neshta | 3956258994c42b8394da2ca90e95313ad870f6611c0b2ce86c9cd247b57ae6f8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2023, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

3.4MB
MD5

825c1b8271c7a89060514ccb1ddfdd27
SHA1

75b4505c8275855a9e15497d0d364c800b9d15fe
SHA256

3956258994c42b8394da2ca90e95313ad870f6611c0b2ce86c9cd247b57ae6f8
SHA512

2371a056ed6524f331d3c771d2e71a46ce879068bd7174e1c82905c999d44647e8d0ba7817ea749b75f005e20beb83edb158a8995bfd4ad1e59fa4821b382ace
SSDEEP

98304:WRVPnq1y5tQOM33ZNqCtBixHl54Oyjes1boc9:IVPq1yLanrqTr43eSl

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 52 IoCs

resource	yara_rule
behavioral2/files/0x000600000002313b-144.dat	family_neshta
behavioral2/files/0x000600000002313b-145.dat	family_neshta
behavioral2/files/0x0004000000009f7a-153.dat	family_neshta
behavioral2/files/0x000500000001f403-155.dat	family_neshta
behavioral2/files/0x000500000001f403-156.dat	family_neshta
behavioral2/files/0x000700000001f067-160.dat	family_neshta
behavioral2/files/0x000200000001f07c-164.dat	family_neshta
behavioral2/files/0x0001000000021336-180.dat	family_neshta
behavioral2/files/0x0001000000022d3c-189.dat	family_neshta
behavioral2/files/0x00010000000167c3-213.dat	family_neshta
behavioral2/files/0x0001000000016920-230.dat	family_neshta
behavioral2/files/0x000100000001696e-235.dat	family_neshta
behavioral2/files/0x0001000000016915-239.dat	family_neshta
behavioral2/files/0x000500000001e085-238.dat	family_neshta
behavioral2/files/0x00020000000213e6-266.dat	family_neshta
behavioral2/files/0x0002000000000723-265.dat	family_neshta
behavioral2/files/0x000a00000001e853-272.dat	family_neshta
behavioral2/files/0x000f00000001e605-275.dat	family_neshta
behavioral2/files/0x000300000001e926-274.dat	family_neshta
behavioral2/files/0x000700000001e528-273.dat	family_neshta
behavioral2/files/0x000400000001e748-270.dat	family_neshta
behavioral2/files/0x000300000001e8d5-268.dat	family_neshta
behavioral2/files/0x000600000002313b-280.dat	family_neshta
behavioral2/memory/2228-298-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3032-299-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000600000002313b-304.dat	family_neshta
behavioral2/memory/704-313-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000600000002313b-314.dat	family_neshta
behavioral2/memory/1368-325-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2104-327-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2228-328-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3032-332-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000600000002313b-337.dat	family_neshta
behavioral2/memory/2228-354-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000600000002313b-356.dat	family_neshta
behavioral2/files/0x000600000002313b-357.dat	family_neshta
behavioral2/memory/4516-374-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000600000002313b-384.dat	family_neshta
behavioral2/memory/3408-392-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2664-393-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3764-391-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000600000002313b-375.dat	family_neshta
behavioral2/memory/3032-396-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3916-397-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3032-400-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2228-403-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3032-404-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3916-405-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2228-407-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3032-408-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3032-411-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2228-414-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Contacts a large (896) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	IMG001.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk	IMG001.exe

Executes dropped EXE 13 IoCs

pid	Process
3980	tmp.exe
3032	svchost.com
2104	svchost.com
2176	tftp.exe
704	svchost.com
4604	IMG001.exe
1368	svchost.com
3916	svchost.com
3588	tftp.exe
4516	svchost.com
3764	svchost.com
2664	svchost.com
3408	svchost.com

Loads dropped DLL 3 IoCs

pid	Process
4604	IMG001.exe
4604	IMG001.exe
4604	IMG001.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows\CurrentVersion\Run	IMG001.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	IMG001.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	IMG001.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	tmp.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	tmp.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	tmp.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	tmp.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	tmp.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	tmp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File created	C:\Windows\Tasks\UAC.job	schtasks.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	tmp.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023134-137.dat	nsis_installer_1
behavioral2/files/0x0008000000023134-137.dat	nsis_installer_2
behavioral2/files/0x0008000000023134-139.dat	nsis_installer_1
behavioral2/files/0x0008000000023134-139.dat	nsis_installer_2
behavioral2/files/0x0008000000023134-141.dat	nsis_installer_1
behavioral2/files/0x0008000000023134-141.dat	nsis_installer_2
behavioral2/files/0x0006000000023141-309.dat	nsis_installer_1
behavioral2/files/0x0006000000023141-309.dat	nsis_installer_2
behavioral2/files/0x0006000000023141-312.dat	nsis_installer_1
behavioral2/files/0x0006000000023141-312.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4368	schtasks.exe
4716	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3488	taskkill.exe
560	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	IMG001.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
824	reg.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeShutdownPrivilege	4600	powercfg.exe
Token: SeCreatePagefilePrivilege	4600	powercfg.exe
Token: SeShutdownPrivilege	2160	powercfg.exe
Token: SeCreatePagefilePrivilege	2160	powercfg.exe
Token: SeShutdownPrivilege	828	powercfg.exe
Token: SeCreatePagefilePrivilege	828	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 3980	2228	tmp.exe	85
PID 2228 wrote to memory of 3980	2228	tmp.exe	85
PID 2228 wrote to memory of 3980	2228	tmp.exe	85
PID 3980 wrote to memory of 3032	3980	tmp.exe	86
PID 3980 wrote to memory of 3032	3980	tmp.exe	86
PID 3980 wrote to memory of 3032	3980	tmp.exe	86
PID 3032 wrote to memory of 244	3032	svchost.com	87
PID 3032 wrote to memory of 244	3032	svchost.com	87
PID 3032 wrote to memory of 244	3032	svchost.com	87
PID 244 wrote to memory of 3488	244	cmd.exe	89
PID 244 wrote to memory of 3488	244	cmd.exe	89
PID 244 wrote to memory of 3488	244	cmd.exe	89
PID 3980 wrote to memory of 2104	3980	tmp.exe	93
PID 3980 wrote to memory of 2104	3980	tmp.exe	93
PID 3980 wrote to memory of 2104	3980	tmp.exe	93
PID 2104 wrote to memory of 2176	2104	svchost.com	94
PID 2104 wrote to memory of 2176	2104	svchost.com	94
PID 2104 wrote to memory of 2176	2104	svchost.com	94
PID 3980 wrote to memory of 704	3980	tmp.exe	98
PID 3980 wrote to memory of 704	3980	tmp.exe	98
PID 3980 wrote to memory of 704	3980	tmp.exe	98
PID 704 wrote to memory of 4604	704	svchost.com	99
PID 704 wrote to memory of 4604	704	svchost.com	99
PID 704 wrote to memory of 4604	704	svchost.com	99
PID 4604 wrote to memory of 1368	4604	IMG001.exe	100
PID 4604 wrote to memory of 1368	4604	IMG001.exe	100
PID 4604 wrote to memory of 1368	4604	IMG001.exe	100
PID 1368 wrote to memory of 2304	1368	svchost.com	101
PID 1368 wrote to memory of 2304	1368	svchost.com	101
PID 1368 wrote to memory of 2304	1368	svchost.com	101
PID 2304 wrote to memory of 560	2304	cmd.exe	103
PID 2304 wrote to memory of 560	2304	cmd.exe	103
PID 2304 wrote to memory of 560	2304	cmd.exe	103
PID 4604 wrote to memory of 3916	4604	IMG001.exe	104
PID 4604 wrote to memory of 3916	4604	IMG001.exe	104
PID 4604 wrote to memory of 3916	4604	IMG001.exe	104
PID 3916 wrote to memory of 3588	3916	svchost.com	105
PID 3916 wrote to memory of 3588	3916	svchost.com	105
PID 3916 wrote to memory of 3588	3916	svchost.com	105
PID 4604 wrote to memory of 4516	4604	IMG001.exe	107
PID 4604 wrote to memory of 4516	4604	IMG001.exe	107
PID 4604 wrote to memory of 4516	4604	IMG001.exe	107
PID 4604 wrote to memory of 3764	4604	IMG001.exe	108
PID 4604 wrote to memory of 3764	4604	IMG001.exe	108
PID 4604 wrote to memory of 3764	4604	IMG001.exe	108
PID 4516 wrote to memory of 5032	4516	svchost.com	109
PID 4516 wrote to memory of 5032	4516	svchost.com	109
PID 4516 wrote to memory of 5032	4516	svchost.com	109
PID 4604 wrote to memory of 2664	4604	IMG001.exe	118
PID 4604 wrote to memory of 2664	4604	IMG001.exe	118
PID 4604 wrote to memory of 2664	4604	IMG001.exe	118
PID 3764 wrote to memory of 2124	3764	svchost.com	111
PID 3764 wrote to memory of 2124	3764	svchost.com	111
PID 3764 wrote to memory of 2124	3764	svchost.com	111
PID 4604 wrote to memory of 3408	4604	IMG001.exe	110
PID 4604 wrote to memory of 3408	4604	IMG001.exe	110
PID 4604 wrote to memory of 3408	4604	IMG001.exe	110
PID 2664 wrote to memory of 2300	2664	svchost.com	117
PID 2664 wrote to memory of 2300	2664	svchost.com	117
PID 2664 wrote to memory of 2300	2664	svchost.com	117
PID 3408 wrote to memory of 3912	3408	svchost.com	116
PID 3408 wrote to memory of 3912	3408	svchost.com	116
PID 3408 wrote to memory of 3912	3408	svchost.com	116
PID 2300 wrote to memory of 4368	2300	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im tftp.exe & tskill tftp.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:244
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
      C:\Users\Admin\AppData\Local\Temp\tftp.exe
      4⤵
      Executes dropped EXE
      PID:2176
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
      C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Enumerates connected drives
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im tftp.exe & tskill tftp.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Users\Admin\AppData\Local\Temp\tftp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tftp.exe
        6⤵
        Executes dropped EXE
        
        PID:3588
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v /d C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe /t REG_SZ
        6⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v /d C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe /t REG_SZ
        7⤵
        Modifies registry key
        
        PID:824
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn UAC /SC ONLOGON /F /RL HIGHEST /TR C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
        6⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn UAC /SC ONLOGON /F /RL HIGHEST /TR C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
        7⤵
        Creates scheduled task(s)
        
        PID:4716
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        6⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -standby-timeout-ac 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
        
        C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -hibernate-timeout-ac 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\SysWOW64\powercfg.exe
        
        Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn UAC /RU SYSTEM /SC ONLOGON /F /V1 /RL HIGHEST /TR C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn UAC /RU SYSTEM /SC ONLOGON /F /V1 /RL HIGHEST /TR C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:4368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Network Service Scanning

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe

Filesize
982KB

MD5
4e8c731e3175d6d2f5085fe55974e1db

SHA1
74604823bd1e5af86d66e4986c1203f2bf26e657

SHA256
8a8d0905d868bc8b3bbd3545de42b459b3b517bb874365f911ff05ae71f90325

SHA512
a058948f7a82ca4c14ea41527c66918e7737776f7af65b00888f3c39de416397821861ba4e77cdb8a738bc0136462d1256bc6447f0d105d929831a2b47c87485

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE

Filesize
248KB

MD5
6a57dc8a285dc9738c88e78fba506d22

SHA1
6c7fbb72d162b60ae27df884aa379c9e41ecbf9d

SHA256
b3c0c2c2eba96fb385979636c2593d7322ef3d72a6d67cad4bb9ef64f7eb4699

SHA512
4d559ded8758ce92b4f2bb7ad819873aa6fcb4f351e1aec820d49ba87cb840a593f9c6dca6f5244bbe4748b9f1c623e981ba0e77ad57e1364a1876f6fc3a88f1

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE

Filesize
1.7MB

MD5
4754ef85cf5992c484e75c0859cd0c12

SHA1
199b550e52f74d5a9932b1210979bc79a9b8f6fd

SHA256
da6de758d909ff5b7fb150a4a6a6b9774951aa2bd7c93966ea8951647386c330

SHA512
22c557807b81aac91c65643abb73f212d13f7c4504b6bb14e82bd9cf91319f2daadafa67425d91fa95f1d39c3700684f928e7d68468cb192c4c0be71b9f9b5ab

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE

Filesize
317KB

MD5
7e116dae10827703962b7314c99238ca

SHA1
3244df55057e3e590982652ba721565145aec09e

SHA256
77fd9e44a46878853cbb67d49154363fb41199f93b5aa77cd6012a63b1231831

SHA512
f3a4283ba3690e223379ba7a2d1737933d6b95e88a3a2db75594de105b6edef72f92de07f220e81a4e7d03656bf41f05eef7488206aee0b0c08abcc45746ced3

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13173~1.45\MICROS~1.EXE

Filesize
1.6MB

MD5
6f46dbdeebd36491a4298ba2ad64a40e

SHA1
431a0f0e3f070f4f01a3443a10b8b29fa68a2ab6

SHA256
d093bfc63f915f9f7c905babf8eef31b5ef7c9d1ce6c5803c1290f89455db41a

SHA512
ee49e342644302d64925615a03731343f99fc4795983e8893417a702e845d1ef9f647ff1c0356e8387c9ad6bc3260c03769029e382abc94b46a4cdc5c3ed87b3

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
290KB

MD5
23b1708cd5e7409832fe36f125844e7a

SHA1
39ec7d4322cf4ccea82ee65343d05459c5eb3f3e

SHA256
03e0297166fcd0b5a439d974080fbd5efbb48dfe3b019ab11faa89ecc372765f

SHA512
d6291f0a98f1dfedd81589f07d219df23a9e734680975d5e2d91553767927bd2b7ed915e6f5974767277fb813e14f8549caf57f96912ea3cebe28b73ca3ec62e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE

Filesize
1.1MB

MD5
188427035abdcfe851a88f9f64f758ac

SHA1
56ce77858707c45d2d4192f6effd8d1abefd0a6a

SHA256
b71438fa2312dfd2a65277703cc1eacc080cd7e953de519ba9c54cc081ae51b1

SHA512
416ca0aee94276d6076355fb42dacfffbecf9b210e981ba52e4720e09bb3a5372db3ce27e1682355011e1777c138e785c16821d530c443ff646e724b31e370fa

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

Filesize
534KB

MD5
8a403bc371b84920c641afa3cf9fef2f

SHA1
d6c9d38f3e571b54132dd7ee31a169c683abfd63

SHA256
614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

SHA512
b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
526KB

MD5
413ec51a9880e79324c712c0548674c1

SHA1
032d114c78c8df6d98186eeffd9cba24589e93bb

SHA256
80eee8d364db4b281b1643a1a52a5dd1c334b4f20c2519c5e0ba7aa9a49c2bd7

SHA512
4a1f74751793c32729ebe1e01b8b79ffe1a812e6972a21c17a688f52ea828c9d179151026597cae202b3cc46ecd0909d78b47cba5b3e2dc954832cd378657555

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
714KB

MD5
24179b4581907abfef8a55ab41c97999

SHA1
e4de417476f43da4405f4340ebf6044f6b094337

SHA256
a8b960bcbf3045bedd2f6b59c521837ac4aee9c566001c01d8fc43b15b1dfdc7

SHA512
6fb0621ea3755db8af58d86bdc4f5324ba0832790e83375d07c378b6f569a109e14a78ed7d1a5e105b7a005194a31bd7771f3008b2026a0938d695e62f6ea6b8

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
715KB

MD5
06366e48936df8d5556435c9820e9990

SHA1
0e3ed1da26a0c96f549720684e87352f1b58ef45

SHA256
cd47cce50016890899413b2c3609b3b49cb1b65a4dfcaa34ece5a16d8e8f6612

SHA512
bea7342a6703771cb9b11cd164e9972eb981c33dcfe3e628b139f9e45cf1e24ded1c55fcdfa0697bf48772a3359a9ddd29e4bb33c796c94727afd1c4d5589ea3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe

Filesize
3.4MB

MD5
b4cbcba4649efb6f33b78bc5a9deb7d9

SHA1
c68acfa70120f84558a33149b184e0ab3bc7130f

SHA256
e553644443fd1227f8badbfe40caca852c3bde006519daf95eb4e6716384676a

SHA512
5efb63c28a15aa8906ccd90b77b62c092489251d1827903933962e9e9d38a419113b68aadcca2a999094965b2bc9d3c658ca5b8622f3fe1a8c990d0a02a63347

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe

Filesize
3.4MB

MD5
b4cbcba4649efb6f33b78bc5a9deb7d9

SHA1
c68acfa70120f84558a33149b184e0ab3bc7130f

SHA256
e553644443fd1227f8badbfe40caca852c3bde006519daf95eb4e6716384676a

SHA512
5efb63c28a15aa8906ccd90b77b62c092489251d1827903933962e9e9d38a419113b68aadcca2a999094965b2bc9d3c658ca5b8622f3fe1a8c990d0a02a63347

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe

Filesize
3.4MB

MD5
b4cbcba4649efb6f33b78bc5a9deb7d9

SHA1
c68acfa70120f84558a33149b184e0ab3bc7130f

SHA256
e553644443fd1227f8badbfe40caca852c3bde006519daf95eb4e6716384676a

SHA512
5efb63c28a15aa8906ccd90b77b62c092489251d1827903933962e9e9d38a419113b68aadcca2a999094965b2bc9d3c658ca5b8622f3fe1a8c990d0a02a63347

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.zip

Filesize
1KB

MD5
8604e0f263922501f749cfca447b041a

SHA1
85c712bdeaceb78e2785e1f63811b0c4a50f952d

SHA256
52ec3ba075a507e62bb6e3272fb13b30a8ddc0f62c4ea194311d558b338eb5ed

SHA512
496d7a1b8b55d28387dad3f1c43e164bb567259c4cac21dd632ccd450dfbf28d431330c27ea72a5a8034979c325d19ff3fd8a3f7fc12b1122f67ef595630d5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnE735.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnE735.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnE735.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnE735.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
7434d7d84af2d670a4727b9a20f0189a

SHA1
40c6e7fbf631bda37f4b76b2b65dcadb2871d869

SHA256
a7f9c14c314680c077ebc2ab0fcb19ecde98a39da4690a13be33799cb32052ad

SHA512
5d7e2ed138a083b4e8788b1803ee65825b429759862335f188419f80f0bd7f53168365bc73fa0d93d01c9531463d20778c040d3679b73137d0922fbe9d0c251f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
7434d7d84af2d670a4727b9a20f0189a

SHA1
40c6e7fbf631bda37f4b76b2b65dcadb2871d869

SHA256
a7f9c14c314680c077ebc2ab0fcb19ecde98a39da4690a13be33799cb32052ad

SHA512
5d7e2ed138a083b4e8788b1803ee65825b429759862335f188419f80f0bd7f53168365bc73fa0d93d01c9531463d20778c040d3679b73137d0922fbe9d0c251f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
7434d7d84af2d670a4727b9a20f0189a

SHA1
40c6e7fbf631bda37f4b76b2b65dcadb2871d869

SHA256
a7f9c14c314680c077ebc2ab0fcb19ecde98a39da4690a13be33799cb32052ad

SHA512
5d7e2ed138a083b4e8788b1803ee65825b429759862335f188419f80f0bd7f53168365bc73fa0d93d01c9531463d20778c040d3679b73137d0922fbe9d0c251f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
7434d7d84af2d670a4727b9a20f0189a

SHA1
40c6e7fbf631bda37f4b76b2b65dcadb2871d869

SHA256
a7f9c14c314680c077ebc2ab0fcb19ecde98a39da4690a13be33799cb32052ad

SHA512
5d7e2ed138a083b4e8788b1803ee65825b429759862335f188419f80f0bd7f53168365bc73fa0d93d01c9531463d20778c040d3679b73137d0922fbe9d0c251f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
7434d7d84af2d670a4727b9a20f0189a

SHA1
40c6e7fbf631bda37f4b76b2b65dcadb2871d869

SHA256
a7f9c14c314680c077ebc2ab0fcb19ecde98a39da4690a13be33799cb32052ad

SHA512
5d7e2ed138a083b4e8788b1803ee65825b429759862335f188419f80f0bd7f53168365bc73fa0d93d01c9531463d20778c040d3679b73137d0922fbe9d0c251f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
7434d7d84af2d670a4727b9a20f0189a

SHA1
40c6e7fbf631bda37f4b76b2b65dcadb2871d869

SHA256
a7f9c14c314680c077ebc2ab0fcb19ecde98a39da4690a13be33799cb32052ad

SHA512
5d7e2ed138a083b4e8788b1803ee65825b429759862335f188419f80f0bd7f53168365bc73fa0d93d01c9531463d20778c040d3679b73137d0922fbe9d0c251f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
f5ac99245457c0f3701be66fda41a4cd

SHA1
98a8a07a3f37b7f75fbe4275979053b08334a92d

SHA256
8e3cb1c69fa3d2d964385535d528b191c87f5c1bea19237e34b837813c86ecd8

SHA512
ee358125fa9c7eb20ac48106c2e5a46bfb1dca7ae6e99bf1860c8045b88d16589b849d14223488500d3565488e2e56ce73674b0299e8832099aa67e5490bc656

Download Submit
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe

Filesize
3.4MB

MD5
b4cbcba4649efb6f33b78bc5a9deb7d9

SHA1
c68acfa70120f84558a33149b184e0ab3bc7130f

SHA256
e553644443fd1227f8badbfe40caca852c3bde006519daf95eb4e6716384676a

SHA512
5efb63c28a15aa8906ccd90b77b62c092489251d1827903933962e9e9d38a419113b68aadcca2a999094965b2bc9d3c658ca5b8622f3fe1a8c990d0a02a63347

Download Submit
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe

Filesize
3.4MB

MD5
b4cbcba4649efb6f33b78bc5a9deb7d9

SHA1
c68acfa70120f84558a33149b184e0ab3bc7130f

SHA256
e553644443fd1227f8badbfe40caca852c3bde006519daf95eb4e6716384676a

SHA512
5efb63c28a15aa8906ccd90b77b62c092489251d1827903933962e9e9d38a419113b68aadcca2a999094965b2bc9d3c658ca5b8622f3fe1a8c990d0a02a63347

Download Submit
C:\Windows\directx.sys

Filesize
39B

MD5
8cf01e9c44cab9069d724f95f6c53b4e

SHA1
10e31245fd1cdafea40438f078ffe24f5d7e0634

SHA256
452194223456f8badaad2c87c3d6b8fbc338ed2511f1ef02c1b4868fb0432f91

SHA512
ec4a7e9c903f68e0ef9615f195d214b9ca2b339b36a76e226b7c6b42ff315b783998b26f4e22049f9ddbe5d281cc584044d84ad231c788f80aee4c986ae15053

Download Submit
C:\Windows\directx.sys

Filesize
44B

MD5
46cc8cd816c08f6c055558a700aa3935

SHA1
14aade27ab909239f3b76849ff68417e69df27fc

SHA256
53a1453924c326229bd5d2c1ac6dcb366be1dc25ece759101574f1e0ab0a80b5

SHA512
51d4ec525bd6132b638236e9ae2dd1d5171374c002f4264dd2458e5a7ede5c887a6dc72466e739ad2241c5d6dae32441c93600c10b03c6152391fc2dcb726ed9

Download Submit
C:\Windows\directx.sys

Filesize
44B

MD5
46cc8cd816c08f6c055558a700aa3935

SHA1
14aade27ab909239f3b76849ff68417e69df27fc

SHA256
53a1453924c326229bd5d2c1ac6dcb366be1dc25ece759101574f1e0ab0a80b5

SHA512
51d4ec525bd6132b638236e9ae2dd1d5171374c002f4264dd2458e5a7ede5c887a6dc72466e739ad2241c5d6dae32441c93600c10b03c6152391fc2dcb726ed9

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
2fc007de9775aef55bc0a330ca15d0ae

SHA1
1816c4bb1060d3328f85097440656016dae486c1

SHA256
d8d052b5fc09a48edbf43352b04ff23e5d06812bd13f7c64ac19986e723a141d

SHA512
4ba0af1095724994839b300ba2b5343707c988cbffb48a7357e544a9fd89ae8e3eb15df007d5c0a161def702ebf218a06003514c198c1a02445a35527243468c

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
2fc007de9775aef55bc0a330ca15d0ae

SHA1
1816c4bb1060d3328f85097440656016dae486c1

SHA256
d8d052b5fc09a48edbf43352b04ff23e5d06812bd13f7c64ac19986e723a141d

SHA512
4ba0af1095724994839b300ba2b5343707c988cbffb48a7357e544a9fd89ae8e3eb15df007d5c0a161def702ebf218a06003514c198c1a02445a35527243468c

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
2fc007de9775aef55bc0a330ca15d0ae

SHA1
1816c4bb1060d3328f85097440656016dae486c1

SHA256
d8d052b5fc09a48edbf43352b04ff23e5d06812bd13f7c64ac19986e723a141d

SHA512
4ba0af1095724994839b300ba2b5343707c988cbffb48a7357e544a9fd89ae8e3eb15df007d5c0a161def702ebf218a06003514c198c1a02445a35527243468c

Download Submit
C:\Windows\directx.sys

Filesize
90B

MD5
7a6fdc24b755a35a165d9468fd639e76

SHA1
acddeb049c34599021b7e4fbc5ef57b74c1e6410

SHA256
960a713e20ba76b6bd224f9cb0f67d902b3ff29c6ebce6de7cf28631005d40ba

SHA512
f62623bc6045eacf8760093d596d29047249bc0adf591f8dc7b652f29fb26560381281b8dfd5514afe17c2e18c065f32b55c73566854e2a63f90bafbca18bbc7

Download Submit
C:\Windows\directx.sys

Filesize
95B

MD5
73fc5ce83268d7b1945bb238e247220d

SHA1
6f54a7119a97ae6902195b17d37ce1332b5bdfff

SHA256
120be85fed8a3efb45db44eceb0d64646c56b92b1d55516a48ec650106388418

SHA512
3e39599bc76b995d7b5617e5010fbd974c0a37833661c0993006f987d76a8716f724a1ac4cfc4d527c49e596bef4d3efee20f91140acab398a1dd187f0759996

Download Submit
C:\Windows\directx.sys

Filesize
95B

MD5
73fc5ce83268d7b1945bb238e247220d

SHA1
6f54a7119a97ae6902195b17d37ce1332b5bdfff

SHA256
120be85fed8a3efb45db44eceb0d64646c56b92b1d55516a48ec650106388418

SHA512
3e39599bc76b995d7b5617e5010fbd974c0a37833661c0993006f987d76a8716f724a1ac4cfc4d527c49e596bef4d3efee20f91140acab398a1dd187f0759996

Download Submit
C:\Windows\directx.sys

Filesize
80B

MD5
2249364c42cc450a783354b64289a1af

SHA1
ea1ca92127cfdbd57851d44d699018176d5c68e7

SHA256
e2c7cce980a8af8910644b0f864783ebf7c4a119bff229f046c317bbc40a7cf9

SHA512
b75de78073e0de89566a1a7263cc860628b59943751be676a908bfa5177008dd809d8b23d212d9abc0d3b8402b769d7c865065ce20330d609b30cae300d63ab7

Download Submit
C:\Windows\directx.sys

Filesize
80B

MD5
2249364c42cc450a783354b64289a1af

SHA1
ea1ca92127cfdbd57851d44d699018176d5c68e7

SHA256
e2c7cce980a8af8910644b0f864783ebf7c4a119bff229f046c317bbc40a7cf9

SHA512
b75de78073e0de89566a1a7263cc860628b59943751be676a908bfa5177008dd809d8b23d212d9abc0d3b8402b769d7c865065ce20330d609b30cae300d63ab7

Download Submit
C:\Windows\directx.sys

Filesize
80B

MD5
2249364c42cc450a783354b64289a1af

SHA1
ea1ca92127cfdbd57851d44d699018176d5c68e7

SHA256
e2c7cce980a8af8910644b0f864783ebf7c4a119bff229f046c317bbc40a7cf9

SHA512
b75de78073e0de89566a1a7263cc860628b59943751be676a908bfa5177008dd809d8b23d212d9abc0d3b8402b769d7c865065ce20330d609b30cae300d63ab7

Download Submit
C:\Windows\directx.sys

Filesize
80B

MD5
2249364c42cc450a783354b64289a1af

SHA1
ea1ca92127cfdbd57851d44d699018176d5c68e7

SHA256
e2c7cce980a8af8910644b0f864783ebf7c4a119bff229f046c317bbc40a7cf9

SHA512
b75de78073e0de89566a1a7263cc860628b59943751be676a908bfa5177008dd809d8b23d212d9abc0d3b8402b769d7c865065ce20330d609b30cae300d63ab7

Download Submit
C:\Windows\directx.sys

Filesize
80B

MD5
2249364c42cc450a783354b64289a1af

SHA1
ea1ca92127cfdbd57851d44d699018176d5c68e7

SHA256
e2c7cce980a8af8910644b0f864783ebf7c4a119bff229f046c317bbc40a7cf9

SHA512
b75de78073e0de89566a1a7263cc860628b59943751be676a908bfa5177008dd809d8b23d212d9abc0d3b8402b769d7c865065ce20330d609b30cae300d63ab7

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
96758900378012081e778753cdf20643

SHA1
decd19b19bb4857fb6d854d20d4b8497f6342ab0

SHA256
41b059fe5a1924c9b5f0c476deba8e18e6b12a5babc595b4d5f1d652a246ea29

SHA512
ef0be4816daff22184a8dadecdab8149e107f1d7c89c482c744ece41b02906e3a10dafa2d86ffcc7f81d080eea408e59caa2829337a17b2ac9179847046ad33f

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
96758900378012081e778753cdf20643

SHA1
decd19b19bb4857fb6d854d20d4b8497f6342ab0

SHA256
41b059fe5a1924c9b5f0c476deba8e18e6b12a5babc595b4d5f1d652a246ea29

SHA512
ef0be4816daff22184a8dadecdab8149e107f1d7c89c482c744ece41b02906e3a10dafa2d86ffcc7f81d080eea408e59caa2829337a17b2ac9179847046ad33f

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
96758900378012081e778753cdf20643

SHA1
decd19b19bb4857fb6d854d20d4b8497f6342ab0

SHA256
41b059fe5a1924c9b5f0c476deba8e18e6b12a5babc595b4d5f1d652a246ea29

SHA512
ef0be4816daff22184a8dadecdab8149e107f1d7c89c482c744ece41b02906e3a10dafa2d86ffcc7f81d080eea408e59caa2829337a17b2ac9179847046ad33f

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
96758900378012081e778753cdf20643

SHA1
decd19b19bb4857fb6d854d20d4b8497f6342ab0

SHA256
41b059fe5a1924c9b5f0c476deba8e18e6b12a5babc595b4d5f1d652a246ea29

SHA512
ef0be4816daff22184a8dadecdab8149e107f1d7c89c482c744ece41b02906e3a10dafa2d86ffcc7f81d080eea408e59caa2829337a17b2ac9179847046ad33f

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
96758900378012081e778753cdf20643

SHA1
decd19b19bb4857fb6d854d20d4b8497f6342ab0

SHA256
41b059fe5a1924c9b5f0c476deba8e18e6b12a5babc595b4d5f1d652a246ea29

SHA512
ef0be4816daff22184a8dadecdab8149e107f1d7c89c482c744ece41b02906e3a10dafa2d86ffcc7f81d080eea408e59caa2829337a17b2ac9179847046ad33f

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
96758900378012081e778753cdf20643

SHA1
decd19b19bb4857fb6d854d20d4b8497f6342ab0

SHA256
41b059fe5a1924c9b5f0c476deba8e18e6b12a5babc595b4d5f1d652a246ea29

SHA512
ef0be4816daff22184a8dadecdab8149e107f1d7c89c482c744ece41b02906e3a10dafa2d86ffcc7f81d080eea408e59caa2829337a17b2ac9179847046ad33f

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
96758900378012081e778753cdf20643

SHA1
decd19b19bb4857fb6d854d20d4b8497f6342ab0

SHA256
41b059fe5a1924c9b5f0c476deba8e18e6b12a5babc595b4d5f1d652a246ea29

SHA512
ef0be4816daff22184a8dadecdab8149e107f1d7c89c482c744ece41b02906e3a10dafa2d86ffcc7f81d080eea408e59caa2829337a17b2ac9179847046ad33f

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
96758900378012081e778753cdf20643

SHA1
decd19b19bb4857fb6d854d20d4b8497f6342ab0

SHA256
41b059fe5a1924c9b5f0c476deba8e18e6b12a5babc595b4d5f1d652a246ea29

SHA512
ef0be4816daff22184a8dadecdab8149e107f1d7c89c482c744ece41b02906e3a10dafa2d86ffcc7f81d080eea408e59caa2829337a17b2ac9179847046ad33f

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
96758900378012081e778753cdf20643

SHA1
decd19b19bb4857fb6d854d20d4b8497f6342ab0

SHA256
41b059fe5a1924c9b5f0c476deba8e18e6b12a5babc595b4d5f1d652a246ea29

SHA512
ef0be4816daff22184a8dadecdab8149e107f1d7c89c482c744ece41b02906e3a10dafa2d86ffcc7f81d080eea408e59caa2829337a17b2ac9179847046ad33f

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
96758900378012081e778753cdf20643

SHA1
decd19b19bb4857fb6d854d20d4b8497f6342ab0

SHA256
41b059fe5a1924c9b5f0c476deba8e18e6b12a5babc595b4d5f1d652a246ea29

SHA512
ef0be4816daff22184a8dadecdab8149e107f1d7c89c482c744ece41b02906e3a10dafa2d86ffcc7f81d080eea408e59caa2829337a17b2ac9179847046ad33f

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/704-313-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2104-327-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2176-326-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2228-328-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2228-407-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2228-354-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2228-414-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2228-403-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2228-298-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2664-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3032-400-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3032-332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3032-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3032-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3032-396-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3032-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3032-408-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3408-392-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3588-402-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3588-398-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3764-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3916-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3916-397-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4516-374-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads