.exe "C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\intodll\agentSaves.exe "C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\Conhost.exe \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Local\Temp\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\Electron.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp

Files

memory/1344-1-0x00007FF90B123000-0x00007FF90B125000-memory.dmp

memory/1344-0-0x0000000000AA0000-0x0000000000AB8000-memory.dmp

memory/1344-2-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Wave.exe

MD5 685ff3fd7d167e37b45bda7c65fe191e
SHA1 b01fd735f75f2ac70fe78c30488cc19c0730378a
SHA256 b93a75b91fc959841d58f93830d4759f52e48ad15c16af9a18dd4d015623427f
SHA512 ae1389e64b5bf4ca6ced8a6ac1e17878684cd84ca8f342d8b3d2880129397d330838761c28e14327784fa627cedd1145036840af38dfe113e28208673d40a8b2

memory/1344-12-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Electron.exe.log

MD5 66a0a4aa01208ed3d53a5e131a8d030a
SHA1 ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1
SHA256 f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8
SHA512 626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

memory/1248-13-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp

memory/1248-15-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp

memory/1248-24-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp

C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe

MD5 f1f4878ad9b863a501dc67c5abf778d8
SHA1 4e4bc06616ac50f2a213cb110db76a48726d1f8d
SHA256 05293f26bbcaf3bcc4047490be599c8e3663cf06be1422651ea2a42291cf6218
SHA512 a84fcfa4947c52531a9ae500e81ef69bed6fabb714190e9328e328bec23ca9b30c562d565aaccd3085ca086ae0814802ed54634c51bccbc6d5b84d3c8a75fb2c

C:\intodll\SNnEeg5Q2Cv9CjuPi.bat

MD5 3bcbf28bfcd7d6834260c1bfe587f748
SHA1 5903cf4f9af2c0fb7758d610cf55fca400681f31
SHA256 2c3da80e897eeac43a7af3256ff0d7ace9f47409eb807d3ea927386a18bb50b0
SHA512 1f3c27dfe1c4207a8e504e1e9fe05a00e411bf9391725d9606b189135d52896c6116d514ff339f1f825a27c283b19103725d8ada7ec3bd7337dd8ab8d1d004c4

C:\intodll\agentSaves.exe

MD5 8ee83bf5811c7d6dfc440def46698e1b
SHA1 ba308e644aa6da9c49b30cde55250bd21b46311d
SHA256 0829cf36a0c20e61d3b17d7567285d8c781956f11bcf5dfdf01bf7eec55639ee
SHA512 3b85bb9588e00962a3c6b7943682ea854dd07eb147328613a76ee12495182f293f8c9ca4e893a35998257308404d312dddeff5a2eb233f76d7360f86c0d9c61b

memory/2316-39-0x0000000000C10000-0x0000000000CE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5bxb1a8eWE.bat

MD5 e908357382a43049d50c6af3a2da45a4
SHA1 c67cb397e5c6f4001104e06549dac48570394cbb
SHA256 21aeaf625449f7c64a4f1f84cde49775c88a7b9122031bfcd680dcf2c7664883
SHA512 418431430b431316dc0fc4f3387bb6c98962d92e92beef0f3e7c135407c794a2be5589cdf46131e11fdcbf01c8be04bea206958edeb646e39147dbe9adf4ae78

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\agentSaves.exe.log

MD5 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1 d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125