remcos | eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34

Analysis

max time kernel
7s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
Size

368KB
MD5

3b6f01867a856980aebf4bfefd580b05
SHA1

aabfde9fa7910ff59d6a2fd4de8f2280e4554695
SHA256

eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34
SHA512

df27c242f07c2ba0c8b2f526a189b3ba9fea78c75aa63da57f982c5d6a55ba73ba2e934f9f0ccbff68c9cb2795810f2d5f6b9f4bd6b87da4007f592512df77f7
SSDEEP

3072:tRFhJsebNVlW1NWgxLJOp6iJRejPoQKvHIbuduaqyuhjDxSIVbOfprMIYsMMgC6U:tRF3VoweHW0u8TDB4ty3huYu

Score

10^/10

remcos talentino discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

Talentino

185.140.53.140:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-KG5D4I
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	nas0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	nas0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	nas0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 24 IoCs

pid	Process
2448	nas0.exe
5248	nas0.exe
4776	remcos.exe
4284	nas0.exe
5280	remcos.exe
4732	nas0.exe
3504	nas0.exe
5552	remcos.exe
1416	nas0.exe
1456	nas0.exe
5904	remcos.exe
876	nas0.exe
1812	nas0.exe
2416	remcos.exe
3480	nas0.exe
836	nas0.exe
2596	remcos.exe
5020	remcos.exe
5036	nas0.exe
1316	nas0.exe
60	nas0.exe
5332	remcos.exe
1400	nas0.exe
5648	nas0.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\men0 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nas0.vbs\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\men0 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nas0.vbs\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\men0 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nas0.vbs\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\men0 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nas0.vbs\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\men0 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nas0.vbs\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\men0 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nas0.vbs\""	nas0.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	nas0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	nas0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	nas0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	nas0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 876 set thread context of 3248	876	nas0.exe	122

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	iexplore.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4EF04527-0C10-11F0-8310-52A34E82BBE0} = "0"	IEXPLORE.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	nas0.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	nas0.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	nas0.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
5932	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
5932	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
5108	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
5108	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
2448	nas0.exe
2448	nas0.exe
5248	nas0.exe
5248	nas0.exe
4776	remcos.exe
4776	remcos.exe
4284	nas0.exe
4284	nas0.exe
5280	remcos.exe
5280	remcos.exe
4732	nas0.exe
4732	nas0.exe
3504	nas0.exe
3504	nas0.exe
5552	remcos.exe
5552	remcos.exe
1416	nas0.exe
1416	nas0.exe
1456	nas0.exe
1456	nas0.exe
5904	remcos.exe
5904	remcos.exe
876	nas0.exe
876	nas0.exe
3248	iexplore.exe
3248	iexplore.exe
2416	remcos.exe
1812	nas0.exe
2416	remcos.exe
1812	nas0.exe
3480	nas0.exe
3480	nas0.exe
5036	nas0.exe
5020	remcos.exe
5036	nas0.exe
5020	remcos.exe
836	nas0.exe
836	nas0.exe
2596	remcos.exe
2596	remcos.exe
1316	nas0.exe
1316	nas0.exe
60	nas0.exe
5332	remcos.exe
60	nas0.exe
5332	remcos.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
5932	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
5932	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
5108	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
5108	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
2448	nas0.exe
2448	nas0.exe
5248	nas0.exe
5248	nas0.exe
4776	remcos.exe
4776	remcos.exe
4284	nas0.exe
4284	nas0.exe
5280	remcos.exe
5280	remcos.exe
4732	nas0.exe
4732	nas0.exe
3504	nas0.exe
3504	nas0.exe
5552	remcos.exe
5552	remcos.exe
1416	nas0.exe
1416	nas0.exe
1456	nas0.exe
1456	nas0.exe
5904	remcos.exe
5904	remcos.exe
876	nas0.exe
876	nas0.exe
3248	iexplore.exe
3248	iexplore.exe
2416	remcos.exe
1812	nas0.exe
2416	remcos.exe
1812	nas0.exe
3480	nas0.exe
3480	nas0.exe
5036	nas0.exe
5036	nas0.exe
5020	remcos.exe
5020	remcos.exe
836	nas0.exe
836	nas0.exe
2596	remcos.exe
2596	remcos.exe
1316	nas0.exe
1316	nas0.exe
60	nas0.exe
5332	remcos.exe
60	nas0.exe
5332	remcos.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
5932	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
5108	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
2448	nas0.exe
5248	nas0.exe
4776	remcos.exe
4284	nas0.exe
5280	remcos.exe
4732	nas0.exe
3504	nas0.exe
5552	remcos.exe
1416	nas0.exe
1456	nas0.exe
5904	remcos.exe
876	nas0.exe
3248	iexplore.exe
1812	nas0.exe
2416	remcos.exe
3480	nas0.exe
5036	nas0.exe
5020	remcos.exe
836	nas0.exe
2596	remcos.exe
5972	IEXPLORE.EXE
5972	IEXPLORE.EXE
1316	nas0.exe
60	nas0.exe
5332	remcos.exe
836	nas0.exe
1400	nas0.exe
5648	nas0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5932 wrote to memory of 5108	5932	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe	86
PID 5932 wrote to memory of 5108	5932	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe	86
PID 5932 wrote to memory of 5108	5932	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe	86
PID 5108 wrote to memory of 2448	5108	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe	89
PID 5108 wrote to memory of 2448	5108	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe	89
PID 5108 wrote to memory of 2448	5108	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe	89
PID 2448 wrote to memory of 5248	2448	nas0.exe	90
PID 2448 wrote to memory of 5248	2448	nas0.exe	90
PID 2448 wrote to memory of 5248	2448	nas0.exe	90
PID 4824 wrote to memory of 4592	4824	cmd.exe	95
PID 4824 wrote to memory of 4592	4824	cmd.exe	95
PID 5248 wrote to memory of 4764	5248	nas0.exe	96
PID 5248 wrote to memory of 4764	5248	nas0.exe	96
PID 5248 wrote to memory of 4764	5248	nas0.exe	96
PID 4168 wrote to memory of 4776	4168	cmd.exe	97
PID 4168 wrote to memory of 4776	4168	cmd.exe	97
PID 4168 wrote to memory of 4776	4168	cmd.exe	97
PID 4592 wrote to memory of 4284	4592	wscript.exe	98
PID 4592 wrote to memory of 4284	4592	wscript.exe	98
PID 4592 wrote to memory of 4284	4592	wscript.exe	98
PID 4776 wrote to memory of 5280	4776	remcos.exe	99
PID 4776 wrote to memory of 5280	4776	remcos.exe	99
PID 4776 wrote to memory of 5280	4776	remcos.exe	99
PID 4284 wrote to memory of 4732	4284	nas0.exe	101
PID 4284 wrote to memory of 4732	4284	nas0.exe	101
PID 4284 wrote to memory of 4732	4284	nas0.exe	101
PID 5280 wrote to memory of 3504	5280	remcos.exe	106
PID 5280 wrote to memory of 3504	5280	remcos.exe	106
PID 5280 wrote to memory of 3504	5280	remcos.exe	106
PID 4732 wrote to memory of 5956	4732	nas0.exe	215
PID 4732 wrote to memory of 5956	4732	nas0.exe	215
PID 4732 wrote to memory of 5956	4732	nas0.exe	215
PID 4876 wrote to memory of 2440	4876	cmd.exe	265
PID 4876 wrote to memory of 2440	4876	cmd.exe	265
PID 5556 wrote to memory of 5552	5556	cmd.exe	109
PID 5556 wrote to memory of 5552	5556	cmd.exe	109
PID 5556 wrote to memory of 5552	5556	cmd.exe	109
PID 2440 wrote to memory of 1416	2440	wscript.exe	309
PID 2440 wrote to memory of 1416	2440	wscript.exe	309
PID 2440 wrote to memory of 1416	2440	wscript.exe	309
PID 3504 wrote to memory of 1456	3504	nas0.exe	111
PID 3504 wrote to memory of 1456	3504	nas0.exe	111
PID 3504 wrote to memory of 1456	3504	nas0.exe	111
PID 5552 wrote to memory of 5904	5552	remcos.exe	114
PID 5552 wrote to memory of 5904	5552	remcos.exe	114
PID 5552 wrote to memory of 5904	5552	remcos.exe	114
PID 1416 wrote to memory of 876	1416	nas0.exe	115
PID 1416 wrote to memory of 876	1416	nas0.exe	115
PID 1416 wrote to memory of 876	1416	nas0.exe	115
PID 1456 wrote to memory of 3740	1456	nas0.exe	213
PID 1456 wrote to memory of 3740	1456	nas0.exe	213
PID 1456 wrote to memory of 3740	1456	nas0.exe	213
PID 876 wrote to memory of 3248	876	nas0.exe	122
PID 876 wrote to memory of 3248	876	nas0.exe	122
PID 876 wrote to memory of 3248	876	nas0.exe	122
PID 876 wrote to memory of 3248	876	nas0.exe	122
PID 876 wrote to memory of 3248	876	nas0.exe	122
PID 876 wrote to memory of 3248	876	nas0.exe	122
PID 876 wrote to memory of 3248	876	nas0.exe	122
PID 876 wrote to memory of 3248	876	nas0.exe	122
PID 5904 wrote to memory of 1812	5904	remcos.exe	125
PID 5904 wrote to memory of 1812	5904	remcos.exe	125
PID 5904 wrote to memory of 1812	5904	remcos.exe	125
PID 1912 wrote to memory of 2416	1912	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
"C:\Users\Admin\AppData\Local\Temp\eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5932
- C:\Users\Admin\AppData\Local\Temp\eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
  "C:\Users\Admin\AppData\Local\Temp\eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5248
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5280
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3248
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5972
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5972 CREDAT:17410 /prefetch:2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5556
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5552
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5904
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1812
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2256
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  - Checks computer location settings
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2416
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1400
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2992
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  - Checks computer location settings
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:1320
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5020
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5332
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4500
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4392
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  - Checks computer location settings
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5648
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5640
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4784
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3628
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:6096
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:1504
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3488
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:6124
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:1192
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5396
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3236
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5980
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5272
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1100
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4380
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4584
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5848
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5036
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5612
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3996
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5792
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:6140
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5956
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5420
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2624
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3268
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:6096
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3532
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3300
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5676
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4420
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:680
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4836
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3664
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:428
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4984
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4844
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3440
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5520
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4876
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3476
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5524
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2440
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5460
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4300
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2256
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5968
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3576
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5932
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:704
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4500
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5540
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3504
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:1416
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4464
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:6128
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4968
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:668
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5408
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3144
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5840
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:1480
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:1640
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3576
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3832
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:1544
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:388
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5648
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4500
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5336
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4764
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5868
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3920
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5980
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5408
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5744
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5608
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:936
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5324
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5760
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5848
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5476
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:864
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2056
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3956
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:6064
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5520
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4104
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2932
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5212
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5404
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3476
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5028
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4380
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5728
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4056
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5652
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:1196
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4428
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3956
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5348
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:1192
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3468
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5244
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5960
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3488
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5664
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4772
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5428
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4656
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3276
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4948
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3248
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2376
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4516
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:64
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:864
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:620
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3996
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:552
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3264
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5552
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4300
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5180
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:1892
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:6092
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4996
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:6072
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5052
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5056
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:8
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4044
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:1544
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5384
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4516
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4500
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4928
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:620
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4796
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:436
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3324
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4088
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:368
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3300
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:464
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5496
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4536
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5920
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5172
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:1604
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2884
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I11VJ0E7\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
538B

MD5
2c58c0b42c48de7ec75fae83d2125d63

SHA1
7bf3164d61b9eee6897a1393d52857fdbbaca9d3

SHA256
5f1251f6c291cc5613503102a9637bf7d10d7df5d4e3c032f536fd4ee4566a90

SHA512
37829161073e6e96e335863f98904d69bff0c477e2fabe7d2c24d53a4c9e619568619cf1ab9b6b50e6ac8f40390b8cf7447f15ebea3946e859e280d08667dde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nas0.exe

Filesize
368KB

MD5
55d309908ea8c683ae94e9c2a9c03df3

SHA1
ff990b1d1c5c1cb679dcc3d7a4217022def7c7a1

SHA256
fda4908eb13f6539b8c4eb000792de7f2cc6069c1edd7d68fdd39d41587792ad

SHA512
a45c32791980ead77f8cf1dce5a489d1f74309183eafb59305e050e2f9fb0ecd0f7ff82dae9370790348354ae3fc3ae6f4d7f4cd28633183a74908f5262d3634

Download Submit
C:\Users\Admin\AppData\Local\Temp\nas0.vbs

Filesize
93B

MD5
618ef975c35e622ebfa6ca4e11e6090f

SHA1
ede57936f2370771b54d0525761ac3d9d49d61c7

SHA256
1d626388ccbd2a2d69804bc81ef35af9e116e0100554e1771384ee7c3c3b13c9

SHA512
a394ca1784b6c572bb19ea1ffdce39b749d16b9ca16c129ebb5ee40fef08fdb0c8342b6a28a3ab06c2cdb710b68d8c624f80ffc7db060019fee6f62ee6dc7d6f

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
68B

MD5
c618af53ce2b2df7ca4d3b88e03f15d1

SHA1
b329d2f046d812135f373864c61dfa6d4b7eeb35

SHA256
288bf42ba253f7b70180b553b787d52a90edece36a02d47cb47111f16c86e9dc

SHA512
7779058b3a82cb7834051a443039ab4a61eddf2836bfba119c3dab0323a1acc7a8d8d4f4e9a807b20af84a0037d65b433e4f9052f42a4616597207078ef1d54d

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/60-190-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/60-186-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/680-276-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/680-274-0x0000000002060000-0x0000000002065000-memory.dmp

Filesize
20KB

Download
memory/680-272-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/836-166-0x0000000002040000-0x0000000002045000-memory.dmp

Filesize
20KB

Download
memory/836-164-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/876-113-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/876-120-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/876-115-0x0000000000630000-0x0000000000635000-memory.dmp

Filesize
20KB

Download
memory/1316-175-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1316-171-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1316-173-0x0000000002170000-0x0000000002175000-memory.dmp

Filesize
20KB

Download
memory/1456-103-0x0000000001FE0000-0x0000000001FE5000-memory.dmp

Filesize
20KB

Download
memory/1456-110-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1456-101-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2320-229-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2320-231-0x0000000000720000-0x0000000000725000-memory.dmp

Filesize
20KB

Download
memory/2320-234-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2968-223-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2968-219-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2968-221-0x00000000027B0000-0x00000000027B5000-memory.dmp

Filesize
20KB

Download
memory/3248-117-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4440-241-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4440-243-0x00000000020D0000-0x00000000020D5000-memory.dmp

Filesize
20KB

Download
memory/4440-246-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4732-66-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4732-76-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4732-68-0x0000000000540000-0x0000000000545000-memory.dmp

Filesize
20KB

Download
memory/4776-237-0x0000000000730000-0x0000000000735000-memory.dmp

Filesize
20KB

Download
memory/4776-239-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4776-235-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5108-13-0x0000000000730000-0x0000000000735000-memory.dmp

Filesize
20KB

Download
memory/5248-41-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5248-33-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5248-35-0x0000000002130000-0x0000000002135000-memory.dmp

Filesize
20KB

Download
memory/5568-251-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5568-247-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5932-2-0x0000000002380000-0x0000000002385000-memory.dmp

Filesize
20KB

Download
memory/5932-10-0x0000000002380000-0x0000000002385000-memory.dmp

Filesize
20KB

Download
memory/5932-5-0x0000000076F91000-0x00000000770B1000-memory.dmp

Filesize
1.1MB

Download
memory/5932-4-0x0000000076F91000-0x00000000770B1000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads