edc049f43e49ebc789a64818b7a1c52e37dd248e735d86606d92162dce599130

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-09-2022 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG001.exe
Size

3.5MB
MD5

87882046d21d2468ee993ea7c3159c4d
SHA1

525114e7e4bde3c2e9620f598dc21071888b44b6
SHA256

edc049f43e49ebc789a64818b7a1c52e37dd248e735d86606d92162dce599130
SHA512

bce07ca371c0a7aa6d214ff3ff3fb05c45891f56d1834c06a563b1adb0d1c3eee9829ac73b4652677ba916aa147913d135939d0d3a2f7af4aa1469af3389ffc6
SSDEEP

98304:M8LuVPnq1y5tQOM33ZNqCtBixHl54Oyjes1boo:KVPq1yLanrqTr43eSX

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

tftp.exeIMG001.exetftp.exe

pid process

796 tftp.exe
1580 IMG001.exe
1552 tftp.exe
Drops startup file 1 IoCs

Processes:

IMG001.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk IMG001.exe
Loads dropped DLL 9 IoCs

Processes:

IMG001.exeIMG001.exe

pid process

1048 IMG001.exe
1048 IMG001.exe
1048 IMG001.exe
1580 IMG001.exe
1580 IMG001.exe
1580 IMG001.exe
1580 IMG001.exe
1580 IMG001.exe
1580 IMG001.exe

pid	process
796	tftp.exe
1580	IMG001.exe
1552	tftp.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk	IMG001.exe

pid	process
1048	IMG001.exe
1048	IMG001.exe
1048	IMG001.exe
1580	IMG001.exe
1580	IMG001.exe
1580	IMG001.exe
1580	IMG001.exe
1580	IMG001.exe
1580	IMG001.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IMG001.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	IMG001.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	IMG001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	reg.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

IMG001.exe

description ioc process

File opened (read-only) \??\E: IMG001.exe
Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\UAC.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\E:	IMG001.exe

description	ioc	process
File created	C:\Windows\Tasks\UAC.job	schtasks.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_2
\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1664 schtasks.exe
1260 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1792 taskkill.exe
552 taskkill.exe

pid	process
1664	schtasks.exe
1260	schtasks.exe

pid	process
1792	taskkill.exe
552	taskkill.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exetaskkill.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeShutdownPrivilege	1524	powercfg.exe
Token: SeShutdownPrivilege	1312	powercfg.exe
Token: SeShutdownPrivilege	1408	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

IMG001.execmd.exeIMG001.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1048 wrote to memory of 2016	1048	IMG001.exe	cmd.exe
PID 1048 wrote to memory of 2016	1048	IMG001.exe	cmd.exe
PID 1048 wrote to memory of 2016	1048	IMG001.exe	cmd.exe
PID 1048 wrote to memory of 2016	1048	IMG001.exe	cmd.exe
PID 2016 wrote to memory of 552	2016	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 552	2016	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 552	2016	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 552	2016	cmd.exe	taskkill.exe
PID 1048 wrote to memory of 796	1048	IMG001.exe	tftp.exe
PID 1048 wrote to memory of 796	1048	IMG001.exe	tftp.exe
PID 1048 wrote to memory of 796	1048	IMG001.exe	tftp.exe
PID 1048 wrote to memory of 796	1048	IMG001.exe	tftp.exe
PID 1048 wrote to memory of 1580	1048	IMG001.exe	IMG001.exe
PID 1048 wrote to memory of 1580	1048	IMG001.exe	IMG001.exe
PID 1048 wrote to memory of 1580	1048	IMG001.exe	IMG001.exe
PID 1048 wrote to memory of 1580	1048	IMG001.exe	IMG001.exe
PID 1580 wrote to memory of 884	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 884	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 884	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 884	1580	IMG001.exe	cmd.exe
PID 884 wrote to memory of 1792	884	cmd.exe	taskkill.exe
PID 884 wrote to memory of 1792	884	cmd.exe	taskkill.exe
PID 884 wrote to memory of 1792	884	cmd.exe	taskkill.exe
PID 884 wrote to memory of 1792	884	cmd.exe	taskkill.exe
PID 1580 wrote to memory of 1552	1580	IMG001.exe	tftp.exe
PID 1580 wrote to memory of 1552	1580	IMG001.exe	tftp.exe
PID 1580 wrote to memory of 1552	1580	IMG001.exe	tftp.exe
PID 1580 wrote to memory of 1552	1580	IMG001.exe	tftp.exe
PID 1580 wrote to memory of 1980	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1980	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1980	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1980	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1960	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1960	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1960	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1960	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1904	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1904	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1904	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1904	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1884	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1884	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1884	1580	IMG001.exe	cmd.exe
PID 1580 wrote to memory of 1884	1580	IMG001.exe	cmd.exe
PID 1980 wrote to memory of 972	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 972	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 972	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 972	1980	cmd.exe	reg.exe
PID 1960 wrote to memory of 1664	1960	cmd.exe	schtasks.exe
PID 1960 wrote to memory of 1664	1960	cmd.exe	schtasks.exe
PID 1960 wrote to memory of 1664	1960	cmd.exe	schtasks.exe
PID 1960 wrote to memory of 1664	1960	cmd.exe	schtasks.exe
PID 1884 wrote to memory of 1524	1884	cmd.exe	powercfg.exe
PID 1884 wrote to memory of 1524	1884	cmd.exe	powercfg.exe
PID 1884 wrote to memory of 1524	1884	cmd.exe	powercfg.exe
PID 1884 wrote to memory of 1524	1884	cmd.exe	powercfg.exe
PID 1904 wrote to memory of 1260	1904	cmd.exe	schtasks.exe
PID 1904 wrote to memory of 1260	1904	cmd.exe	schtasks.exe
PID 1904 wrote to memory of 1260	1904	cmd.exe	schtasks.exe
PID 1904 wrote to memory of 1260	1904	cmd.exe	schtasks.exe
PID 1884 wrote to memory of 1312	1884	cmd.exe	powercfg.exe
PID 1884 wrote to memory of 1312	1884	cmd.exe	powercfg.exe
PID 1884 wrote to memory of 1312	1884	cmd.exe	powercfg.exe
PID 1884 wrote to memory of 1312	1884	cmd.exe	powercfg.exe

C:\Users\Admin\AppData\Local\Temp\IMG001.exe
"C:\Users\Admin\AppData\Local\Temp\IMG001.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im tftp.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Users\Admin\AppData\Local\Temp\tftp.exe
"C:\Users\Admin\AppData\Local\Temp\tftp.exe"
2⤵
- Executes dropped EXE
PID:796

C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im tftp.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Users\Admin\AppData\Local\Temp\tftp.exe
"C:\Users\Admin\AppData\Local\Temp\tftp.exe"
3⤵
- Executes dropped EXE
PID:1552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
3⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
4⤵
- Adds Run key to start application
PID:972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
4⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
3⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\powercfg.exe
powercfg /CHANGE -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\powercfg.exe
powercfg /CHANGE -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\SysWOW64\powercfg.exe
Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.htaccess
Filesize
114B

MD5
1cd7834fb975e468fccc8f027f69a528

SHA1
56275eef952e6559b86a2cba0b9d45b0307f9dae

SHA256
72e847a89d6a5e9e779ea2f6347b8780c0c0d72969f43777aa7ceb431bd3b024

SHA512
14e5fdc4ee4d961f1da2272847d31ddd1559a36415f00a032ae71400956d897dbd88fd8c8d03aadad29888e729d5c5077d8620aec8e179440b0d5dce511f3338

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.zip
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe
Filesize
275KB

MD5
7a4774111ad45d5b306c8ca8c5aca376

SHA1
06d41d4f1fb72de905904f380efa564d0badbb91

SHA256
dd082c17a55a54173f105a9c38a71126e4521541b4a56be55546ab965136b039

SHA512
29acf0f9bc82465e13f668d0667a802a20e297ea0f16c74bef49ba28b3ed1b7392418c6afbcd165ad3ce6e1e01d13e09d26fab17700764bddb5ef0d870aa7af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe
Filesize
275KB

MD5
7a4774111ad45d5b306c8ca8c5aca376

SHA1
06d41d4f1fb72de905904f380efa564d0badbb91

SHA256
dd082c17a55a54173f105a9c38a71126e4521541b4a56be55546ab965136b039

SHA512
29acf0f9bc82465e13f668d0667a802a20e297ea0f16c74bef49ba28b3ed1b7392418c6afbcd165ad3ce6e1e01d13e09d26fab17700764bddb5ef0d870aa7af7

Download Submit
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
Filesize
3.5MB

MD5
87882046d21d2468ee993ea7c3159c4d

SHA1
525114e7e4bde3c2e9620f598dc21071888b44b6

SHA256
edc049f43e49ebc789a64818b7a1c52e37dd248e735d86606d92162dce599130

SHA512
bce07ca371c0a7aa6d214ff3ff3fb05c45891f56d1834c06a563b1adb0d1c3eee9829ac73b4652677ba916aa147913d135939d0d3a2f7af4aa1469af3389ffc6

Download Submit
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
Filesize
3.5MB

MD5
87882046d21d2468ee993ea7c3159c4d

SHA1
525114e7e4bde3c2e9620f598dc21071888b44b6

SHA256
edc049f43e49ebc789a64818b7a1c52e37dd248e735d86606d92162dce599130

SHA512
bce07ca371c0a7aa6d214ff3ff3fb05c45891f56d1834c06a563b1adb0d1c3eee9829ac73b4652677ba916aa147913d135939d0d3a2f7af4aa1469af3389ffc6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6CE9.tmp\inetc.dll
Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6CE9.tmp\inetc.dll
Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6CE9.tmp\inetc.dll
Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\tftp.exe
Filesize
275KB

MD5
7a4774111ad45d5b306c8ca8c5aca376

SHA1
06d41d4f1fb72de905904f380efa564d0badbb91

SHA256
dd082c17a55a54173f105a9c38a71126e4521541b4a56be55546ab965136b039

SHA512
29acf0f9bc82465e13f668d0667a802a20e297ea0f16c74bef49ba28b3ed1b7392418c6afbcd165ad3ce6e1e01d13e09d26fab17700764bddb5ef0d870aa7af7

Download Submit
\Users\Admin\AppData\Local\Temp\tftp.exe
Filesize
275KB

MD5
7a4774111ad45d5b306c8ca8c5aca376

SHA1
06d41d4f1fb72de905904f380efa564d0badbb91

SHA256
dd082c17a55a54173f105a9c38a71126e4521541b4a56be55546ab965136b039

SHA512
29acf0f9bc82465e13f668d0667a802a20e297ea0f16c74bef49ba28b3ed1b7392418c6afbcd165ad3ce6e1e01d13e09d26fab17700764bddb5ef0d870aa7af7

Download Submit
\Users\Admin\AppData\Local\Temp\tftp.exe
Filesize
275KB

MD5
7a4774111ad45d5b306c8ca8c5aca376

SHA1
06d41d4f1fb72de905904f380efa564d0badbb91

SHA256
dd082c17a55a54173f105a9c38a71126e4521541b4a56be55546ab965136b039

SHA512
29acf0f9bc82465e13f668d0667a802a20e297ea0f16c74bef49ba28b3ed1b7392418c6afbcd165ad3ce6e1e01d13e09d26fab17700764bddb5ef0d870aa7af7

Download Submit
\Users\Admin\AppData\Local\Temp\tftp.exe
Filesize
275KB

MD5
7a4774111ad45d5b306c8ca8c5aca376

SHA1
06d41d4f1fb72de905904f380efa564d0badbb91

SHA256
dd082c17a55a54173f105a9c38a71126e4521541b4a56be55546ab965136b039

SHA512
29acf0f9bc82465e13f668d0667a802a20e297ea0f16c74bef49ba28b3ed1b7392418c6afbcd165ad3ce6e1e01d13e09d26fab17700764bddb5ef0d870aa7af7

Download Submit
\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
Filesize
3.5MB

MD5
87882046d21d2468ee993ea7c3159c4d

SHA1
525114e7e4bde3c2e9620f598dc21071888b44b6

SHA256
edc049f43e49ebc789a64818b7a1c52e37dd248e735d86606d92162dce599130

SHA512
bce07ca371c0a7aa6d214ff3ff3fb05c45891f56d1834c06a563b1adb0d1c3eee9829ac73b4652677ba916aa147913d135939d0d3a2f7af4aa1469af3389ffc6

Download Submit
\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
Filesize
3.5MB

MD5
87882046d21d2468ee993ea7c3159c4d

SHA1
525114e7e4bde3c2e9620f598dc21071888b44b6

SHA256
edc049f43e49ebc789a64818b7a1c52e37dd248e735d86606d92162dce599130

SHA512
bce07ca371c0a7aa6d214ff3ff3fb05c45891f56d1834c06a563b1adb0d1c3eee9829ac73b4652677ba916aa147913d135939d0d3a2f7af4aa1469af3389ffc6

Download Submit
memory/552-56-0x0000000000000000-mapping.dmp

Download
memory/796-59-0x0000000000000000-mapping.dmp

Download
memory/884-66-0x0000000000000000-mapping.dmp

Download
memory/972-79-0x0000000000000000-mapping.dmp

Download
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1260-82-0x0000000000000000-mapping.dmp

Download
memory/1312-85-0x0000000000000000-mapping.dmp

Download
memory/1408-88-0x0000000000000000-mapping.dmp

Download
memory/1524-81-0x0000000000000000-mapping.dmp

Download
memory/1552-72-0x0000000000000000-mapping.dmp

Download
memory/1580-62-0x0000000000000000-mapping.dmp

Download
memory/1664-80-0x0000000000000000-mapping.dmp

Download
memory/1792-67-0x0000000000000000-mapping.dmp

Download
memory/1884-78-0x0000000000000000-mapping.dmp

Download
memory/1904-77-0x0000000000000000-mapping.dmp

Download
memory/1960-76-0x0000000000000000-mapping.dmp

Download
memory/1980-75-0x0000000000000000-mapping.dmp

Download
memory/2016-55-0x0000000000000000-mapping.dmp

Download