Sample File: MD5 hash: 8ac61890b22ca596db61d0f74da67b5d SHA1 hash: 2132beb454eaffd9b970015dcaa7d73a989d53ed SHA256 hash: 4c603d763a2b79e36492413ff788e1dd795bc09c67b2f4eccad5f339ebe44e89 SSDEEP hash: 24576:PjgCLkNHOU+dS88agRuBvYS3EXiCOLIKmV5rw:PjgvfR/HdCmXE Filename(s): nstpeer.exe Filetype: Windows Exe (x86-32) Mutex IOCs: Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45} Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6} Local\{FB999B87-1EC7-E503-005F-32E93403862D} {02F1C55C-79FC-84FB-1356-BDF8F7EA41AC} {AE35B69A-3501-1021-2FC2-3944D3167DB8} {CA459827-A1FA-8CD3-7B9E-6580DFB269B4} {CEF02F91-D541-3029-CFE2-D96473361DD8} Registry Key IOCs (keys touched during the sandbox run; the list does not distinguish reads from writes, and it includes keys that cmd.exe and the Windows shell read routinely, so weigh each entry individually before using it as a detection indicator): Clsid CurVer FileAssociations\.flv HKEY_CLASSES_ROOT\.flv HKEY_CLASSES_ROOT\.flv\PerceivedType HKEY_CLASSES_ROOT\.ods HKEY_CLASSES_ROOT\.ods\PerceivedType HKEY_CLASSES_ROOT\SystemFileAssociations\.flv\PerceivedType HKEY_CURRENT_USER\Control Panel\Desktop\AutoColorization HKEY_CURRENT_USER\Control Panel\Desktop\PaintDesktopVersion HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TokenBroker\DefaultAccount\providerId HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0 HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 (non-standard GUID-named subtree under AppDataLow; a candidate sample-specific indicator) HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Client HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Ini HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Install HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Scr HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\{111F6A44-3C4D-6BC7-CED5-30CFE2D96473} HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GameDVR\VKToggleGameBar HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDisconnect HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogoff HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cabilipc (Run-key value; together with the dropped autoclb.exe listed under File IOCs this is consistent with user-level autorun persistence, though the listing itself does not show the value's data) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\SearchboxTaskbarMode HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\UseApp HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUAsDefaultShutdownOption HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUShutdownOption HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring (Defender policy keys; this listing does not show whether they were only queried or actually set, so confirm against the sandbox's registry-write trace before reporting this as defense evasion) HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\DisplayVersion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings\ShowHibernateOption HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings\ShowSleepOption HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Launcher\AllowAutoAppRestartOnCrash HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDisconnect HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogoff HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.ods HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\SystemPropertyHandlers\.ods HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUAsDefaultShutdownOption HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUShutdownOption HKEY_USERS HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Client HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Install HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders 
HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run\cabilipc InprocHandler InprocHandler32 ShellEx\LibraryDescriptionHandler ShellEx\PropertyHandler ShellEx\{000214F9-0000-0000-C000-000000000046} ShellEx\{973810AE-9599-4B88-9E4D-6EE98C9552DA} TreatAs W32:000000000004022C\VirtualDesktop command\DelegateExecute Domain IOCs: - None - IP IOCs: - None - URL IOCs: - None - (no network indicators were observed during this run; this does not establish that the sample lacks network capability) File IOCs: Filenames (the user name CIiHmnxMn6Ps, shown in 8.3 form as CIIHMN~1, is specific to the analysis environment; match on path suffixes such as AppData\Roaming\adsldraw\autoclb.exe rather than on the full path): "C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat" "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C.tmp C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.tmp C:\Users\CIIHMN~1\Desktop\nstpeer.exe C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe C:\Users\CIiHmnxMn6Ps\Desktop C:\Users\CIiHmnxMn6Ps\Desktop\nstpeer.exe C:\Windows\SYSTEM32\ntdll.dll C:\Windows\system32\c_1252.nls \??\C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat MD5 hashes: 6afb328a2dcc48343e0f9121f3cc8f23 8ac61890b22ca596db61d0f74da67b5d (the sample itself) cac6528c8599238058c70902d8699e11 d41d8cd98f00b204e9800998ecf8427e (MD5 of an empty file; not a usable indicator) SHA1 hashes: 2132beb454eaffd9b970015dcaa7d73a989d53ed (the sample itself) 4b562bb710833310a5619f2f4486d01880265fc1 a6e1f8ef590b1ec7d1b4fbd49cb687ccf2a2956f da39a3ee5e6b4b0d3255bfef95601890afd80709 (SHA1 of an empty file; not a usable indicator) SHA256 hashes: 4c603d763a2b79e36492413ff788e1dd795bc09c67b2f4eccad5f339ebe44e89 (the sample itself) c88ddb4bc057412ffe3421a2de51dfc035b90467cb1720d9939dc8f5f467b60f d09d895a8e60365092c3c0343815a77442caab9ac5b827a05fa8c874e882c180 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (SHA256 of an empty file; not a usable indicator) SSDEEP hashes:
24576:PjgCLkNHOU+dS88agRuBvYS3EXiCOLIKmV5rw:PjgvfR/HdCmXE (the sample itself) 24576:sjgCLkNHOU+dS88agRuBvYS3EXiCOLIKmV5rw:sjgvfR/HdCmXE (differs from the sample's hash only in its leading character, i.e. a near-identical file; the listing does not say which dropped file it belongs to) 3:: (ssdeep of an empty file, matching the empty-file MD5/SHA1/SHA256 above; not a usable indicator) 3:ZMvMZLK6OWRNfeUeDGWmngU64vHXMJATkUExMv1GWl+n:yUrRheiWkvvHXMJ2d/sWIn