Analysis Overview
SHA256
e8f1e825cd1da794257a8f1f38f291835b31d45ded1cace17953b4a4f3bbf040
Threat Level: Known bad
The file Electron.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
Process spawned unexpected child process
DCRat payload
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Modifies system certificate store
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 16:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 16:31
Reported
2024-05-31 16:33
Platform
win7-20240215-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/3004-0-0x000007FEF4E63000-0x000007FEF4E64000-memory.dmp
memory/3004-1-0x0000000000170000-0x0000000000188000-memory.dmp
memory/3004-2-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar1D29.tmp
memory/3004-120-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f6fbb6fe5ea4ce84e38b31b9bc1bf3a0 |
| SHA1 | aab43b30ae6832dab48d12d487b6281c09d748fb |
| SHA256 | 06369dc19031f4e88ffe00135509224199956995b8ffbdf016b64e10f0dc8334 |
| SHA512 | d756e824701d95c13184ccc04ecf9aa17f9a4b46f51863c4c66894248eab293f69d80690f35306cfcc8efa926a295d5e8320676181a12fe1b1fa1c810d294533 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eab8e8a8cfb6acc363e7368aaaa7a070 |
| SHA1 | b1c6ae5243d692771338d033dcffa70c614906ef |
| SHA256 | d0212d248ff28b41b2ecb1a9122ca2549e69babf2230c910de774a9ca6229a89 |
| SHA512 | a3b267e029d379d3186847372cf7eafe7831384bfd02f28013103ff0133e3efa2bbe15b83cc4db57d1de4a7e387224753ce0a28d1a76ccac7254cd9441a86463 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5ddccbaa244422308e3df4169035cab6 |
| SHA1 | e3819ca025f4ca647987ca1b92d640f5b5039a3f |
| SHA256 | 97873e39f3cefdd1fba4335bc22bd552bcc5cfe88ef6d092bb66ab95756f4dd8 |
| SHA512 | 1da64ab72f75e6ca4f9ed73da45a67eeb428575dd22b0387f0c444e51faf4b9f55f1e1f6c452b8df20a203f7e425eaefb36817c6c238fd77f8577012b1d5657c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2482a3ac9f316cc8950fef51336fe9f5 |
| SHA1 | 123f16777a60512d72a4a13f9ae7b494fb85afe3 |
| SHA256 | 013b3cf8635ad260c31004044ae41457bbf681c19d6361baa599e1890a476b04 |
| SHA512 | a93f522c802877ebaf9735329c0581dcedb47dc4d80b725e2350830d188105b9a0db3f0ee957003f55104d4b469555354f1592fd7fe809dbfa0ddf8fac05c690 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a1c209ab65d1a074dfc02dbe5a4683cb |
| SHA1 | 55f40929a5eee61fd4b23bd470a64a89178c76e6 |
| SHA256 | b352cc92d0d21daf7bde5a3b2271c851c08a78b3f426a890e117beb214ec39cb |
| SHA512 | f3a872fcce97df23bac12683537de46866a9e5774564fcfb4e25b8d12045d858ef796b953a0076ab15dfb9793c0812ad6ec228e3660f35eede417359d06d8982 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ef92ad30724b8ba845f8f9e8579521f9 |
| SHA1 | 733a3ec85a2854280d03af72f742cbee6e2578f2 |
| SHA256 | bf67f00d10da50853f02dbaf04e415531b183c6e2ea342401bef895a1b68c080 |
| SHA512 | 09b24250d1dc36d5e853d577c21009f7e3b793889496a76b31bb019bf3fe4aa2fe5b1641398de201fd2a498fcca4fd324fa4df4af8c55ed155f007aaaa72a5a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ccceb156d85d75156f5e4fbb39c74822 |
| SHA1 | b62399d226050251559d39686cf05ca0dce8a12e |
| SHA256 | 57e03d31a33eb1322a3f8becf0ca1d66e9760e6cc14ef2f3081a135a310bf081 |
| SHA512 | 4fb954cd8c7748bdab5b3c21250db69e8f8709920a3c3da6357419572ab5a76110b1df5ecec73c72b5aa5f1295a8a5cb44806ef0c3519aadf655c932921aa044 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b5fa4c25ed5696cb4d520d221d3f6e07 |
| SHA1 | d75823f7e1bb19311dc6ff0fa00713a82be22902 |
| SHA256 | 569cc29b60bc93c7c4600f2a85aab809d90e940012e22f8b3c5f07d9c511e2ef |
| SHA512 | b28fe76e9266faad20d708a36048cd7739199da7349453d5f4b873ea64d3bf4a9ee7c28b2e071e0c48963bcebb88fdb6e2cf1ba4ac8ba63da7c6b6156213dae6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ef8ec28d90435a7a858ab612b34f995d |
| SHA1 | a1e3df77bd96dcece8ec39c540703a0b29b98415 |
| SHA256 | d1491ced1e65f50a457800e7830efbb8c6557afaf7bd800baeaf67d582d3f79a |
| SHA512 | 9c69e8c9a4c5fa48524e86134f296ffa85d74ce7569fedf0446929ee2a609f84119baa7b0f3bd59f8c0fda48f910730942dbef4d820a55cb3dd2c74ff31c7408 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0b430b798152ee7e72676b031816af18 |
| SHA1 | a570c4c65bf25a1aa116fe14ecc2743128652a46 |
| SHA256 | d757bc1f82fce89326f66729c3f8c2d5dfe25134fc146d14f7c4fcf7665716dd |
| SHA512 | 121b9ed79f2d02e33f28120bb1886b036e89426dc05ffbf07b99c8009ca006cfc5df1725af3230af4f508863fdaddc714018ca74c862e0f2447e7b08dd2e5347 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1fcf5655f11f0c29e39f2a18cb774e0b |
| SHA1 | 068e13813697b11a39bb4d2b1f5dfa3dec361955 |
| SHA256 | 843768d0a826edde08f859f7dfa493ef1c573c9e1a491f1df40c08cb98db3ca0 |
| SHA512 | 074141381a0e957497d1b5b4c92164748da43bb72c326fc295f8a54109ecf74cebc88fe37bdb4f0e8582281654fdd16ddf963cc42290d1533b9d4b257f77e360 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 04a547b6964b5f16961e45bb23f002de |
| SHA1 | e99fd018e841599b449b82ff157691caa03ddcda |
| SHA256 | cd565d97f22d86427dd78e7de766e3fdc0bedb2f652509f9e0f1847c9e979f36 |
| SHA512 | 977a8e7fbf630bbcc0c3e4711fbd239f43f2fdc11f1320f812f8efaa59b7c89ba2bc6b68b282b0909ad4478c7aa89b8a236d9bf7de5f70250101b6433b3aa066 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a4b662aa3d4b8fef9bc6a0b8fddac42b |
| SHA1 | 7434bad3972299732b5f3efac41c5efb4543bcad |
| SHA256 | 5e34324fc41ead2d486e64cb6eb20e238f7f99a6b02ed5b4a705b468c75a5cc0 |
| SHA512 | df14561e13d602cb43abad6b72b9f776f79e5b4b4cff376164c47e6494c9b2a7bd610647bffc06953ed7e059873e12e075e7ae94194830dfaa9a007ab3596dbd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c44326210950720272f286aec755ae98 |
| SHA1 | d09411dc9b94199cce72b8457fffcdc80f9e8f19 |
| SHA256 | 801cb6774b95ff97a5e8a8080cad5e33ab0972b87860213aca1f0d31f67d5aba |
| SHA512 | 92c322aa052d193dd5ab4b18ac1895d309b70036e8ad74b50deeec28e5c65eacaf6848fe1dc3685723bd9a935670e0f20ccf31e345dc9d10e2f1a9c93f87b84a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ce014b1dac48a35a068d88ce83a1240e |
| SHA1 | fb0a7c5b9f835dc7694b7294d1893b7566dbb84e |
| SHA256 | 44e36ea224ecd8a32bb0f7a8f3631b88548a83225976a0201a312d42eaf7191f |
| SHA512 | 0e2f7d78d32a8e7e0576963b20967c4960e3907c383e00e5000d73ed20662a0199ac1ba07bad9235dad170ed29f4f2cf1ef9fb54c21d6cfa36074fda5458a509 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c8f1b409433be7acb1a63f30c98edce7 |
| SHA1 | c12190ee586f406fbcb06f9edcbd910986c1a10c |
| SHA256 | 0b63d6f06cfe1c2e48d7675b00160329c84c70f996a244dba0689534a5b73584 |
| SHA512 | b4054258033934014a4e11630e7c63915045cecef2e305eb5c3a02c6eaef89e1fc8e70cf07f05440e692632461cdbfc8a0d8b944aef2d117075684bafa29d015 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0be71e12d49b6a541af6f5b2af0e2e0e |
| SHA1 | 3b40f4928e54e32d316b970fca1a4d8a5475c6dc |
| SHA256 | d20db2ae48e272d17e0c742ff38bcae52d11533dbf3d8a0008094ccae72b1e45 |
| SHA512 | db8cd6589b8b7d90a74c157bea3bdeef8db79e4138d6a15effd8a63af8354bf221e470f54924dceb7bb2f388c1a6efc71a1b2ca9f5fe3a32889c9f74341d2689 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ed6ccf8af4484851ae5425868d9f009b |
| SHA1 | 8acd39311b3bc8438b2072603b56f2c4e2c6ddb5 |
| SHA256 | 3a975b8c4cb6c68513c3b17d2bd55bd8b5c0b981924305191dca5d39ed045464 |
| SHA512 | 1046a6058021801cba5d718e240de81171fb222ea4be5028061f621a32e5257d81071fc52866549a899b1932314dc6d499a06ad476936e2b128b9de9472b6cb3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 544aaf6028d502e36f3ec5b4d139aff9 |
| SHA1 | f868632e18e13d78106a6a2a5424d105fcc66696 |
| SHA256 | 04d3eff7861d7b78021c2abf192f170429d36e5658967e0a80d36b24595b7e60 |
| SHA512 | 38cdfc8d1547e5cf171c6a56a8c8f8785a6b6d662ab872376442ee82a890acfb80c287503d325b0ce829dab185c8bfb6ca936b6e66421be0de0cefc253d44b48 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 50d56e795ae43d60d12a6f85b5814b09 |
| SHA1 | 6221e2dda8bb0bd3895572eb36d0574a2b37759d |
| SHA256 | 9fff0f4ca0b53de5fcec9fbf5b7ae80db6511de4833261d732c8b19b534ab507 |
| SHA512 | a81b555ac36a2d58d1229493853e7382e2e4286725d847469c4601fbac427b292f4269683b9bafbf8de26de9a53924239bc1c66ebe0d9098148f69cff607a19d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b391ac04aedabbe0cfa6511ce2636e40 |
| SHA1 | 68b8639124e0055428a206a3b7e6626044dc0cd1 |
| SHA256 | 5f6de3f28316a2c885bc1c65ffbcd297b7a3fc9687dbf36796c11766d1b59488 |
| SHA512 | d94d30a46fb5d6df67f11c0beec02aab187a943c635daaa3ffb646b608e4f04b38650bc0dab7cc44358d383d0e7a4b0ba78d75bee42da1ffb38a99d6f3848dd3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c7731ceafcd9663a92ce79c5ab157abf |
| SHA1 | 9c37908639777b8cbe18679a229164b3f06ed4f6 |
| SHA256 | 4fb8a3453e29983b96d0964416953017ffafd89d476e5dc6ac4509b5dbb2a7df |
| SHA512 | e3ca623ab3c085340a8e98a20de20bca1ace27f6543e61e576beef8a86f12aa5a21a86450d594dc413f1440833246a0a747489f6fd9ad647c087e5c65470b8e7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 609da5e15f95e98b640fbce2aafb9b68 |
| SHA1 | 21c5637239140b91a348d154c2a3f1fffeea4d16 |
| SHA256 | c908d980e782cf63e638dd74f6e8f8459e37706bb56f832b1aaf3fcb59d9dbfe |
| SHA512 | a5ba8b92af25e77e76057e5f45dfe68c4187f9d7cfa748884e03d672879e5c44f780913afa03e3306c554e02ab0ab8f54acc5e1d957b1a93e40f9186d05fc360 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 17b53df560a01123269333d103c6f276 |
| SHA1 | 0a0f82c3223aad5d221296fa52683698920b4ba4 |
| SHA256 | 0d585e37959186d33f35844aead29a7a4f7b87d574fa640c61dcfaea9c173747 |
| SHA512 | ccb3e013d2db8e0c2874d76d680714b84825f25eb648b4028b9e8a0f609fea5d9accecef8d2d93eabafe99f91761d924b7f90df64dfdee38f646acf893d5de36 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7f1a59be49bc04c8d6c3939b63e072a6 |
| SHA1 | 6d35e3e7c885b9cd7d6a5368b903b7993515045a |
| SHA256 | ea1afa9f6de2ed494913b91f3082d2ec2e6a5f2ae8819e5db525cc895847f1b8 |
| SHA512 | f119b2a5b47708097237ad295e5a8f01e7f67ae87aa045b8c13f1b772eda65d973ee86db92477e2333f0b8feb63cbbcfcf04c672d59e8449ce55150be24d997f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5af30a1e3e8bbbbb84c3851bd7cbe62e |
| SHA1 | 72fd5cc25d1d0f3ac49dd241d7e474a8a6898162 |
| SHA256 | c4df4cae1f2d4682bb36afbfb4dd8afa003392bef6289ba1a410eb73d55f73a4 |
| SHA512 | c1ed3fbce1faa3d66d34ed8fb3da4f56cae4b99739e1e0b99809cfec757be1b17c9247794399e2de3251ce2306d5e7b6f1241d2407264eb2359bd1836d4cd61e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 16:31
Reported
2024-05-31 16:32
Platform
win10v2004-20240426-en
Max time kernel
4s
Max time network
37s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Wave.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Wave.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Wave.exe | N/A |
Modifies registry key
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Electron.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\intodll\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\intodll\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\intodll\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Searches\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Searches\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\Idle.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bxb1a8eWE.bat"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "
C:\intodll\agentSaves.exe
"C:\intodll\agentSaves.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Wave.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Electron.exe.log
C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe
C:\intodll\SNnEeg5Q2Cv9CjuPi.bat
C:\intodll\agentSaves.exe
C:\Users\Admin\AppData\Local\Temp\5bxb1a8eWE.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\agentSaves.exe.log