Analysis
-
max time kernel
114s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
14-05-2023 22:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe
Resource
win7-20230220-en
windows7-x64
22 signatures
150 seconds
Behavioral task
behavioral2
Sample
3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe
-
Size
284KB
-
MD5
209a288c68207d57e0ce6e60ebf60729
-
SHA1
e654d39cd13414b5151e8cf0d8f5b166dddd45cb
-
SHA256
3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
-
SHA512
ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3
-
SSDEEP
3072:rYXT8PUsMNL8V4tD2My/JAAbQoM29wlV58lbNnolY7VgsYiVTPtiTu/q:rowUsML8g2j0o9wb0bNoaKsYImui
Score
8/10
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt ncmeebg.exe -
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\CompleteUnregister.raw => C:\Users\Admin\Pictures\CompleteUnregister.raw.ecc ncmeebg.exe File renamed C:\Users\Admin\Pictures\EditSet.crw => C:\Users\Admin\Pictures\EditSet.crw.ecc ncmeebg.exe File renamed C:\Users\Admin\Pictures\SearchImport.png => C:\Users\Admin\Pictures\SearchImport.png.ecc ncmeebg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe -
Executes dropped EXE 1 IoCs
pid Process 4164 ncmeebg.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows\CurrentVersion\Run ncmeebg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crypto13 = "C:\\Users\\Admin\\AppData\\Roaming\\ncmeebg.exe" ncmeebg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\PrintManagement.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\GroupSet\GroupSet.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\_Default\Professional\license.rtf ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Storage\Storage.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\es-ES\MSFT_EnvironmentResource.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\en-US\TestDtc.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\de-DE\PSDSCxMachine.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\license.rtf ncmeebg.exe File opened for modification C:\Windows\SysWOW64\it-IT\lpeula.rtf ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\es-ES\AssignedAccessMsg.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\fr-FR\MSFT_WindowsOptionalFeature.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\it-IT\PSDSCxMachine.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SecureBoot\SecureBoot.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\license.rtf ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\it-IT\RunAsHelper.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\it-IT\MSFT_ProcessResource.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\es-ES\MSFT_ScriptResourceStrings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PnpDevice\PnpDevice.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\es-ES\RunAsHelper.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\en-US\ArchiveProvider.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\license.rtf ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\ja-JP\WindowsPackageCab.Strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\DefaultAccountTile.png ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\ja-JP\MSFT_UserResource.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClient.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\es-ES\ArchiveResources.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\fr-FR\MSFT_UserResource.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\it-IT\WindowsPackageCab.Strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr-FR\TestDtc.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\ja-JP\RunAsHelper.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\en-US\MSFT_GroupResource.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\ja-JP\PackageProvider.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\es-ES\MSFT_UserResource.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\fr-FR\MSFT_RoleResourceStrings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\de-DE\MSFT_EnvironmentResource.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense\WindowsDeveloperLicense.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\de-DE\lpeula.rtf ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetConnection\NetConnection.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\de-DE\WindowsPackageCab.Strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\es-ES\MSFT_ProcessResource.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\es-ES\PSDesiredStateConfiguration.Resource.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\es-ES\MSFT_RegistryResource.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\it-IT\MSFT_ScriptResourceStrings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Wdac\Wdac.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\de-DE\PSDesiredStateConfiguration.Resource.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\de-DE\MSFT_GroupResource.strings.psd1 ncmeebg.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\ja-JP\MSFT_GroupResource.strings.psd1 ncmeebg.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_TO_DECRYPT_YOUR_FILES.bmp" ncmeebg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-150.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-200.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_start_a_coversation_v2.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LargeTile.scale-200_contrast-white.png ncmeebg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-1x.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreWideTile.scale-200.png ncmeebg.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLargeTile.scale-100.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-30.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-100.png ncmeebg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforsignature_18.svg ncmeebg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\dd_arrow_small2x.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-150.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\WideTile.scale-125.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16_altform-lightunplated.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\LargeTile.scale-100.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LargeTile.scale-125_contrast-white.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\LargeTile.scale-100.png ncmeebg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\ui-strings.js ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\2.jpg ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_contrast-black.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\DefaultConfiguration.json ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteReplayCrossHairIcon-2.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-unplated_contrast-black.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-30.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-150.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_contrast-white.png ncmeebg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\ui-strings.js ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\MedTile.scale-100.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-white.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125_contrast-black.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Cloud.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-54_altform-unplated.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-256_altform-unplated.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailBadge.scale-400.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\BadgeLogo.scale-100_contrast-white.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\166.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-100_contrast-black.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-30_altform-unplated.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-20.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MicrosoftLogo.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-36_altform-unplated_contrast-black.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteLargeTile.scale-100.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\notificationCenter_dark.css ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_scale-100.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-100_contrast-white.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-200.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_LargeTile.scale-100.png ncmeebg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\main-selector.css ncmeebg.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-exit.svg ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-72_altform-unplated_contrast-black.png ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_es.json ncmeebg.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-unplated.png ncmeebg.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.153_none_47569e595c44e70c\SquareTile44x44.scale-400.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1_none_d0af17ec366548f3\Apps.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\expandingListView.css ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\InputApp\InputApp\Assets\SplashScreen.scale-125.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-printing-powershell_31bf3856ad364e35_10.0.19041.1_none_0c93bd5546c725bf\PrintManagement.psd1 ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oemRegistrationInfo.js ncmeebg.exe File opened for modification C:\Windows\ImmersiveControlPanel\images\wide.TimeLanguage.png ncmeebg.exe File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-48_contrast-white.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\addWatch.png ncmeebg.exe File opened for modification C:\Windows\diagnostics\system\IEBrowseWeb\en-US\RS_ResetCacheSize.psd1 ncmeebg.exe File opened for modification C:\Windows\SystemResources\Windows.UI.Shell\Images\PasswordExpiry.scale-150.png ncmeebg.exe File opened for modification C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\CellularToast.scale-200_contrast-white.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\OobeReboot.js ncmeebg.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft.certifica..ts.native.resources_31bf3856ad364e35_10.0.19041.1_es-es_8d6e5e4c112feaef.manifest ncmeebg.exe File opened for modification C:\Windows\ImmersiveControlPanel\images\Gaming.png ncmeebg.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\perftools\controls\hubControls.js ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.153_none_47569e595c44e70c\SquareTile310x150.scale-200.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\htmlScriptFinder.js ncmeebg.exe File opened for modification C:\Windows\diagnostics\system\Power\es-ES\Power_Troubleshooter.psd1 ncmeebg.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\images\tsfileicon.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare71x71.scale-100.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ets.icons.searchapp_31bf3856ad364e35_10.0.19041.1_none_ceba36fd1b479c4c\MediumTile.scale-200.png ncmeebg.exe File opened for modification C:\Windows\diagnostics\system\Networking\fr-FR\LocalizationData.psd1 ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobesettings-multipage-vm.js ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\checkered_background.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a388618f6365227\NarratorUWPSquare44x44Logo.targetsize-24_contrast-black.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.746_none_2b9acc2d69574796\RequestedDownloadsCloudIcon.contrast-black_scale-100.png ncmeebg.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\Css\CssFormatter.js ncmeebg.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobelocalaccount-vm.js ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobelocalngc-vm.js ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleLogo.scale-400_contrast-black.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.19041.153_none_51feabe070ab84f6\OkDone_80.contrast-white.png ncmeebg.exe File opened for modification C:\Windows\diagnostics\system\IESecurity\es-ES\RS_Blockpopups.psd1 ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobelanguage-vm.js ncmeebg.exe File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\SquareLogo150x150.scale-200.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oemregistrationHelper.js ncmeebg.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-40_altform-unplated_contrast-black.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..in.assets.searchapp_31bf3856ad364e35_10.0.19041.1_none_501fda1ac26a3cf4\Splashscreen.scale-80.png ncmeebg.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\16.js ncmeebg.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\serviceworker\remote\serviceworkerRemote.bundle.js ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\Square71x71Logo.scale-125.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.19041.1_none_11b2da2074e7d6e4\StoreLogo.scale-100.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\img8.jpg ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-search_31bf3856ad364e35_10.0.19041.1_none_ab0246b6c25f7d5c\logo.scale-80.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-x..jectdialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1240cd13c584c1c\SquareTile310x150.scale-400.png ncmeebg.exe File opened for modification C:\Windows\ImmersiveControlPanel\images\DefaultPinTile.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare44x44.targetsize-30_contrast-white.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.906_none_a6600355b5f69459\YourPhoneCallingToast.scale-400_contrast-black.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\OobeReboot.js ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPStoreLogo.scale-400_contrast-white.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleLogo.targetsize-80_altform-unplated_contrast-black.png ncmeebg.exe File opened for modification C:\Windows\ImmersiveControlPanel\images\EaseOfAccess.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft.powershell.dscresources_31bf3856ad364e35_10.0.19041.1_none_505fc1443cf7d96e\WindowsFeatureSet.psd1 ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\TileSmall.scale-150.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\Square44x44Logo.targetsize-96_altform-unplated.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-a..sibility-experience_31bf3856ad364e35_10.0.19041.1_none_41b27ed425707c3a\ns.svg ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..scannerpreview-host_31bf3856ad364e35_10.0.19041.546_none_70569b662ddb706c\Square44x44Logo.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\breakAll.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..talcontrolssettings_31bf3856ad364e35_10.0.19041.964_none_d1ce1ea46e50a943\MicrosoftFamily.scale-100_contrast-black.png ncmeebg.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\Images\headerrestore.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-lockapp.appxmain_31bf3856ad364e35_10.0.19041.1_none_9d61200c734f61dd\SplashScreen.contrast-white_scale-100.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\Square310x310Logo.contrast-black_scale-100.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\i_chartzoom_in_disabled.png ncmeebg.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare44x44.scale-100.png ncmeebg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\Desktop\WallpaperStyle = "0" ncmeebg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\Desktop\TileWallpaper = "0" ncmeebg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe 4164 ncmeebg.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1724 wrote to memory of 4164 1724 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe 82 PID 1724 wrote to memory of 4164 1724 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe 82 PID 1724 wrote to memory of 4164 1724 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe 82 PID 1724 wrote to memory of 2356 1724 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe 83 PID 1724 wrote to memory of 2356 1724 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe 83 PID 1724 wrote to memory of 2356 1724 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe"C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Users\Admin\AppData\Roaming\ncmeebg.exeC:\Users\Admin\AppData\Roaming\ncmeebg.exe2⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
PID:4164
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3372C1~1.EXE >> NUL2⤵PID:2356
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
284KB
MD5209a288c68207d57e0ce6e60ebf60729
SHA1e654d39cd13414b5151e8cf0d8f5b166dddd45cb
SHA2563372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
SHA512ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3
-
Filesize
284KB
MD5209a288c68207d57e0ce6e60ebf60729
SHA1e654d39cd13414b5151e8cf0d8f5b166dddd45cb
SHA2563372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
SHA512ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3