Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 26, 2024, 10:25 a.m.	June 26, 2024, 10:27 a.m.

Size	3.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`d59e32eefe00e9bf9e0f5dafe68903fb`
SHA256	`e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145`
CRC32	`E541C0E0`
ssdeep	`98304:MxtVPnq1y5tQOM33ZNqCtBixHl54Oyjes1bo5:uVPq1yLanrqTr43eSG`
Yara	Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

IMG001.exe "C:\Users\test22\AppData\Local\Temp\IMG001.exe"
2556
- cmd.exe "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
  2656
  - taskkill.exe taskkill /f /im tftp.exe
    2716
- tftp.exe "C:\Users\test22\AppData\Local\Temp\tftp.exe"
  2864
- IMG001.exe "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
  2980
  - cmd.exe "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
    3044
    - taskkill.exe taskkill /f /im tftp.exe
      940
  - tftp.exe "C:\Users\test22\AppData\Local\Temp\tftp.exe"
    152
  - cmd.exe "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
    2212
    - reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
      2688
  - cmd.exe "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
    2240
    - schtasks.exe schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
      2732
  - cmd.exe "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
    2448
    - schtasks.exe schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
      2704
  - cmd.exe "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
    2548
    - powercfg.exe powercfg /CHANGE -standby-timeout-ac 0
      1080
    - powercfg.exe powercfg /CHANGE -hibernate-timeout-ac 0
      504
    - powercfg.exe Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
      1456
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
stafftest.ru

IP Address	Status	Action
1.235.75.4	Active	Moloch
100.158.111.7	Active	Moloch
100.187.100.2	Active	Moloch
100.203.165.1	Active	Moloch
101.140.174.3	Active	Moloch
101.167.207.2	Active	Moloch
101.178.251.3	Active	Moloch
101.65.120.0	Active	Moloch
101.98.205.0	Active	Moloch
102.227.222.6	Active	Moloch
102.45.108.7	Active	Moloch
102.49.154.7	Active	Moloch
103.244.146.1	Active	Moloch
104.1.38.5	Active	Moloch
104.127.135.1	Active	Moloch
104.182.225.7	Active	Moloch
104.228.42.4	Active	Moloch
104.32.211.6	Active	Moloch
105.55.141.0	Active	Moloch
106.136.223.4	Active	Moloch
106.181.76.3	Active	Moloch
106.21.59.2	Active	Moloch
106.239.186.3	Active	Moloch
106.70.168.2	Active	Moloch
107.8.69.1	Active	Moloch
108.13.45.0	Active	Moloch
108.40.84.3	Active	Moloch
109.106.145.5	Active	Moloch
109.139.133.0	Active	Moloch
109.186.209.1	Active	Moloch
109.240.241.7	Active	Moloch
109.255.202.7	Active	Moloch
109.65.245.6	Active	Moloch
109.87.170.7	Active	Moloch
109.98.160.4	Active	Moloch
11.70.253.6	Active	Moloch
110.167.84.6	Active	Moloch
110.57.169.4	Active	Moloch
110.64.184.1	Active	Moloch
110.90.74.2	Active	Moloch
111.219.91.1	Active	Moloch
111.223.14.2	Active	Moloch
112.214.247.4	Active	Moloch
112.52.114.2	Active	Moloch
113.113.218.3	Active	Moloch
113.14.170.5	Active	Moloch
113.173.174.4	Active	Moloch
113.219.23.2	Active	Moloch
114.125.254.6	Active	Moloch
114.131.124.0	Active	Moloch
114.140.131.1	Active	Moloch
114.155.228.5	Active	Moloch
114.183.161.5	Active	Moloch
114.213.150.1	Active	Moloch
114.213.212.0	Active	Moloch
116.203.17.7	Active	Moloch
116.79.123.3	Active	Moloch
117.113.51.7	Active	Moloch
117.31.48.6	Active	Moloch
118.228.153.1	Active	Moloch
118.47.212.4	Active	Moloch
119.120.5.1	Active	Moloch
119.93.148.0	Active	Moloch
119.96.84.1	Active	Moloch
12.209.32.2	Active	Moloch
12.243.176.0	Active	Moloch
12.4.101.5	Active	Moloch
120.27.154.1	Active	Moloch
121.112.234.2	Active	Moloch
121.186.69.3	Active	Moloch
121.226.5.0	Active	Moloch
122.119.0.6	Active	Moloch
123.174.249.7	Active	Moloch
123.243.226.5	Active	Moloch
124.230.76.1	Active	Moloch
124.50.35.5	Active	Moloch
125.99.183.1	Active	Moloch
126.115.92.2	Active	Moloch
126.150.49.3	Active	Moloch
126.231.111.1	Active	Moloch
126.96.238.5	Active	Moloch
128.109.131.4	Active	Moloch
128.224.196.4	Active	Moloch
128.244.87.1	Active	Moloch
129.143.220.5	Active	Moloch
129.203.48.4	Active	Moloch
129.71.55.3	Active	Moloch
13.115.48.6	Active	Moloch
13.168.3.0	Active	Moloch
13.185.59.6	Active	Moloch
13.202.40.0	Active	Moloch
13.38.143.1	Active	Moloch
130.212.184.4	Active	Moloch
131.121.162.7	Active	Moloch
131.30.153.2	Active	Moloch
131.90.97.2	Active	Moloch
132.216.37.0	Active	Moloch
132.39.69.7	Active	Moloch
133.17.35.1	Active	Moloch
133.198.127.1	Active	Moloch
134.112.69.7	Active	Moloch
134.31.13.4	Active	Moloch
135.191.15.4	Active	Moloch
135.197.181.0	Active	Moloch
135.208.216.0	Active	Moloch
135.38.78.5	Active	Moloch
136.124.180.6	Active	Moloch
137.148.121.1	Active	Moloch
137.184.109.7	Active	Moloch
137.19.153.7	Active	Moloch
137.226.200.7	Active	Moloch
137.27.69.0	Active	Moloch
137.6.100.6	Active	Moloch
137.70.134.5	Active	Moloch
138.18.138.2	Active	Moloch
138.2.219.3	Active	Moloch
138.5.28.0	Active	Moloch
139.127.193.1	Active	Moloch
139.142.159.7	Active	Moloch
139.18.150.5	Active	Moloch
139.190.37.1	Active	Moloch
14.139.238.3	Active	Moloch
14.56.20.4	Active	Moloch
14.59.153.2	Active	Moloch
14.94.55.3	Active	Moloch
140.185.140.4	Active	Moloch
140.249.136.7	Active	Moloch
140.31.210.2	Active	Moloch
140.74.104.0	Active	Moloch
140.77.99.3	Active	Moloch
141.148.60.6	Active	Moloch
141.226.234.5	Active	Moloch
141.82.93.3	Active	Moloch
142.63.234.5	Active	Moloch
143.151.202.1	Active	Moloch
143.68.195.4	Active	Moloch
144.118.84.0	Active	Moloch
144.132.68.3	Active	Moloch
144.92.227.0	Active	Moloch
145.105.72.6	Active	Moloch
145.106.68.0	Active	Moloch
145.120.34.1	Active	Moloch
145.157.209.2	Active	Moloch
145.221.150.2	Active	Moloch
145.71.93.6	Active	Moloch
146.154.239.4	Active	Moloch
146.164.3.6	Active	Moloch
146.247.42.3	Active	Moloch
146.41.228.1	Active	Moloch
146.42.149.7	Active	Moloch
147.74.98.1	Active	Moloch
148.120.102.3	Active	Moloch
148.37.71.6	Active	Moloch
149.0.208.3	Active	Moloch
15.173.45.7	Active	Moloch
15.177.51.6	Active	Moloch
15.190.69.5	Active	Moloch
15.79.232.1	Active	Moloch
15.88.247.3	Active	Moloch
150.136.211.5	Active	Moloch
150.169.42.2	Active	Moloch
150.174.221.2	Active	Moloch
150.34.234.3	Active	Moloch
150.47.158.1	Active	Moloch
150.87.156.5	Active	Moloch
151.17.47.2	Active	Moloch
151.194.231.2	Active	Moloch
151.244.48.5	Active	Moloch
151.40.43.2	Active	Moloch
151.47.145.2	Active	Moloch
151.54.205.3	Active	Moloch
152.189.196.3	Active	Moloch
152.209.124.3	Active	Moloch
152.227.8.3	Active	Moloch
152.228.98.7	Active	Moloch
152.37.21.6	Active	Moloch
153.193.41.0	Active	Moloch
153.194.191.4	Active	Moloch
153.225.252.0	Active	Moloch
154.226.148.7	Active	Moloch
156.175.191.7	Active	Moloch
156.232.249.2	Active	Moloch
156.31.244.6	Active	Moloch
156.81.158.7	Active	Moloch
156.82.46.0	Active	Moloch
157.215.206.5	Active	Moloch
157.232.68.7	Active	Moloch
157.78.175.4	Active	Moloch
158.155.154.4	Active	Moloch
158.172.227.7	Active	Moloch
158.191.118.5	Active	Moloch
158.206.112.1	Active	Moloch
158.219.127.0	Active	Moloch
158.248.239.4	Active	Moloch
158.55.212.6	Active	Moloch
158.85.177.2	Active	Moloch
158.92.83.1	Active	Moloch
159.131.6.5	Active	Moloch
159.188.230.0	Active	Moloch
16.140.135.5	Active	Moloch
16.243.68.6	Active	Moloch
16.47.221.2	Active	Moloch
16.50.247.5	Active	Moloch
160.27.178.0	Active	Moloch
161.134.141.7	Active	Moloch
161.159.30.6	Active	Moloch
162.103.195.7	Active	Moloch
162.151.65.1	Active	Moloch
162.157.48.0	Active	Moloch
162.251.243.7	Active	Moloch
163.157.114.3	Active	Moloch
163.206.85.3	Active	Moloch
164.124.101.2	Active	Moloch
164.88.250.0	Active	Moloch
165.141.253.0	Active	Moloch
165.158.187.0	Active	Moloch
165.232.202.3	Active	Moloch
166.176.155.2	Active	Moloch
166.182.145.6	Active	Moloch
166.220.31.2	Active	Moloch
166.37.126.3	Active	Moloch
167.102.223.3	Active	Moloch
167.125.44.2	Active	Moloch
167.147.129.6	Active	Moloch
167.177.24.2	Active	Moloch
167.226.44.3	Active	Moloch
168.29.72.5	Active	Moloch
168.42.29.6	Active	Moloch
169.115.110.2	Active	Moloch
169.151.168.2	Active	Moloch
169.167.211.1	Active	Moloch
169.182.148.0	Active	Moloch
169.213.178.2	Active	Moloch
17.109.8.6	Active	Moloch
17.139.210.4	Active	Moloch
17.182.117.1	Active	Moloch
17.192.94.1	Active	Moloch
170.176.225.1	Active	Moloch
170.188.69.7	Active	Moloch
170.196.40.1	Active	Moloch
171.173.55.4	Active	Moloch
171.209.1.7	Active	Moloch
171.244.51.7	Active	Moloch
171.51.48.0	Active	Moloch
172.117.173.2	Active	Moloch
172.161.221.6	Active	Moloch
172.51.44.3	Active	Moloch
173.100.23.4	Active	Moloch
173.144.51.1	Active	Moloch
173.188.187.3	Active	Moloch
173.232.201.6	Active	Moloch
173.5.217.6	Active	Moloch
173.93.240.4	Active	Moloch
174.11.152.3	Active	Moloch
174.219.175.3	Active	Moloch
174.33.85.2	Active	Moloch
175.203.223.4	Active	Moloch
175.247.84.5	Active	Moloch
175.87.163.1	Active	Moloch
176.149.246.4	Active	Moloch
177.119.12.1	Active	Moloch
177.163.61.2	Active	Moloch
177.232.150.6	Active	Moloch
177.250.135.6	Active	Moloch
178.112.45.2	Active	Moloch
178.49.102.5	Active	Moloch
178.98.40.6	Active	Moloch
179.130.246.5	Active	Moloch
18.146.186.3	Active	Moloch
18.46.212.4	Active	Moloch
18.6.109.6	Active	Moloch
18.97.141.4	Active	Moloch
180.112.249.6	Active	Moloch
180.141.42.6	Active	Moloch
180.213.185.1	Active	Moloch
180.248.6.2	Active	Moloch
180.31.112.7	Active	Moloch
180.69.46.7	Active	Moloch
181.202.215.5	Active	Moloch
181.225.220.5	Active	Moloch
181.76.181.1	Active	Moloch
182.188.85.7	Active	Moloch
183.189.137.5	Active	Moloch
183.192.41.0	Active	Moloch
183.246.186.0	Active	Moloch
184.130.205.6	Active	Moloch
184.172.153.7	Active	Moloch
184.183.119.3	Active	Moloch
185.15.108.3	Active	Moloch
185.197.149.6	Active	Moloch
185.21.112.5	Active	Moloch
185.25.140.5	Active	Moloch
185.91.19.2	Active	Moloch
185.97.187.2	Active	Moloch
186.203.37.6	Active	Moloch
186.22.155.5	Active	Moloch
187.108.49.3	Active	Moloch
188.181.91.4	Active	Moloch
189.168.240.3	Active	Moloch
189.197.61.0	Active	Moloch
189.232.197.4	Active	Moloch
189.52.3.7	Active	Moloch
19.209.196.2	Active	Moloch
19.233.176.1	Active	Moloch
190.27.64.4	Active	Moloch
190.89.23.5	Active	Moloch
190.93.195.5	Active	Moloch
191.68.97.6	Active	Moloch
192.10.113.1	Active	Moloch
192.40.90.1	Active	Moloch
193.124.5.0	Active	Moloch
194.109.201.6	Active	Moloch
194.140.101.4	Active	Moloch
194.142.212.6	Active	Moloch
194.170.76.7	Active	Moloch
194.218.5.5	Active	Moloch
194.238.53.4	Active	Moloch
195.54.200.0	Active	Moloch
195.68.142.4	Active	Moloch
196.113.219.5	Active	Moloch
196.141.69.7	Active	Moloch
196.185.125.3	Active	Moloch
196.97.217.3	Active	Moloch
197.106.116.5	Active	Moloch
197.202.247.5	Active	Moloch
198.130.230.5	Active	Moloch
198.137.71.2	Active	Moloch
198.24.171.7	Active	Moloch
199.133.163.4	Active	Moloch
199.14.46.7	Active	Moloch
199.167.240.3	Active	Moloch
199.75.140.3	Active	Moloch
2.163.95.0	Active	Moloch
2.164.27.1	Active	Moloch
2.251.198.4	Active	Moloch
20.58.129.7	Active	Moloch
200.110.149.4	Active	Moloch
200.137.230.6	Active	Moloch
200.144.167.0	Active	Moloch
200.187.112.5	Active	Moloch
200.81.217.3	Active	Moloch
201.174.206.0	Active	Moloch
201.229.174.1	Active	Moloch
201.245.94.1	Active	Moloch
201.80.75.6	Active	Moloch
202.113.42.4	Active	Moloch
202.114.1.5	Active	Moloch
202.194.33.0	Active	Moloch
202.59.35.4	Active	Moloch
203.206.127.3	Active	Moloch
204.10.111.1	Active	Moloch
204.104.82.6	Active	Moloch
204.142.151.6	Active	Moloch
204.20.227.7	Active	Moloch
204.222.28.7	Active	Moloch
204.253.19.5	Active	Moloch
205.148.208.7	Active	Moloch
205.248.152.7	Active	Moloch
206.107.48.3	Active	Moloch
206.254.103.1	Active	Moloch
206.68.42.5	Active	Moloch
206.77.241.5	Active	Moloch
207.117.43.7	Active	Moloch
207.144.147.7	Active	Moloch
207.179.116.0	Active	Moloch
207.84.206.5	Active	Moloch
208.253.169.4	Active	Moloch
209.196.206.5	Active	Moloch
209.31.187.4	Active	Moloch
209.62.194.3	Active	Moloch
21.107.146.4	Active	Moloch
21.130.90.2	Active	Moloch
21.214.246.7	Active	Moloch
21.242.14.2	Active	Moloch
210.128.101.4	Active	Moloch
210.148.110.4	Active	Moloch
210.25.42.3	Active	Moloch
210.27.243.5	Active	Moloch
210.38.160.5	Active	Moloch
211.203.15.0	Active	Moloch
211.79.142.7	Active	Moloch
212.241.155.5	Active	Moloch
212.73.146.6	Active	Moloch
212.78.5.1	Active	Moloch
213.132.185.4	Active	Moloch
213.185.177.7	Active	Moloch
213.230.228.1	Active	Moloch
213.98.138.1	Active	Moloch
214.176.33.3	Active	Moloch
214.251.23.7	Active	Moloch
215.120.179.7	Active	Moloch
215.172.174.7	Active	Moloch
215.172.65.2	Active	Moloch
215.28.41.5	Active	Moloch
215.53.151.2	Active	Moloch
215.55.30.3	Active	Moloch
216.127.98.7	Active	Moloch
216.139.23.3	Active	Moloch
216.172.247.2	Active	Moloch
216.188.55.5	Active	Moloch
216.192.82.0	Active	Moloch
216.211.81.2	Active	Moloch
216.32.181.0	Active	Moloch
216.99.70.3	Active	Moloch
217.160.225.4	Active	Moloch
217.212.59.6	Active	Moloch
218.206.174.1	Active	Moloch
218.245.253.2	Active	Moloch
218.248.202.7	Active	Moloch
218.92.196.2	Active	Moloch
219.16.227.3	Active	Moloch
219.253.131.3	Active	Moloch
219.59.35.2	Active	Moloch
219.91.167.3	Active	Moloch
22.128.65.5	Active	Moloch
22.194.27.1	Active	Moloch
22.6.251.7	Active	Moloch
22.64.78.4	Active	Moloch
220.134.66.2	Active	Moloch
220.155.111.0	Active	Moloch
220.242.99.1	Active	Moloch
220.245.129.7	Active	Moloch
221.119.80.2	Active	Moloch
221.130.232.4	Active	Moloch
221.17.48.3	Active	Moloch
221.241.66.4	Active	Moloch
222.232.100.2	Active	Moloch
222.244.5.7	Active	Moloch
222.29.201.4	Active	Moloch
223.15.187.7	Active	Moloch
223.200.60.6	Active	Moloch
223.69.210.1	Active	Moloch
23.221.228.5	Active	Moloch
23.55.106.6	Active	Moloch
24.10.226.2	Active	Moloch
24.30.79.3	Active	Moloch
24.41.139.3	Active	Moloch
24.9.254.4	Active	Moloch
25.128.41.5	Active	Moloch
25.14.214.0	Active	Moloch
25.225.35.1	Active	Moloch
26.209.94.6	Active	Moloch
26.249.238.4	Active	Moloch
27.13.30.1	Active	Moloch
27.142.224.5	Active	Moloch
27.4.181.2	Active	Moloch
27.76.84.5	Active	Moloch
28.18.112.1	Active	Moloch
28.86.16.1	Active	Moloch
29.101.254.6	Active	Moloch
29.21.227.3	Active	Moloch
29.231.57.0	Active	Moloch
29.8.10.5	Active	Moloch
3.16.116.2	Active	Moloch
3.165.47.3	Active	Moloch
3.27.20.0	Active	Moloch
30.183.23.0	Active	Moloch
31.202.191.4	Active	Moloch
32.228.73.5	Active	Moloch
32.73.213.2	Active	Moloch
32.76.205.0	Active	Moloch
32.8.245.7	Active	Moloch
32.9.31.6	Active	Moloch
33.119.36.2	Active	Moloch
33.54.151.3	Active	Moloch
33.66.3.1	Active	Moloch
33.78.204.0	Active	Moloch
34.100.142.7	Active	Moloch
34.170.22.4	Active	Moloch
34.192.45.1	Active	Moloch
34.203.64.3	Active	Moloch
34.74.38.2	Active	Moloch
35.51.45.2	Active	Moloch
36.253.163.5	Active	Moloch
36.67.217.6	Active	Moloch
36.79.163.5	Active	Moloch
37.218.113.7	Active	Moloch
37.49.234.7	Active	Moloch
38.11.73.3	Active	Moloch
38.181.18.5	Active	Moloch
39.12.232.2	Active	Moloch
39.77.224.2	Active	Moloch
4.191.68.7	Active	Moloch
4.215.46.4	Active	Moloch
4.81.106.0	Active	Moloch
40.119.209.6	Active	Moloch
40.120.249.3	Active	Moloch
40.124.85.0	Active	Moloch
40.130.40.5	Active	Moloch
40.152.54.0	Active	Moloch
40.192.53.0	Active	Moloch
40.193.229.5	Active	Moloch
41.111.40.2	Active	Moloch
41.254.97.1	Active	Moloch
41.40.17.6	Active	Moloch
43.147.153.7	Active	Moloch
43.159.223.2	Active	Moloch
43.16.210.5	Active	Moloch
43.54.104.5	Active	Moloch
43.7.126.1	Active	Moloch
44.163.71.0	Active	Moloch
44.202.71.4	Active	Moloch
44.48.220.3	Active	Moloch
45.199.114.5	Active	Moloch
45.216.149.5	Active	Moloch
45.226.163.6	Active	Moloch
46.120.176.7	Active	Moloch
46.201.141.3	Active	Moloch
46.95.68.6	Active	Moloch
47.68.179.2	Active	Moloch
47.72.208.0	Active	Moloch
48.142.186.7	Active	Moloch
48.176.108.3	Active	Moloch
48.182.125.6	Active	Moloch
48.25.10.7	Active	Moloch
48.51.29.1	Active	Moloch
48.77.253.2	Active	Moloch
48.87.231.5	Active	Moloch
49.0.212.5	Active	Moloch
49.133.25.5	Active	Moloch
49.20.107.3	Active	Moloch
5.196.187.6	Active	Moloch
5.23.144.7	Active	Moloch
50.166.90.5	Active	Moloch
50.80.142.1	Active	Moloch
51.123.82.0	Active	Moloch
51.161.32.3	Active	Moloch
51.162.38.4	Active	Moloch
51.211.125.2	Active	Moloch
51.3.142.0	Active	Moloch
52.118.120.7	Active	Moloch
52.186.162.2	Active	Moloch
52.192.39.0	Active	Moloch
52.9.11.6	Active	Moloch
53.160.52.2	Active	Moloch
53.197.74.5	Active	Moloch
53.21.121.7	Active	Moloch
54.44.64.5	Active	Moloch
54.6.184.4	Active	Moloch
55.164.210.7	Active	Moloch
55.172.89.4	Active	Moloch
55.178.230.0	Active	Moloch
55.54.26.0	Active	Moloch
56.11.199.3	Active	Moloch
56.136.159.2	Active	Moloch
56.231.200.3	Active	Moloch
56.54.184.4	Active	Moloch
56.90.214.4	Active	Moloch
57.103.211.5	Active	Moloch
57.104.168.1	Active	Moloch
57.127.153.4	Active	Moloch
57.211.178.7	Active	Moloch
57.240.19.4	Active	Moloch
57.86.146.1	Active	Moloch
58.118.167.5	Active	Moloch
58.133.18.4	Active	Moloch
59.31.179.1	Active	Moloch
59.33.136.7	Active	Moloch
59.87.121.1	Active	Moloch
6.20.34.4	Active	Moloch
6.51.184.6	Active	Moloch
60.111.191.4	Active	Moloch
60.14.202.0	Active	Moloch
60.228.239.3	Active	Moloch
61.10.64.5	Active	Moloch
61.116.102.2	Active	Moloch
61.234.43.5	Active	Moloch
62.232.77.0	Active	Moloch
63.178.129.3	Active	Moloch
63.20.1.2	Active	Moloch
63.49.119.2	Active	Moloch
63.88.236.6	Active	Moloch
64.224.251.0	Active	Moloch
64.51.26.0	Active	Moloch
64.79.145.6	Active	Moloch
64.90.149.0	Active	Moloch
65.156.214.3	Active	Moloch
65.187.123.7	Active	Moloch
65.190.30.3	Active	Moloch
65.44.92.7	Active	Moloch
65.98.77.1	Active	Moloch
66.243.13.3	Active	Moloch
66.3.211.0	Active	Moloch
66.8.244.6	Active	Moloch
67.174.34.2	Active	Moloch
67.203.26.6	Active	Moloch
67.214.97.4	Active	Moloch
68.125.68.2	Active	Moloch
68.61.74.0	Active	Moloch
69.191.103.7	Active	Moloch
69.56.4.6	Active	Moloch
7.115.242.5	Active	Moloch
7.216.137.4	Active	Moloch
7.48.125.6	Active	Moloch
7.8.94.0	Active	Moloch
70.89.190.5	Active	Moloch
70.90.21.3	Active	Moloch
71.153.118.1	Active	Moloch
71.29.183.7	Active	Moloch
72.15.230.1	Active	Moloch
73.129.33.1	Active	Moloch
73.151.228.6	Active	Moloch
73.197.191.2	Active	Moloch
73.253.76.6	Active	Moloch
73.55.58.4	Active	Moloch
73.67.251.7	Active	Moloch
74.175.245.3	Active	Moloch
74.52.61.5	Active	Moloch
75.168.236.3	Active	Moloch
75.203.25.3	Active	Moloch
75.204.81.6	Active	Moloch
75.207.225.0	Active	Moloch
75.232.121.4	Active	Moloch
75.242.104.3	Active	Moloch
75.82.156.6	Active	Moloch
76.119.154.0	Active	Moloch
76.154.104.4	Active	Moloch
76.255.123.0	Active	Moloch
77.136.111.4	Active	Moloch
77.165.118.6	Active	Moloch
77.168.2.3	Active	Moloch
77.249.89.1	Active	Moloch
78.133.232.4	Active	Moloch
78.145.131.5	Active	Moloch
78.173.108.2	Active	Moloch
78.187.80.6	Active	Moloch
78.199.25.0	Active	Moloch
78.247.252.3	Active	Moloch
79.223.168.2	Active	Moloch
79.53.216.7	Active	Moloch
8.117.77.6	Active	Moloch
8.197.30.3	Active	Moloch
80.153.39.7	Active	Moloch
80.183.13.7	Active	Moloch
80.21.83.6	Active	Moloch
81.140.110.0	Active	Moloch
81.18.82.4	Active	Moloch
81.185.246.2	Active	Moloch
81.200.217.2	Active	Moloch
81.64.137.7	Active	Moloch
81.66.137.5	Active	Moloch
82.211.253.1	Active	Moloch
82.95.187.4	Active	Moloch
83.152.6.0	Active	Moloch
83.252.113.0	Active	Moloch
84.116.249.6	Active	Moloch
84.118.125.2	Active	Moloch
84.130.161.4	Active	Moloch
84.156.62.1	Active	Moloch
84.211.230.7	Active	Moloch
85.126.26.3	Active	Moloch
85.148.116.6	Active	Moloch
85.209.93.1	Active	Moloch
85.250.69.2	Active	Moloch
86.154.30.4	Active	Moloch
86.34.120.1	Active	Moloch
87.119.93.1	Active	Moloch
87.161.73.5	Active	Moloch
87.222.118.7	Active	Moloch
87.6.225.4	Active	Moloch
88.137.104.0	Active	Moloch
88.192.237.7	Active	Moloch
88.21.61.2	Active	Moloch
88.42.175.6	Active	Moloch
88.67.109.4	Active	Moloch
89.113.95.4	Active	Moloch
89.119.94.3	Active	Moloch
89.16.65.2	Active	Moloch
89.73.62.6	Active	Moloch
89.75.216.1	Active	Moloch
9.113.123.4	Active	Moloch
9.145.149.1	Active	Moloch
9.213.219.4	Active	Moloch
9.44.144.0	Active	Moloch
9.80.230.6	Active	Moloch
9.96.12.0	Active	Moloch
90.145.78.4	Active	Moloch
91.191.166.0	Active	Moloch
91.54.98.2	Active	Moloch
92.35.213.0	Active	Moloch
92.77.131.0	Active	Moloch
93.14.25.3	Active	Moloch
93.146.72.1	Active	Moloch
93.249.27.3	Active	Moloch
94.10.130.0	Active	Moloch
94.138.45.5	Active	Moloch
94.237.243.4	Active	Moloch
94.60.195.3	Active	Moloch
95.2.116.5	Active	Moloch
95.224.75.2	Active	Moloch
95.75.107.2	Active	Moloch
96.159.186.1	Active	Moloch
96.180.117.2	Active	Moloch
96.211.44.3	Active	Moloch
96.234.178.2	Active	Moloch
96.27.133.0	Active	Moloch
97.139.222.0	Active	Moloch
97.188.3.7	Active	Moloch
97.240.86.6	Active	Moloch
97.61.171.0	Active	Moloch
97.84.139.0	Active	Moloch
98.200.236.6	Active	Moloch
99.106.69.6	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 156.232.249.2:21 -> 192.168.56.101:49469	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
TCP 216.139.23.3:21 -> 192.168.56.101:49536	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 26, 2024, 10:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2024, 10:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2024, 10:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2024, 10:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2024, 10:26 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent June 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent June 26, 2024, 10:26 a.m.			0	0

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 26, 2024, 10:25 a.m.	buffer: 'tskill' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 26, 2024, 10:25 a.m.	buffer: ERROR: The process "tftp.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW June 26, 2024, 10:26 a.m.	buffer: 'tskill' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW June 26, 2024, 10:26 a.m.	buffer: SUCCESS: The process "tftp.exe" with PID 2864 has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW June 26, 2024, 10:26 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW June 26, 2024, 10:26 a.m.	buffer: SUCCESS: The scheduled task "UAC" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW June 26, 2024, 10:26 a.m.	buffer: INFO: The schedule task "UAC" will be created under user name ("NT AUTHORITY\SYSTEM"). console_handle: 0x00000007	1	1
WriteConsoleW June 26, 2024, 10:26 a.m.	buffer: SUCCESS: The scheduled task "UAC" has successfully been created. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 26, 2024, 10:25 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

stafftest.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 26, 2024, 10:19 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0
NtProtectVirtualMemory June 26, 2024, 10:27 a.m.	process_identifier: 2980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c92000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\Temp\nsn3F05.tmp\inetc.dll
file	C:\Users\test22\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe
file	C:\Users\test22\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk
file	C:\Users\test22\AppData\Local\Temp\tftp.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk

Creates a suspicious process (12 events)

cmdline	"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
cmdline	"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
cmdline	"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	C:\Windows\System32\cmd.exe /c taskkill /f /im tftp.exe & tskill tftp.exe
cmdline	"C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
cmdline	C:\Windows\System32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
cmdline	C:\Windows\System32\cmd.exe /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	C:\Windows\System32\cmd.exe /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
cmdline	schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	C:\Windows\System32\cmd.exe /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\tftp.exe

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe
file	C:\Users\test22\AppData\Local\Temp\nsn3F05.tmp\inetc.dll
file	C:\Users\test22\AppData\Local\Temp\tftp.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tftp.exe")

A process created a hidden window (9 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 26, 2024, 10:25 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c taskkill /f /im tftp.exe & tskill tftp.exe filepath: C:\Windows\System32\cmd.exe	1	1
ShellExecuteExW June 26, 2024, 10:25 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\tftp.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\tftp.exe	1	1
ShellExecuteExW June 26, 2024, 10:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe parameters: filepath: C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe	1	1
ShellExecuteExW June 26, 2024, 10:26 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c taskkill /f /im tftp.exe & tskill tftp.exe filepath: C:\Windows\System32\cmd.exe	1	1
ShellExecuteExW June 26, 2024, 10:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\tftp.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\tftp.exe	1	1
ShellExecuteExW June 26, 2024, 10:26 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ filepath: C:\Windows\System32\cmd.exe	1	1
ShellExecuteExW June 26, 2024, 10:26 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe" filepath: C:\Windows\System32\cmd.exe	1	1
ShellExecuteExW June 26, 2024, 10:26 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe" filepath: C:\Windows\System32\cmd.exe	1	1
ShellExecuteExW June 26, 2024, 10:26 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 filepath: C:\Windows\System32\cmd.exe	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000fc00', u'virtual_address': u'0x00406000', u'entropy': 7.024571488635182, u'name': u'.rsrc', u'virtual_size': u'0x0000fbd8'}

entropy

7.02457148864

description

A section with a high entropy has been found

entropy

0.688524590164

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 26, 2024, 10:25 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 26, 2024, 10:26 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 26, 2024, 10:26 a.m.	status_code: 0x00000001 process_identifier: 2864 process_handle: 0x00000188		0	0
NtTerminateProcess June 26, 2024, 10:26 a.m.	status_code: 0x00000001 process_identifier: 2864 process_handle: 0x00000188	1	0	0

Uses Windows utilities for basic Windows functionality (12 events)

cmdline	"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
cmdline	"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
cmdline	"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	C:\Windows\System32\cmd.exe /c taskkill /f /im tftp.exe & tskill tftp.exe
cmdline	C:\Windows\System32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
cmdline	taskkill /f /im tftp.exe
cmdline	reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
cmdline	C:\Windows\System32\cmd.exe /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	C:\Windows\System32\cmd.exe /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"

Communicates with host for which no DNS query was performed (50 out of 702 events)

host	1.235.75.4
host	100.158.111.7
host	100.187.100.2
host	100.203.165.1
host	101.140.174.3
host	101.167.207.2
host	101.178.251.3
host	101.65.120.0
host	101.98.205.0
host	102.227.222.6
host	102.45.108.7
host	102.49.154.7
host	103.244.146.1
host	104.1.38.5
host	104.127.135.1
host	104.182.225.7
host	104.228.42.4
host	104.32.211.6
host	105.55.141.0
host	106.136.223.4
host	106.181.76.3
host	106.21.59.2
host	106.239.186.3
host	106.70.168.2
host	107.8.69.1
host	108.13.45.0
host	108.40.84.3
host	109.106.145.5
host	109.139.133.0
host	109.186.209.1
host	109.240.241.7
host	109.255.202.7
host	109.65.245.6
host	109.87.170.7
host	109.98.160.4
host	11.70.253.6
host	110.167.84.6
host	110.57.169.4
host	110.64.184.1
host	110.90.74.2
host	111.219.91.1
host	111.223.14.2
host	112.214.247.4
host	112.52.114.2
host	113.113.218.3
host	113.14.170.5
host	113.173.174.4
host	113.219.23.2
host	114.125.254.6
host	114.131.124.0

Installs itself for autorun at Windows startup (10 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\(Default)	reg_value	C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\(Default)	reg_value	C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk
file	C:\Windows\Tasks\UAC.job
cmdline	"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	C:\Windows\System32\cmd.exe /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	C:\Windows\System32\cmd.exe /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"

Network activity contains more than one unique useragent (2 events)

process	IMG001.exe				useragent	NSIS_Inetc (Mozilla)
process	tftp.exe				useragent

Creates known Napolar files, registry keys and/or mutexes (3 events)

mutex	gcc-shmem-tdm2-use_fc_key
mutex	gcc-shmem-tdm2-sjlj_once
mutex	gcc-shmem-tdm2-fc_key

Uses Sysinternals tools in order to add additional command line functionality (3 events)

cmdline	"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	C:\Windows\System32\cmd.exe /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"
cmdline	schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\test22\AppData\Roaming\NsMiner\IMG001.exe"

Generates some ICMP traffic

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.Y!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.NSIS.Miner.SD
Skyhigh	BehavesLike.Win32.Wanex.wc
McAfee	Artemis!D59E32EEFE00
Cylance	Unsafe
VIPRE	Trojan.GenericKD.37723270
Sangfor	CoinMiner.Win32.Agent.Vvm2
K7AntiVirus	Trojan ( 004da88f1 )
Alibaba	Trojan:Win32/CoinMiner.b11ec691
K7GW	Trojan ( 004da88f1 )
Cybereason	malicious.efe00e
Baidu	Multi.Threats.InArchive
VirIT	Trojan.Win32.Generic.AAVT
Symantec	Trojan.Gen.NPE
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Trojan.Coinminer-6622864-0
Kaspersky	Trojan.NSIS.Agent.pf
BitDefender	Trojan.GenericKD.37723270
NANO-Antivirus	Trojan.Script.MLW.edxafr
SUPERAntiSpyware	Hack.Tool/Gen-BitCoinMiner
MicroWorld-eScan	Trojan.GenericKD.37723270
Rising	Trojan.PhotoMiner/NSIS!1.CB15 (CLASSIC)
Emsisoft	Trojan.GenericKD.37723270 (B)
F-Secure	Trojan:VBS/Agent.DWHS
DrWeb	Trojan.BtcMine.815
Zillya	Trojan.Agent.Win32.671765
TrendMicro	Coinminer.Win32.MALXMR.TIAOODHK
McAfeeD	ti!E06AA8CE984B
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.d59e32eefe00e9bf
Sophos	VBS/Dwnldr-MDQ
Ikarus	Worm.Win32.Crytes
Jiangmin	TrojanDownloader.VBS.qf
Webroot	W32.Bitcoin.Miner
Avira	TR/Dropper.Gen
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Win32.TSGeneric
Kingsoft	Win32.HeurC.KVM007.a
Gridinsoft	Malware.Win32.GenericMC.cc
Xcitium	Malware@#31wl9wj4588tl
Arcabit	Trojan.Generic.D23F9C86
ViRobot	Trojan.Win32.Z.Coinminer.3553626
ZoneAlarm	Trojan.NSIS.Agent.pf
GData	Win32.Riskware.CoinMiner.DQ (2x)
Google	Detected

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (50 out of 61 events)

dead_host	192.168.56.101:49303
dead_host	192.168.56.101:49322
dead_host	192.168.56.101:49787
dead_host	137.184.109.7:21
dead_host	194.218.5.5:21
dead_host	151.244.48.5:21
dead_host	173.232.201.6:21
dead_host	192.168.56.101:49464
dead_host	192.168.56.101:49783
dead_host	59.31.179.1:21
dead_host	210.38.160.5:21
dead_host	50.80.142.1:21
dead_host	192.168.56.101:49454
dead_host	121.186.69.3:21
dead_host	192.168.56.101:49731
dead_host	86.34.120.1:21
dead_host	192.168.56.101:49833
dead_host	78.199.25.0:21
dead_host	222.232.100.2:21
dead_host	41.40.17.6:21
dead_host	192.168.56.101:49744
dead_host	192.168.56.101:49567
dead_host	137.226.200.7:21
dead_host	192.168.56.101:49310
dead_host	185.15.108.3:21
dead_host	89.75.216.1:21
dead_host	192.168.56.101:49215
dead_host	192.168.56.101:49931
dead_host	38.181.18.5:21
dead_host	80.153.39.7:21
dead_host	57.86.146.1:21
dead_host	192.168.56.101:49242
dead_host	192.168.56.101:49753
dead_host	96.234.178.2:21
dead_host	92.35.213.0:21
dead_host	192.168.56.101:49450
dead_host	192.168.56.101:49296
dead_host	192.168.56.101:49755
dead_host	221.119.80.2:21
dead_host	192.168.56.101:49419
dead_host	64.224.251.0:21
dead_host	118.47.212.4:21
dead_host	192.168.56.101:49654
dead_host	192.168.56.101:49737
dead_host	180.112.249.6:21
dead_host	192.168.56.101:49319
dead_host	139.18.150.5:21
dead_host	192.168.56.101:49213
dead_host	192.168.56.101:49298
dead_host	45.199.114.5:21

IMG001.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All