xmrig | 61660ffe382430717fccd0bc8b33e8e498665c72cf7b7f974fda9ec728ead713

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7v20210410
submitted
22-04-2021 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Agent WindowsR1.5.561.exe
Size

3.7MB
MD5

c01e9e0697a5fe89ea95010aef1ec9a0
SHA1

12c50eea01bfaf061bb1ed2daecdbe49bc1e2972
SHA256

61660ffe382430717fccd0bc8b33e8e498665c72cf7b7f974fda9ec728ead713
SHA512

58dcc3b5b5e60fdb2ce2407255f433ff4bc06827349f0c3b405750ab393a59061fcbef6735c8c287fef980ad57df4c2a439a2505ca0cc7fbb4115d971121353e

Score

10^/10

xmrig discovery evasion miner persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 10 IoCs

Processes:

agent windowsr1.5.561.exe agent windowsr1.5.561.tmpicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeAutoConvInstallPath.exeEMSAgentInstall.exeNNPOption.exe

pid	process
900	agent windowsr1.5.561.exe
1736	agent windowsr1.5.561.tmp
1784	icsys.icn.exe
1316	explorer.exe
1224	spoolsv.exe
932	svchost.exe
528	spoolsv.exe
1772	AutoConvInstallPath.exe
1608	EMSAgentInstall.exe
1992	NNPOption.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Loads dropped DLL 27 IoCs

Processes:

Agent WindowsR1.5.561.exeagent windowsr1.5.561.exe agent windowsr1.5.561.tmpicsys.icn.exeexplorer.exespoolsv.exesvchost.exeAutoConvInstallPath.exeEMSAgentInstall.exeNNPOption.exe

pid	process
484	Agent WindowsR1.5.561.exe
900	agent windowsr1.5.561.exe
484	Agent WindowsR1.5.561.exe
484	Agent WindowsR1.5.561.exe
1736	agent windowsr1.5.561.tmp
1736	agent windowsr1.5.561.tmp
1784	icsys.icn.exe
1784	icsys.icn.exe
1316	explorer.exe
1316	explorer.exe
1224	spoolsv.exe
1224	spoolsv.exe
932	svchost.exe
932	svchost.exe
1736	agent windowsr1.5.561.tmp
1736	agent windowsr1.5.561.tmp
1736	agent windowsr1.5.561.tmp
1772	AutoConvInstallPath.exe
1772	AutoConvInstallPath.exe
1772	AutoConvInstallPath.exe
1736	agent windowsr1.5.561.tmp
1608	EMSAgentInstall.exe
1608	EMSAgentInstall.exe
1608	EMSAgentInstall.exe
1736	agent windowsr1.5.561.tmp
1736	agent windowsr1.5.561.tmp
1992	NNPOption.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

agent windowsr1.5.561.tmpAutoConvInstallPath.exe

description	ioc	process
File opened for modification	C:\Program Files\NKIA\NNPAgent\MAgent\ManagerMonitorLabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\MAgent\AgentMonitorLabor.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\is-VVMA2.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\ChineseRc.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\is-F5LQ1.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\USBDetectorLabor.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-B39UR.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-SABA6.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\MAgent\OsLabor.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\is-FTAF3.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-6LMP8.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\is-C4ATC.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\PerfCounterCheck.exe	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\conf\MasterAgent.conf_tmp	AutoConvInstallPath.exe
File created	C:\Program Files\NKIA\NNPAgent\utils\AutoUpdate\is-QQN5Q.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\is-VNEB3.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-MRT5J.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-4C0HK.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\etc\is-CJ6TQ.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\is-U0CO7.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\SchedLabor.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-L3S3I.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\AutoUpdate\is-0RTDO.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\is-BQ0RC.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\RouteLabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\ClusterInfoLabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\AutoConvInstallPath.exe	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\MAgent\psapi.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\NetstatLabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\MAgent\ServerLabor.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\is-FSRT4.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\unins000.dat	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-K4S8N.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\MAgent\mfc42.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\NICLabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\SMSAgentRestart.exe	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\is-MGACV.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-QR7LV.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\AutoUpdate\is-7CHRN.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\is-E6I50.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\CacheLabor.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-8O4DE.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-FIHBG.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-MBS3K.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\aproc\inv\is-TOJ8T.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\aproc\temp\is-0OUTF.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\NNPOption\is-AK2UA.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\conf\is-2G18S.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-0QH8M.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\UserEventLabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\WEBLoggerCtl.exe	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\is-N2DON.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\MAgent\aproc\inv\is-V8GCV.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-0R8EN.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-CAJ2B.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\utils\etc\is-OEA30.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\othread2.dll	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-0O023.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\conf\is-NGP39.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\utils\AutoUpdate\NNPAutoUpdate.exe	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-8MNM1.tmp	agent windowsr1.5.561.tmp
File created	C:\Program Files\NKIA\NNPAgent\SMSAgent\is-285P6.tmp	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\ProcessLabor.dll	agent windowsr1.5.561.tmp
File opened for modification	C:\Program Files\NKIA\NNPAgent\SMSAgent\PageFileLabor.dll	agent windowsr1.5.561.tmp

Drops file in Windows directory 6 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
1784	icsys.icn.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
932	svchost.exe
1316	explorer.exe
932	svchost.exe
932	svchost.exe
1316	explorer.exe
1316	explorer.exe
932	svchost.exe
932	svchost.exe
1316	explorer.exe
1316	explorer.exe
932	svchost.exe
932	svchost.exe
1316	explorer.exe
1316	explorer.exe
932	svchost.exe
1316	explorer.exe
932	svchost.exe
932	svchost.exe
1316	explorer.exe
1316	explorer.exe
932	svchost.exe
932	svchost.exe
1316	explorer.exe
1316	explorer.exe
932	svchost.exe
1316	explorer.exe
932	svchost.exe
932	svchost.exe
1316	explorer.exe
1316	explorer.exe
932	svchost.exe
932	svchost.exe
1316	explorer.exe
932	svchost.exe
1316	explorer.exe
1316	explorer.exe
932	svchost.exe
1316	explorer.exe
932	svchost.exe
1316	explorer.exe
932	svchost.exe
1316	explorer.exe
932	svchost.exe
932	svchost.exe
1316	explorer.exe
932	svchost.exe
1316	explorer.exe
932	svchost.exe
1316	explorer.exe
1316	explorer.exe
932	svchost.exe
1316	explorer.exe
932	svchost.exe
1316	explorer.exe
932	svchost.exe
932	svchost.exe
1316	explorer.exe
1316	explorer.exe
932	svchost.exe
932	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exeexplorer.exe

pid process

932 svchost.exe
1316 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

agent windowsr1.5.561.tmp

pid process

1736 agent windowsr1.5.561.tmp

pid	process
932	svchost.exe
1316	explorer.exe

pid	process
1736	agent windowsr1.5.561.tmp

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

Agent WindowsR1.5.561.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeNNPOption.exe

pid	process
484	Agent WindowsR1.5.561.exe
484	Agent WindowsR1.5.561.exe
1784	icsys.icn.exe
1784	icsys.icn.exe
1316	explorer.exe
1316	explorer.exe
1224	spoolsv.exe
1224	spoolsv.exe
932	svchost.exe
932	svchost.exe
528	spoolsv.exe
528	spoolsv.exe
1316	explorer.exe
1316	explorer.exe
1992	NNPOption.exe
1992	NNPOption.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Agent WindowsR1.5.561.exeagent windowsr1.5.561.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exeagent windowsr1.5.561.tmp

description	pid	process	target process
PID 484 wrote to memory of 900	484	Agent WindowsR1.5.561.exe	agent windowsr1.5.561.exe
PID 484 wrote to memory of 900	484	Agent WindowsR1.5.561.exe	agent windowsr1.5.561.exe
PID 484 wrote to memory of 900	484	Agent WindowsR1.5.561.exe	agent windowsr1.5.561.exe
PID 484 wrote to memory of 900	484	Agent WindowsR1.5.561.exe	agent windowsr1.5.561.exe
PID 484 wrote to memory of 900	484	Agent WindowsR1.5.561.exe	agent windowsr1.5.561.exe
PID 484 wrote to memory of 900	484	Agent WindowsR1.5.561.exe	agent windowsr1.5.561.exe
PID 484 wrote to memory of 900	484	Agent WindowsR1.5.561.exe	agent windowsr1.5.561.exe
PID 900 wrote to memory of 1736	900	agent windowsr1.5.561.exe	agent windowsr1.5.561.tmp
PID 900 wrote to memory of 1736	900	agent windowsr1.5.561.exe	agent windowsr1.5.561.tmp
PID 900 wrote to memory of 1736	900	agent windowsr1.5.561.exe	agent windowsr1.5.561.tmp
PID 900 wrote to memory of 1736	900	agent windowsr1.5.561.exe	agent windowsr1.5.561.tmp
PID 900 wrote to memory of 1736	900	agent windowsr1.5.561.exe	agent windowsr1.5.561.tmp
PID 900 wrote to memory of 1736	900	agent windowsr1.5.561.exe	agent windowsr1.5.561.tmp
PID 900 wrote to memory of 1736	900	agent windowsr1.5.561.exe	agent windowsr1.5.561.tmp
PID 484 wrote to memory of 1784	484	Agent WindowsR1.5.561.exe	icsys.icn.exe
PID 484 wrote to memory of 1784	484	Agent WindowsR1.5.561.exe	icsys.icn.exe
PID 484 wrote to memory of 1784	484	Agent WindowsR1.5.561.exe	icsys.icn.exe
PID 484 wrote to memory of 1784	484	Agent WindowsR1.5.561.exe	icsys.icn.exe
PID 1784 wrote to memory of 1316	1784	icsys.icn.exe	explorer.exe
PID 1784 wrote to memory of 1316	1784	icsys.icn.exe	explorer.exe
PID 1784 wrote to memory of 1316	1784	icsys.icn.exe	explorer.exe
PID 1784 wrote to memory of 1316	1784	icsys.icn.exe	explorer.exe
PID 1316 wrote to memory of 1224	1316	explorer.exe	spoolsv.exe
PID 1316 wrote to memory of 1224	1316	explorer.exe	spoolsv.exe
PID 1316 wrote to memory of 1224	1316	explorer.exe	spoolsv.exe
PID 1316 wrote to memory of 1224	1316	explorer.exe	spoolsv.exe
PID 1224 wrote to memory of 932	1224	spoolsv.exe	svchost.exe
PID 1224 wrote to memory of 932	1224	spoolsv.exe	svchost.exe
PID 1224 wrote to memory of 932	1224	spoolsv.exe	svchost.exe
PID 1224 wrote to memory of 932	1224	spoolsv.exe	svchost.exe
PID 932 wrote to memory of 528	932	svchost.exe	spoolsv.exe
PID 932 wrote to memory of 528	932	svchost.exe	spoolsv.exe
PID 932 wrote to memory of 528	932	svchost.exe	spoolsv.exe
PID 932 wrote to memory of 528	932	svchost.exe	spoolsv.exe
PID 932 wrote to memory of 1852	932	svchost.exe	at.exe
PID 932 wrote to memory of 1852	932	svchost.exe	at.exe
PID 932 wrote to memory of 1852	932	svchost.exe	at.exe
PID 932 wrote to memory of 1852	932	svchost.exe	at.exe
PID 1736 wrote to memory of 1772	1736	agent windowsr1.5.561.tmp	AutoConvInstallPath.exe
PID 1736 wrote to memory of 1772	1736	agent windowsr1.5.561.tmp	AutoConvInstallPath.exe
PID 1736 wrote to memory of 1772	1736	agent windowsr1.5.561.tmp	AutoConvInstallPath.exe
PID 1736 wrote to memory of 1772	1736	agent windowsr1.5.561.tmp	AutoConvInstallPath.exe
PID 1736 wrote to memory of 1772	1736	agent windowsr1.5.561.tmp	AutoConvInstallPath.exe
PID 1736 wrote to memory of 1772	1736	agent windowsr1.5.561.tmp	AutoConvInstallPath.exe
PID 1736 wrote to memory of 1772	1736	agent windowsr1.5.561.tmp	AutoConvInstallPath.exe
PID 1736 wrote to memory of 1608	1736	agent windowsr1.5.561.tmp	EMSAgentInstall.exe
PID 1736 wrote to memory of 1608	1736	agent windowsr1.5.561.tmp	EMSAgentInstall.exe
PID 1736 wrote to memory of 1608	1736	agent windowsr1.5.561.tmp	EMSAgentInstall.exe
PID 1736 wrote to memory of 1608	1736	agent windowsr1.5.561.tmp	EMSAgentInstall.exe
PID 1736 wrote to memory of 1608	1736	agent windowsr1.5.561.tmp	EMSAgentInstall.exe
PID 1736 wrote to memory of 1608	1736	agent windowsr1.5.561.tmp	EMSAgentInstall.exe
PID 1736 wrote to memory of 1608	1736	agent windowsr1.5.561.tmp	EMSAgentInstall.exe
PID 1736 wrote to memory of 1732	1736	agent windowsr1.5.561.tmp	netsh.exe
PID 1736 wrote to memory of 1732	1736	agent windowsr1.5.561.tmp	netsh.exe
PID 1736 wrote to memory of 1732	1736	agent windowsr1.5.561.tmp	netsh.exe
PID 1736 wrote to memory of 1732	1736	agent windowsr1.5.561.tmp	netsh.exe
PID 1736 wrote to memory of 524	1736	agent windowsr1.5.561.tmp	netsh.exe
PID 1736 wrote to memory of 524	1736	agent windowsr1.5.561.tmp	netsh.exe
PID 1736 wrote to memory of 524	1736	agent windowsr1.5.561.tmp	netsh.exe
PID 1736 wrote to memory of 524	1736	agent windowsr1.5.561.tmp	netsh.exe
PID 1736 wrote to memory of 1992	1736	agent windowsr1.5.561.tmp	NNPOption.exe
PID 1736 wrote to memory of 1992	1736	agent windowsr1.5.561.tmp	NNPOption.exe
PID 1736 wrote to memory of 1992	1736	agent windowsr1.5.561.tmp	NNPOption.exe
PID 1736 wrote to memory of 1992	1736	agent windowsr1.5.561.tmp	NNPOption.exe

C:\Users\Admin\AppData\Local\Temp\Agent WindowsR1.5.561.exe
"C:\Users\Admin\AppData\Local\Temp\Agent WindowsR1.5.561.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:484

\??\c:\users\admin\appdata\local\temp\agent windowsr1.5.561.exe
"c:\users\admin\appdata\local\temp\agent windowsr1.5.561.exe "
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\is-J693U.tmp\agent windowsr1.5.561.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J693U.tmp\agent windowsr1.5.561.tmp" /SL5="$10164,3391113,54272,c:\users\admin\appdata\local\temp\agent windowsr1.5.561.exe "
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1736

C:\Program Files\NKIA\NNPAgent\utils\NNPOption\AutoConvInstallPath.exe
"C:\Program Files\NKIA\NNPAgent\utils\NNPOption\AutoConvInstallPath.exe" /path C:\Program Files\NKIA\NNPAgent
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1772

C:\Program Files\NKIA\NNPAgent\utils\NNPOption\EMSAgentInstall.exe
"C:\Program Files\NKIA\NNPAgent\utils\NNPOption\EMSAgentInstall.exe" /path C:\Program Files\NKIA\NNPAgent /c 0|127.0.0.1
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name= "SMS Agent Service Port" dir=in action=allow protocol=tcp localport=21003
4⤵
PID:1732

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name= "SMS Agent Update Port" dir=out action=allow protocol=tcp localport=21080,21002
4⤵
PID:524

C:\Program Files\NKIA\NNPAgent\utils\NNPOption\NNPOption.exe
"C:\Program Files\NKIA\NNPAgent\utils\NNPOption\NNPOption.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:528

C:\Windows\SysWOW64\at.exe
at 08:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1852

C:\Windows\SysWOW64\at.exe
at 08:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1504

C:\Windows\SysWOW64\at.exe
at 08:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1780

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NKIA\NNPAgent\MAgent\conf\MasterAgent.conf
MD5
44778483f655eae5e904ae33f968a107

SHA1
3b4202318c3d26aef2d5738b9d86407cc3234566

SHA256
5ba912a94c4d32dbed15ea235f987104cb0503af4745836d960cd08a60039462

SHA512
7ef382c521366cecd0b103bdec389cc2f608d1aad67ef7692f4a8a269e5dff47a4cf1f2d62362d353de97c23181cf34430a98ddea06d6fc418e9c4aa827e02f0

Download Submit
C:\Program Files\NKIA\NNPAgent\MAgent\conf\MasterAgent.conf
MD5
44778483f655eae5e904ae33f968a107

SHA1
3b4202318c3d26aef2d5738b9d86407cc3234566

SHA256
5ba912a94c4d32dbed15ea235f987104cb0503af4745836d960cd08a60039462

SHA512
7ef382c521366cecd0b103bdec389cc2f608d1aad67ef7692f4a8a269e5dff47a4cf1f2d62362d353de97c23181cf34430a98ddea06d6fc418e9c4aa827e02f0

Download Submit
C:\Program Files\NKIA\NNPAgent\SMSAgent\conf\SMSAgent.conf
MD5
08bdd47ed2195ff1e2c01fa3540d0a7a

SHA1
54e2cca82d3e69dde64fdf3ff5c64d3b44a7363e

SHA256
9619e7b2dcec54f4ff372460d45b9412a97227345223a7ffb318dc54b80b7d0c

SHA512
8050bc96141dad00b47193b19392dd624ab10a7c71583e64751bbd83acf45d68a1fef47c2528d91e494e13e5972ceaa183160ae419bfed0e2efedbb30e9508b1

Download Submit
C:\Program Files\NKIA\NNPAgent\SMSAgent\conf\SMSAgent.conf
MD5
08bdd47ed2195ff1e2c01fa3540d0a7a

SHA1
54e2cca82d3e69dde64fdf3ff5c64d3b44a7363e

SHA256
9619e7b2dcec54f4ff372460d45b9412a97227345223a7ffb318dc54b80b7d0c

SHA512
8050bc96141dad00b47193b19392dd624ab10a7c71583e64751bbd83acf45d68a1fef47c2528d91e494e13e5972ceaa183160ae419bfed0e2efedbb30e9508b1

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\AutoConvInstallPath.exe
MD5
fb4885dab976eb40753046c5bc3b1cec

SHA1
2fee806f7574efd2003dcea3b3b56ef5cc9ecaf3

SHA256
c3ae0e21731bdbf510aa4db899253ed31e2f31eebbfe1a0e293231b4cfaedf0a

SHA512
798139783c31c3660a6b0f67329c99d84b402d954a9f33f04d9666ded6933e6dfba47b0d8e2f1379c76004882dc175ad572b0d87dfe263c6d76080957b68f18b

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\AutoConvInstallPath.exe
MD5
fb4885dab976eb40753046c5bc3b1cec

SHA1
2fee806f7574efd2003dcea3b3b56ef5cc9ecaf3

SHA256
c3ae0e21731bdbf510aa4db899253ed31e2f31eebbfe1a0e293231b4cfaedf0a

SHA512
798139783c31c3660a6b0f67329c99d84b402d954a9f33f04d9666ded6933e6dfba47b0d8e2f1379c76004882dc175ad572b0d87dfe263c6d76080957b68f18b

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\EMSAgentInstall.exe
MD5
5db50c05c4089b64cfc5093e0856b31c

SHA1
d56ba87b6f6052fa647b6fba1ce5f96ba47618bd

SHA256
d45361122b711e35b56dcab60fb9bb800263e8f78476a94e1a133367decb3ec4

SHA512
9e8b9f61d157afe74e5814cddeaf1f809647f7f4f852076467f8ec5f8b934c24a95fed31e62821d2d5dc0119ddc736554a6290699edf804808db0f606bb31d06

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\EMSAgentInstall.exe
MD5
5db50c05c4089b64cfc5093e0856b31c

SHA1
d56ba87b6f6052fa647b6fba1ce5f96ba47618bd

SHA256
d45361122b711e35b56dcab60fb9bb800263e8f78476a94e1a133367decb3ec4

SHA512
9e8b9f61d157afe74e5814cddeaf1f809647f7f4f852076467f8ec5f8b934c24a95fed31e62821d2d5dc0119ddc736554a6290699edf804808db0f606bb31d06

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\EnglishRc.dll
MD5
ef5ae434ec7d7048c17ab9d7cde7d124

SHA1
8238b8d9efa1db742e5f8f1214c17c7f71bc23b7

SHA256
fe88362b458e2a12b2a775415e4f13efe2d1f053a2717755cf6e706f57a346c5

SHA512
63febd1b1c2fe6547c9aefc6e2c895ac81b5a3a58839efa32aa0f106b1c1741de4666edca68203e7ab2b82613c1e186accb13c58a6ec9b9318e4a3b72485b30a

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\ModuleInfo.dat
MD5
369042d94faeb4507339d5ccd1978053

SHA1
2eb03bc074a09bd8c09a3da0dd2759b1c980de88

SHA256
410b889967ddf7b778544d95cd20e933f15e6220066e5c13cf8c61a3ebb26b25

SHA512
bdb6543db4b01ab938441008eba381300b1ad420f32a075533cc763a240eb3381ef6e9cd5ce440b96f187de1880f761c3fbfc726a799a2e808eb4253db08eacc

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\NNPOption.exe
MD5
411af7e042e16a421e4842fdfec59fc9

SHA1
1dc03ef6104f462b8d50677054c60d722a801d51

SHA256
098b678360c46020cdeac05faea508f3e97d8d8f2962d949589ea455315ed376

SHA512
53d27628ae01d4dfc8eedf517364c91db369afaa63683851875ae3bb9fa636189fc7d32cb2be8bdf42101a057fd9b41ea97cd92778cb31355b62ccefeb62cd9a

Download Submit
C:\Program Files\NKIA\NNPAgent\utils\NNPOption\language.dat
MD5
9cfefed8fb9497baa5cd519d7d2bb5d7

SHA1
094b0fe0e302854af1311afab85b5203ba457a3b

SHA256
dbd3a49d0d906b4ed9216b73330d2fb080ef2f758c12f3885068222e5e17151c

SHA512
41dd75307a2e7c49caf53fff15aada688275ef4d7950bedf028612b73f343ed45cf51fe1d4d27f58ed12e93e0fd0ae7f69428db169211554d1b380c91aa5cd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\agent windowsr1.5.561.exe
MD5
d3d52995d9e6b41bd5d4a4e307881e74

SHA1
de7cbf8e1fb8261bffd18acb8d6eb282416f1446

SHA256
077455ead959ce3cb558a90dadf6ecb12dd3c8042b274a27006b4a9368f3c73d

SHA512
dfe2403d7fbcb1ba36036c8f6b168be1769a770a67ccddec8c30da5a4faeba890f98f308d4366bf1b68ecc480f9e6a6ec2c0b84c20659ec438ef7e3c7a750f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J693U.tmp\agent windowsr1.5.561.tmp
MD5
15430669556c2062ceadd5b125e8cea7

SHA1
276c5f36876a783a01ef10b9df39fa0efe3e296a

SHA256
64db719c67988b106bf2d1a5b842445e8ff9b6436be28bcaa0b8876d330f8168

SHA512
2c2a87d34922d747827a2c77813ebfe9923bdd80cd4be909f8da3c8a4dc3a079c049db74c8bc36edd38663ee4635cdd0fda4f9cd2adc3b40d426066611206f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J693U.tmp\agent windowsr1.5.561.tmp
MD5
15430669556c2062ceadd5b125e8cea7

SHA1
276c5f36876a783a01ef10b9df39fa0efe3e296a

SHA256
64db719c67988b106bf2d1a5b842445e8ff9b6436be28bcaa0b8876d330f8168

SHA512
2c2a87d34922d747827a2c77813ebfe9923bdd80cd4be909f8da3c8a4dc3a079c049db74c8bc36edd38663ee4635cdd0fda4f9cd2adc3b40d426066611206f39

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
MD5
d62d7d5e9d93770ae8e1d01945cce086

SHA1
ccb899a2e929db969f994b3de124834dff761d28

SHA256
cc69a8dde123fc8223f8c97fec4806afd2485ec9ba2baa65e79f3f71558b0b4a

SHA512
543d086f788eeb382087d98220cb6fc7e7042763d7b65ce874d23b4e1b26633421ae3fa17093d3541100c000218e1560beb5f605c904d95b4d89d10f63771bf0

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
MD5
db039dc4da58e6386e2f2c2998dc7572

SHA1
62635ae8449086cd7b68c3e6f0d3548ca0fbc69c

SHA256
fc14d263faa4dd32eded7fb80552e10cfb97dd2e8a6d72dc7a864b7c60b9485e

SHA512
3a353c38d48f0daf02523b1ee74a9e0ba346d4fce23ff64cb746933ec571ea945a4e54138d6c96f9cd59c04cc4c933e3800f56cf63e2a11dc815db6c3f403d54

Download Submit
C:\Windows\system\explorer.exe
MD5
54cf0615669590467f37798eced628d4

SHA1
cd48f55991c8ae9e53b1cc77ad4072948fcd7963

SHA256
2cb0062096092d639d8f1fa8ea09dd22de9b04f4beb4633249b9fccaff798f82

SHA512
f80d269a169ee7f87089482f0d07d19846716acedc5c86175f0b4bdcf095b9cffb2c075ca5b9ebfd8121026cdb9e8867946f575b619f44fb8a42a8cca141f5ab

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ed3ad2a1143a74abc5d659e2eeeb4843

SHA1
fd762164bf8a4af25fd427b53ed6c867e92e3920

SHA256
7687f8d646a6da7f5341cc4a3ffc5deeb662216dd4c9671475b93085737f531b

SHA512
5618aaf14c9dc2bc68ec77da6286b74ef46df65205f4012802bdbc32d3bbdf1d0a93fa0a4e894a063ad0dcefc02d7b8f88b0061c162baeae452d27b4ea7daf4c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ed3ad2a1143a74abc5d659e2eeeb4843

SHA1
fd762164bf8a4af25fd427b53ed6c867e92e3920

SHA256
7687f8d646a6da7f5341cc4a3ffc5deeb662216dd4c9671475b93085737f531b

SHA512
5618aaf14c9dc2bc68ec77da6286b74ef46df65205f4012802bdbc32d3bbdf1d0a93fa0a4e894a063ad0dcefc02d7b8f88b0061c162baeae452d27b4ea7daf4c

Download Submit
C:\Windows\system\svchost.exe
MD5
aded92313c17bd6be01ad5e9588e724e

SHA1
85c714fbb3c90c6ce8553f9cbd68a491a79fb1d6

SHA256
ca1cec388e01ef8aaaebdfd1565bf92f95e2ac41e310212222f585f847eb41d2

SHA512
86702047cf28821c3192b59ebe35c58c4a4b5c54256adf15440df6689cdd84f20794d9646fe12719a7571a5795971826252a8860307e8f25fc0c5d7b4cb32a06

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe
MD5
d62d7d5e9d93770ae8e1d01945cce086

SHA1
ccb899a2e929db969f994b3de124834dff761d28

SHA256
cc69a8dde123fc8223f8c97fec4806afd2485ec9ba2baa65e79f3f71558b0b4a

SHA512
543d086f788eeb382087d98220cb6fc7e7042763d7b65ce874d23b4e1b26633421ae3fa17093d3541100c000218e1560beb5f605c904d95b4d89d10f63771bf0

Download Submit
\??\c:\users\admin\appdata\local\temp\agent windowsr1.5.561.exe
MD5
d3d52995d9e6b41bd5d4a4e307881e74

SHA1
de7cbf8e1fb8261bffd18acb8d6eb282416f1446

SHA256
077455ead959ce3cb558a90dadf6ecb12dd3c8042b274a27006b4a9368f3c73d

SHA512
dfe2403d7fbcb1ba36036c8f6b168be1769a770a67ccddec8c30da5a4faeba890f98f308d4366bf1b68ecc480f9e6a6ec2c0b84c20659ec438ef7e3c7a750f7a

Download Submit
\??\c:\windows\system\explorer.exe
MD5
54cf0615669590467f37798eced628d4

SHA1
cd48f55991c8ae9e53b1cc77ad4072948fcd7963

SHA256
2cb0062096092d639d8f1fa8ea09dd22de9b04f4beb4633249b9fccaff798f82

SHA512
f80d269a169ee7f87089482f0d07d19846716acedc5c86175f0b4bdcf095b9cffb2c075ca5b9ebfd8121026cdb9e8867946f575b619f44fb8a42a8cca141f5ab

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
ed3ad2a1143a74abc5d659e2eeeb4843

SHA1
fd762164bf8a4af25fd427b53ed6c867e92e3920

SHA256
7687f8d646a6da7f5341cc4a3ffc5deeb662216dd4c9671475b93085737f531b

SHA512
5618aaf14c9dc2bc68ec77da6286b74ef46df65205f4012802bdbc32d3bbdf1d0a93fa0a4e894a063ad0dcefc02d7b8f88b0061c162baeae452d27b4ea7daf4c

Download Submit
\??\c:\windows\system\svchost.exe
MD5
aded92313c17bd6be01ad5e9588e724e

SHA1
85c714fbb3c90c6ce8553f9cbd68a491a79fb1d6

SHA256
ca1cec388e01ef8aaaebdfd1565bf92f95e2ac41e310212222f585f847eb41d2

SHA512
86702047cf28821c3192b59ebe35c58c4a4b5c54256adf15440df6689cdd84f20794d9646fe12719a7571a5795971826252a8860307e8f25fc0c5d7b4cb32a06

Download Submit
\Program Files\NKIA\NNPAgent\unins000.exe
MD5
19f051c1578cd3c35aabad5c1568091d

SHA1
a6d3d386d30a7f1c8a2b1f2381cd51a56f7d6739

SHA256
8dc6104b024bb18cc248584c0ade3e61530d79035f6b659c33944bd4fa51cd3c

SHA512
c45a063f050877e5b033fb86fbee1197a9f8496973ca4140acef4962b10e1f1f029c8e8a0522c50529737f545b3a663b5961bb7f3d25db3b46b16c40c9674852

Download Submit
\Program Files\NKIA\NNPAgent\utils\NNPOption\AutoConvInstallPath.exe
MD5
fb4885dab976eb40753046c5bc3b1cec

SHA1
2fee806f7574efd2003dcea3b3b56ef5cc9ecaf3

SHA256
c3ae0e21731bdbf510aa4db899253ed31e2f31eebbfe1a0e293231b4cfaedf0a

SHA512
798139783c31c3660a6b0f67329c99d84b402d954a9f33f04d9666ded6933e6dfba47b0d8e2f1379c76004882dc175ad572b0d87dfe263c6d76080957b68f18b

Download Submit
\Program Files\NKIA\NNPAgent\utils\NNPOption\AutoConvInstallPath.exe
MD5
fb4885dab976eb40753046c5bc3b1cec

SHA1
2fee806f7574efd2003dcea3b3b56ef5cc9ecaf3

SHA256
c3ae0e21731bdbf510aa4db899253ed31e2f31eebbfe1a0e293231b4cfaedf0a

SHA512
798139783c31c3660a6b0f67329c99d84b402d954a9f33f04d9666ded6933e6dfba47b0d8e2f1379c76004882dc175ad572b0d87dfe263c6d76080957b68f18b

Download Submit
\Program Files\NKIA\NNPAgent\utils\NNPOption\AutoConvInstallPath.exe
MD5
fb4885dab976eb40753046c5bc3b1cec

SHA1
2fee806f7574efd2003dcea3b3b56ef5cc9ecaf3

SHA256
c3ae0e21731bdbf510aa4db899253ed31e2f31eebbfe1a0e293231b4cfaedf0a

SHA512
798139783c31c3660a6b0f67329c99d84b402d954a9f33f04d9666ded6933e6dfba47b0d8e2f1379c76004882dc175ad572b0d87dfe263c6d76080957b68f18b

Download Submit
\Program Files\NKIA\NNPAgent\utils\NNPOption\AutoConvInstallPath.exe
MD5
fb4885dab976eb40753046c5bc3b1cec

SHA1
2fee806f7574efd2003dcea3b3b56ef5cc9ecaf3

SHA256
c3ae0e21731bdbf510aa4db899253ed31e2f31eebbfe1a0e293231b4cfaedf0a

SHA512
798139783c31c3660a6b0f67329c99d84b402d954a9f33f04d9666ded6933e6dfba47b0d8e2f1379c76004882dc175ad572b0d87dfe263c6d76080957b68f18b

Download Submit
\Program Files\NKIA\NNPAgent\utils\NNPOption\EMSAgentInstall.exe
MD5
5db50c05c4089b64cfc5093e0856b31c

SHA1
d56ba87b6f6052fa647b6fba1ce5f96ba47618bd

SHA256
d45361122b711e35b56dcab60fb9bb800263e8f78476a94e1a133367decb3ec4

SHA512
9e8b9f61d157afe74e5814cddeaf1f809647f7f4f852076467f8ec5f8b934c24a95fed31e62821d2d5dc0119ddc736554a6290699edf804808db0f606bb31d06

Download Submit
\Program Files\NKIA\NNPAgent\utils\NNPOption\EMSAgentInstall.exe
MD5
5db50c05c4089b64cfc5093e0856b31c

SHA1
d56ba87b6f6052fa647b6fba1ce5f96ba47618bd

SHA256
d45361122b711e35b56dcab60fb9bb800263e8f78476a94e1a133367decb3ec4

SHA512
9e8b9f61d157afe74e5814cddeaf1f809647f7f4f852076467f8ec5f8b934c24a95fed31e62821d2d5dc0119ddc736554a6290699edf804808db0f606bb31d06

Download Submit
\Program Files\NKIA\NNPAgent\utils\NNPOption\EMSAgentInstall.exe
MD5
5db50c05c4089b64cfc5093e0856b31c

SHA1
d56ba87b6f6052fa647b6fba1ce5f96ba47618bd

SHA256
d45361122b711e35b56dcab60fb9bb800263e8f78476a94e1a133367decb3ec4

SHA512
9e8b9f61d157afe74e5814cddeaf1f809647f7f4f852076467f8ec5f8b934c24a95fed31e62821d2d5dc0119ddc736554a6290699edf804808db0f606bb31d06

Download Submit
\Program Files\NKIA\NNPAgent\utils\NNPOption\EMSAgentInstall.exe
MD5
5db50c05c4089b64cfc5093e0856b31c

SHA1
d56ba87b6f6052fa647b6fba1ce5f96ba47618bd

SHA256
d45361122b711e35b56dcab60fb9bb800263e8f78476a94e1a133367decb3ec4

SHA512
9e8b9f61d157afe74e5814cddeaf1f809647f7f4f852076467f8ec5f8b934c24a95fed31e62821d2d5dc0119ddc736554a6290699edf804808db0f606bb31d06

Download Submit
\Program Files\NKIA\NNPAgent\utils\NNPOption\EnglishRc.dll
MD5
ef5ae434ec7d7048c17ab9d7cde7d124

SHA1
8238b8d9efa1db742e5f8f1214c17c7f71bc23b7

SHA256
fe88362b458e2a12b2a775415e4f13efe2d1f053a2717755cf6e706f57a346c5

SHA512
63febd1b1c2fe6547c9aefc6e2c895ac81b5a3a58839efa32aa0f106b1c1741de4666edca68203e7ab2b82613c1e186accb13c58a6ec9b9318e4a3b72485b30a

Download Submit
\Program Files\NKIA\NNPAgent\utils\NNPOption\NNPOption.exe
MD5
411af7e042e16a421e4842fdfec59fc9

SHA1
1dc03ef6104f462b8d50677054c60d722a801d51

SHA256
098b678360c46020cdeac05faea508f3e97d8d8f2962d949589ea455315ed376

SHA512
53d27628ae01d4dfc8eedf517364c91db369afaa63683851875ae3bb9fa636189fc7d32cb2be8bdf42101a057fd9b41ea97cd92778cb31355b62ccefeb62cd9a

Download Submit
\Program Files\NKIA\NNPAgent\utils\NNPOption\NNPOption.exe
MD5
411af7e042e16a421e4842fdfec59fc9

SHA1
1dc03ef6104f462b8d50677054c60d722a801d51

SHA256
098b678360c46020cdeac05faea508f3e97d8d8f2962d949589ea455315ed376

SHA512
53d27628ae01d4dfc8eedf517364c91db369afaa63683851875ae3bb9fa636189fc7d32cb2be8bdf42101a057fd9b41ea97cd92778cb31355b62ccefeb62cd9a

Download Submit
\Program Files\NKIA\NNPAgent\utils\NNPOption\NNPOption.exe
MD5
411af7e042e16a421e4842fdfec59fc9

SHA1
1dc03ef6104f462b8d50677054c60d722a801d51

SHA256
098b678360c46020cdeac05faea508f3e97d8d8f2962d949589ea455315ed376

SHA512
53d27628ae01d4dfc8eedf517364c91db369afaa63683851875ae3bb9fa636189fc7d32cb2be8bdf42101a057fd9b41ea97cd92778cb31355b62ccefeb62cd9a

Download Submit
\Users\Admin\AppData\Local\Temp\agent windowsr1.5.561.exe
MD5
d3d52995d9e6b41bd5d4a4e307881e74

SHA1
de7cbf8e1fb8261bffd18acb8d6eb282416f1446

SHA256
077455ead959ce3cb558a90dadf6ecb12dd3c8042b274a27006b4a9368f3c73d

SHA512
dfe2403d7fbcb1ba36036c8f6b168be1769a770a67ccddec8c30da5a4faeba890f98f308d4366bf1b68ecc480f9e6a6ec2c0b84c20659ec438ef7e3c7a750f7a

Download Submit
\Users\Admin\AppData\Local\Temp\is-C7928.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-C7928.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-J693U.tmp\agent windowsr1.5.561.tmp
MD5
15430669556c2062ceadd5b125e8cea7

SHA1
276c5f36876a783a01ef10b9df39fa0efe3e296a

SHA256
64db719c67988b106bf2d1a5b842445e8ff9b6436be28bcaa0b8876d330f8168

SHA512
2c2a87d34922d747827a2c77813ebfe9923bdd80cd4be909f8da3c8a4dc3a079c049db74c8bc36edd38663ee4635cdd0fda4f9cd2adc3b40d426066611206f39

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
MD5
d62d7d5e9d93770ae8e1d01945cce086

SHA1
ccb899a2e929db969f994b3de124834dff761d28

SHA256
cc69a8dde123fc8223f8c97fec4806afd2485ec9ba2baa65e79f3f71558b0b4a

SHA512
543d086f788eeb382087d98220cb6fc7e7042763d7b65ce874d23b4e1b26633421ae3fa17093d3541100c000218e1560beb5f605c904d95b4d89d10f63771bf0

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
MD5
d62d7d5e9d93770ae8e1d01945cce086

SHA1
ccb899a2e929db969f994b3de124834dff761d28

SHA256
cc69a8dde123fc8223f8c97fec4806afd2485ec9ba2baa65e79f3f71558b0b4a

SHA512
543d086f788eeb382087d98220cb6fc7e7042763d7b65ce874d23b4e1b26633421ae3fa17093d3541100c000218e1560beb5f605c904d95b4d89d10f63771bf0

Download Submit
\Windows\system\explorer.exe
MD5
54cf0615669590467f37798eced628d4

SHA1
cd48f55991c8ae9e53b1cc77ad4072948fcd7963

SHA256
2cb0062096092d639d8f1fa8ea09dd22de9b04f4beb4633249b9fccaff798f82

SHA512
f80d269a169ee7f87089482f0d07d19846716acedc5c86175f0b4bdcf095b9cffb2c075ca5b9ebfd8121026cdb9e8867946f575b619f44fb8a42a8cca141f5ab

Download Submit
\Windows\system\explorer.exe
MD5
54cf0615669590467f37798eced628d4

SHA1
cd48f55991c8ae9e53b1cc77ad4072948fcd7963

SHA256
2cb0062096092d639d8f1fa8ea09dd22de9b04f4beb4633249b9fccaff798f82

SHA512
f80d269a169ee7f87089482f0d07d19846716acedc5c86175f0b4bdcf095b9cffb2c075ca5b9ebfd8121026cdb9e8867946f575b619f44fb8a42a8cca141f5ab

Download Submit
\Windows\system\spoolsv.exe
MD5
ed3ad2a1143a74abc5d659e2eeeb4843

SHA1
fd762164bf8a4af25fd427b53ed6c867e92e3920

SHA256
7687f8d646a6da7f5341cc4a3ffc5deeb662216dd4c9671475b93085737f531b

SHA512
5618aaf14c9dc2bc68ec77da6286b74ef46df65205f4012802bdbc32d3bbdf1d0a93fa0a4e894a063ad0dcefc02d7b8f88b0061c162baeae452d27b4ea7daf4c

Download Submit
\Windows\system\spoolsv.exe
MD5
ed3ad2a1143a74abc5d659e2eeeb4843

SHA1
fd762164bf8a4af25fd427b53ed6c867e92e3920

SHA256
7687f8d646a6da7f5341cc4a3ffc5deeb662216dd4c9671475b93085737f531b

SHA512
5618aaf14c9dc2bc68ec77da6286b74ef46df65205f4012802bdbc32d3bbdf1d0a93fa0a4e894a063ad0dcefc02d7b8f88b0061c162baeae452d27b4ea7daf4c

Download Submit
\Windows\system\spoolsv.exe
MD5
ed3ad2a1143a74abc5d659e2eeeb4843

SHA1
fd762164bf8a4af25fd427b53ed6c867e92e3920

SHA256
7687f8d646a6da7f5341cc4a3ffc5deeb662216dd4c9671475b93085737f531b

SHA512
5618aaf14c9dc2bc68ec77da6286b74ef46df65205f4012802bdbc32d3bbdf1d0a93fa0a4e894a063ad0dcefc02d7b8f88b0061c162baeae452d27b4ea7daf4c

Download Submit
\Windows\system\spoolsv.exe
MD5
ed3ad2a1143a74abc5d659e2eeeb4843

SHA1
fd762164bf8a4af25fd427b53ed6c867e92e3920

SHA256
7687f8d646a6da7f5341cc4a3ffc5deeb662216dd4c9671475b93085737f531b

SHA512
5618aaf14c9dc2bc68ec77da6286b74ef46df65205f4012802bdbc32d3bbdf1d0a93fa0a4e894a063ad0dcefc02d7b8f88b0061c162baeae452d27b4ea7daf4c

Download Submit
\Windows\system\svchost.exe
MD5
aded92313c17bd6be01ad5e9588e724e

SHA1
85c714fbb3c90c6ce8553f9cbd68a491a79fb1d6

SHA256
ca1cec388e01ef8aaaebdfd1565bf92f95e2ac41e310212222f585f847eb41d2

SHA512
86702047cf28821c3192b59ebe35c58c4a4b5c54256adf15440df6689cdd84f20794d9646fe12719a7571a5795971826252a8860307e8f25fc0c5d7b4cb32a06

Download Submit
\Windows\system\svchost.exe
MD5
aded92313c17bd6be01ad5e9588e724e

SHA1
85c714fbb3c90c6ce8553f9cbd68a491a79fb1d6

SHA256
ca1cec388e01ef8aaaebdfd1565bf92f95e2ac41e310212222f585f847eb41d2

SHA512
86702047cf28821c3192b59ebe35c58c4a4b5c54256adf15440df6689cdd84f20794d9646fe12719a7571a5795971826252a8860307e8f25fc0c5d7b4cb32a06

Download Submit
memory/484-63-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/524-151-0x0000000000000000-mapping.dmp

Download
memory/528-116-0x0000000000000000-mapping.dmp

Download
memory/900-65-0x0000000000000000-mapping.dmp

Download
memory/900-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/932-107-0x0000000000000000-mapping.dmp

Download
memory/1224-98-0x0000000000000000-mapping.dmp

Download
memory/1316-89-0x0000000000000000-mapping.dmp

Download
memory/1504-161-0x0000000000000000-mapping.dmp

Download
memory/1608-140-0x0000000000000000-mapping.dmp

Download
memory/1732-149-0x0000000000000000-mapping.dmp

Download
memory/1736-71-0x0000000000000000-mapping.dmp

Download
memory/1736-82-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1736-124-0x0000000074651000-0x0000000074653000-memory.dmp

Filesize
8KB

Download
memory/1772-129-0x0000000000000000-mapping.dmp

Download
memory/1780-163-0x0000000000000000-mapping.dmp

Download
memory/1784-76-0x0000000000000000-mapping.dmp

Download
memory/1852-121-0x0000000000000000-mapping.dmp

Download
memory/1992-155-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads