511dce9bd269792976444137a9598d72bc3f0c75d98b78bca99f359535f8dd12

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2023 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2756c983fcdfd42b1261fa74bca84971.exe
Size

896KB
MD5

2756c983fcdfd42b1261fa74bca84971
SHA1

b9d1d91903a8161e7d1b165da2992c164297311b
SHA256

511dce9bd269792976444137a9598d72bc3f0c75d98b78bca99f359535f8dd12
SHA512

e2ccdf003160c5e8ecf39332c1e58d88157b931b789efd7b7d02b04f9a743eaed2bb8fc9840639e744b0fe8a944c49c0d2d5df449f2043378fbd4c571b3e1626
SSDEEP

24576:6BR6Ph2kkkkK4kXkkkkkkkkhLX3a20R0v50+5:IWbazR0vp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Nbhkac32.exeNgedij32.exeNjcpee32.exeNkncdifl.exeNbkhfc32.exeNqmhbpba.exeNcldnkae.exeNdghmo32.exe2756c983fcdfd42b1261fa74bca84971.exeNnmopdep.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2756c983fcdfd42b1261fa74bca84971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2756c983fcdfd42b1261fa74bca84971.exe

Executes dropped EXE 10 IoCs

Processes:

Nkncdifl.exeNnmopdep.exeNbhkac32.exeNdghmo32.exeNgedij32.exeNjcpee32.exeNbkhfc32.exeNqmhbpba.exeNcldnkae.exeNkcmohbg.exe

pid	process
1492	Nkncdifl.exe
4388	Nnmopdep.exe
3156	Nbhkac32.exe
4436	Ndghmo32.exe
2744	Ngedij32.exe
1480	Njcpee32.exe
2412	Nbkhfc32.exe
4700	Nqmhbpba.exe
4844	Ncldnkae.exe
4352	Nkcmohbg.exe

Drops file in System32 directory 30 IoCs

Processes:

2756c983fcdfd42b1261fa74bca84971.exeNdghmo32.exeNbkhfc32.exeNnmopdep.exeNbhkac32.exeNjcpee32.exeNcldnkae.exeNkncdifl.exeNgedij32.exeNqmhbpba.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Nkncdifl.exe	2756c983fcdfd42b1261fa74bca84971.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	2756c983fcdfd42b1261fa74bca84971.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	2756c983fcdfd42b1261fa74bca84971.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

2748 4352 WerFault.exe

pid	pid_target	process
2748	4352	WerFault.exe

Modifies registry class 33 IoCs

Processes:

Ngedij32.exeNqmhbpba.exeNdghmo32.exeNbkhfc32.exeNcldnkae.exe2756c983fcdfd42b1261fa74bca84971.exeNbhkac32.exeNnmopdep.exeNkncdifl.exeNjcpee32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2756c983fcdfd42b1261fa74bca84971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2756c983fcdfd42b1261fa74bca84971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	2756c983fcdfd42b1261fa74bca84971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2756c983fcdfd42b1261fa74bca84971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2756c983fcdfd42b1261fa74bca84971.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2756c983fcdfd42b1261fa74bca84971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

2756c983fcdfd42b1261fa74bca84971.exeNkncdifl.exeNnmopdep.exeNbhkac32.exeNdghmo32.exeNgedij32.exeNjcpee32.exeNbkhfc32.exeNqmhbpba.exeNcldnkae.exe

description	pid	process	target process
PID 3336 wrote to memory of 1492	3336	2756c983fcdfd42b1261fa74bca84971.exe	Nkncdifl.exe
PID 3336 wrote to memory of 1492	3336	2756c983fcdfd42b1261fa74bca84971.exe	Nkncdifl.exe
PID 3336 wrote to memory of 1492	3336	2756c983fcdfd42b1261fa74bca84971.exe	Nkncdifl.exe
PID 1492 wrote to memory of 4388	1492	Nkncdifl.exe	Nnmopdep.exe
PID 1492 wrote to memory of 4388	1492	Nkncdifl.exe	Nnmopdep.exe
PID 1492 wrote to memory of 4388	1492	Nkncdifl.exe	Nnmopdep.exe
PID 4388 wrote to memory of 3156	4388	Nnmopdep.exe	Nbhkac32.exe
PID 4388 wrote to memory of 3156	4388	Nnmopdep.exe	Nbhkac32.exe
PID 4388 wrote to memory of 3156	4388	Nnmopdep.exe	Nbhkac32.exe
PID 3156 wrote to memory of 4436	3156	Nbhkac32.exe	Ndghmo32.exe
PID 3156 wrote to memory of 4436	3156	Nbhkac32.exe	Ndghmo32.exe
PID 3156 wrote to memory of 4436	3156	Nbhkac32.exe	Ndghmo32.exe
PID 4436 wrote to memory of 2744	4436	Ndghmo32.exe	Ngedij32.exe
PID 4436 wrote to memory of 2744	4436	Ndghmo32.exe	Ngedij32.exe
PID 4436 wrote to memory of 2744	4436	Ndghmo32.exe	Ngedij32.exe
PID 2744 wrote to memory of 1480	2744	Ngedij32.exe	Njcpee32.exe
PID 2744 wrote to memory of 1480	2744	Ngedij32.exe	Njcpee32.exe
PID 2744 wrote to memory of 1480	2744	Ngedij32.exe	Njcpee32.exe
PID 1480 wrote to memory of 2412	1480	Njcpee32.exe	Nbkhfc32.exe
PID 1480 wrote to memory of 2412	1480	Njcpee32.exe	Nbkhfc32.exe
PID 1480 wrote to memory of 2412	1480	Njcpee32.exe	Nbkhfc32.exe
PID 2412 wrote to memory of 4700	2412	Nbkhfc32.exe	Nqmhbpba.exe
PID 2412 wrote to memory of 4700	2412	Nbkhfc32.exe	Nqmhbpba.exe
PID 2412 wrote to memory of 4700	2412	Nbkhfc32.exe	Nqmhbpba.exe
PID 4700 wrote to memory of 4844	4700	Nqmhbpba.exe	Ncldnkae.exe
PID 4700 wrote to memory of 4844	4700	Nqmhbpba.exe	Ncldnkae.exe
PID 4700 wrote to memory of 4844	4700	Nqmhbpba.exe	Ncldnkae.exe
PID 4844 wrote to memory of 4352	4844	Ncldnkae.exe	Nkcmohbg.exe
PID 4844 wrote to memory of 4352	4844	Ncldnkae.exe	Nkcmohbg.exe
PID 4844 wrote to memory of 4352	4844	Ncldnkae.exe	Nkcmohbg.exe

C:\Users\Admin\AppData\Local\Temp\2756c983fcdfd42b1261fa74bca84971.exe
"C:\Users\Admin\AppData\Local\Temp\2756c983fcdfd42b1261fa74bca84971.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4352 -ip 4352
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 400
1⤵
- Program crash
PID:2748

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
896KB

MD5
1cd10c017b6347741f477306dfa684bc

SHA1
f380c34f7d184b5b3add5be49c059c11652640a5

SHA256
62c95902e93e8d3cc09841e6cd7a1f4067e1f96ea92f83d30b7fa11d0e2603f0

SHA512
07b7bca2ab644a806b2c6c3226cd89ac0e4dd8649873be7d9b5574dbc6fdfe0496f5c90d2f8cf0fb5b4330051be7e3aa90daca7f95b66b773a2ec0e746fe9056

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
896KB

MD5
1cd10c017b6347741f477306dfa684bc

SHA1
f380c34f7d184b5b3add5be49c059c11652640a5

SHA256
62c95902e93e8d3cc09841e6cd7a1f4067e1f96ea92f83d30b7fa11d0e2603f0

SHA512
07b7bca2ab644a806b2c6c3226cd89ac0e4dd8649873be7d9b5574dbc6fdfe0496f5c90d2f8cf0fb5b4330051be7e3aa90daca7f95b66b773a2ec0e746fe9056

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
896KB

MD5
16df7cdbb169f4b6596ba984ddc77754

SHA1
87b5ee2030c229e85b296851bbc4fb781f719bcb

SHA256
66585ff6fecc532c95b7645688bb348149e5ca3fbbb0a2be83019a2656ed7017

SHA512
0bcf603bc5c491edb61f6de4e677c0dabb5d77044db6445b57360bf1d7c81cbd67ec4faab8d9be1c6b8cdd95c0149994a267ae763b63d4390a36b0e3f5b62c93

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
896KB

MD5
a3348e1da7f19cee3720947c1e7b0f3c

SHA1
64777e339e7d523c7a363b03de1dda14ce509d95

SHA256
8f89886b36da3be00e3677604e299179d5da3062d4fde92694af43c49329a9ef

SHA512
dd99f68d62ba3aebf248b190fa5c31f9bd02a75544facd659e414d03684bc096c552798eecdfb7720cfba76bd9ebd40c6460f1bda1e36cb1215c837e177fcfb4

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
896KB

MD5
a3348e1da7f19cee3720947c1e7b0f3c

SHA1
64777e339e7d523c7a363b03de1dda14ce509d95

SHA256
8f89886b36da3be00e3677604e299179d5da3062d4fde92694af43c49329a9ef

SHA512
dd99f68d62ba3aebf248b190fa5c31f9bd02a75544facd659e414d03684bc096c552798eecdfb7720cfba76bd9ebd40c6460f1bda1e36cb1215c837e177fcfb4

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
896KB

MD5
494eba58cc2488d3238f6d217ad6d8b6

SHA1
97547e67a95a80f109b39eaff0d41892d3725f30

SHA256
4aee0298a246855b43691a35b6e5cc88f3e28a67b80c687a401ae4308cf4635a

SHA512
307cb12d150bf6dffb7f364b60f00743519b5478834f864afe97aa811add669d37181c0aa485d1b7531f2a8afecc949e2988af2da26ca95c0d461ebd50c554dd

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
896KB

MD5
6bffd01e2a6a9356180ad968f37d9247

SHA1
b46256c6fbb87c99e8eb56aec4688f65c29d86e8

SHA256
6dd424165afe66b7521b35b25c38014752d6c66232c3d35c6986154a6c2281e1

SHA512
fd1ee6c56dcb56e736a39741cf869a9ac0c5f56199148c50158e17a498a14952364a934ae5abde87f8e646919a030e49112821f22a6ff65fc43d60366ab58f52

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
896KB

MD5
6bffd01e2a6a9356180ad968f37d9247

SHA1
b46256c6fbb87c99e8eb56aec4688f65c29d86e8

SHA256
6dd424165afe66b7521b35b25c38014752d6c66232c3d35c6986154a6c2281e1

SHA512
fd1ee6c56dcb56e736a39741cf869a9ac0c5f56199148c50158e17a498a14952364a934ae5abde87f8e646919a030e49112821f22a6ff65fc43d60366ab58f52

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
896KB

MD5
5645575c2515f38aa8a89c747b7b7116

SHA1
2daefd889453970b94f79238a542f6fa60887603

SHA256
2399bc398fd0240bbbb98d7a149d31d267fe5dfb2e95a21327d9ccd8ff57bf49

SHA512
a934e8c2d6a4438e4a671a79df86020e0d77b6638cdfa4165c6509164d10c2584ce9f6032c0a4a22404c005bdc3834510ec0d357c03ffd1ee1aa63f0b95bebdb

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
896KB

MD5
5645575c2515f38aa8a89c747b7b7116

SHA1
2daefd889453970b94f79238a542f6fa60887603

SHA256
2399bc398fd0240bbbb98d7a149d31d267fe5dfb2e95a21327d9ccd8ff57bf49

SHA512
a934e8c2d6a4438e4a671a79df86020e0d77b6638cdfa4165c6509164d10c2584ce9f6032c0a4a22404c005bdc3834510ec0d357c03ffd1ee1aa63f0b95bebdb

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
896KB

MD5
9defe1857e6cea398c0924bbcd9d150d

SHA1
a353679a6b45fd757ad91036f335ddddbfdff4e7

SHA256
403cc27c8726c163fba7579c85bdc21fc73563f4681f5fa4e139b92af6130428

SHA512
63cd5b3f296e0dc5685158bf9945173f90ebfcb92d95eccd55b0ef692c646096d457de56b7f25f7b35d139a82644b1bba4411e68446d4d621f30c51c07303bfb

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
896KB

MD5
9defe1857e6cea398c0924bbcd9d150d

SHA1
a353679a6b45fd757ad91036f335ddddbfdff4e7

SHA256
403cc27c8726c163fba7579c85bdc21fc73563f4681f5fa4e139b92af6130428

SHA512
63cd5b3f296e0dc5685158bf9945173f90ebfcb92d95eccd55b0ef692c646096d457de56b7f25f7b35d139a82644b1bba4411e68446d4d621f30c51c07303bfb

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
896KB

MD5
16df7cdbb169f4b6596ba984ddc77754

SHA1
87b5ee2030c229e85b296851bbc4fb781f719bcb

SHA256
66585ff6fecc532c95b7645688bb348149e5ca3fbbb0a2be83019a2656ed7017

SHA512
0bcf603bc5c491edb61f6de4e677c0dabb5d77044db6445b57360bf1d7c81cbd67ec4faab8d9be1c6b8cdd95c0149994a267ae763b63d4390a36b0e3f5b62c93

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
896KB

MD5
16df7cdbb169f4b6596ba984ddc77754

SHA1
87b5ee2030c229e85b296851bbc4fb781f719bcb

SHA256
66585ff6fecc532c95b7645688bb348149e5ca3fbbb0a2be83019a2656ed7017

SHA512
0bcf603bc5c491edb61f6de4e677c0dabb5d77044db6445b57360bf1d7c81cbd67ec4faab8d9be1c6b8cdd95c0149994a267ae763b63d4390a36b0e3f5b62c93

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
896KB

MD5
a9d9c309484b023a50f3c8834ec8cec6

SHA1
09c6ee9acc2953f7fed7b4f3838977e420170855

SHA256
b963017f67e5aac4ba0ae691ed9486dab3144d45150713f22b1c06396fa32c1d

SHA512
83cfb26cb2ae823ba9cec08226c84f4e294b1aed5b81c4a4898e1380ea347b0796192fbc56eb2e7bf2d7785adb58b31a92a299a9c15dda2500e9c11a2ebcfa87

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
896KB

MD5
a9d9c309484b023a50f3c8834ec8cec6

SHA1
09c6ee9acc2953f7fed7b4f3838977e420170855

SHA256
b963017f67e5aac4ba0ae691ed9486dab3144d45150713f22b1c06396fa32c1d

SHA512
83cfb26cb2ae823ba9cec08226c84f4e294b1aed5b81c4a4898e1380ea347b0796192fbc56eb2e7bf2d7785adb58b31a92a299a9c15dda2500e9c11a2ebcfa87

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
896KB

MD5
31d5d665998035fdac7bd41c5bc02f9e

SHA1
53d00ca96199d5e31fae8e491fdd3c85b082e373

SHA256
d9eca97811a69489dc623e8138dfe144237629627e7c83466d6363e0a2a198e4

SHA512
1971464ff5af0d80d29021705c81c06c2ff250fedcc1e61c1206a3146182aa846540d54cbe963f727c4646e30fd02519b8fe2053a6e73bda61ccf8fb0dcae1e8

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
896KB

MD5
31d5d665998035fdac7bd41c5bc02f9e

SHA1
53d00ca96199d5e31fae8e491fdd3c85b082e373

SHA256
d9eca97811a69489dc623e8138dfe144237629627e7c83466d6363e0a2a198e4

SHA512
1971464ff5af0d80d29021705c81c06c2ff250fedcc1e61c1206a3146182aa846540d54cbe963f727c4646e30fd02519b8fe2053a6e73bda61ccf8fb0dcae1e8

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
896KB

MD5
dd767916871d8512919b008c2521866c

SHA1
aa08f359e54c8630a5d73c939c020e3c32805cec

SHA256
f336d793b18f134712cc2fc7b414899f6b9e3592ebb1e6e3ff7be050cfb1f896

SHA512
21e94d33851e01a85e26494e01517c32e3936bddfaaf35b6800e46b08ae568416076689a62551999eafdc9f80d3f9434253d9982943da6177b0e146e80f6dc13

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
896KB

MD5
dd767916871d8512919b008c2521866c

SHA1
aa08f359e54c8630a5d73c939c020e3c32805cec

SHA256
f336d793b18f134712cc2fc7b414899f6b9e3592ebb1e6e3ff7be050cfb1f896

SHA512
21e94d33851e01a85e26494e01517c32e3936bddfaaf35b6800e46b08ae568416076689a62551999eafdc9f80d3f9434253d9982943da6177b0e146e80f6dc13

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
896KB

MD5
494eba58cc2488d3238f6d217ad6d8b6

SHA1
97547e67a95a80f109b39eaff0d41892d3725f30

SHA256
4aee0298a246855b43691a35b6e5cc88f3e28a67b80c687a401ae4308cf4635a

SHA512
307cb12d150bf6dffb7f364b60f00743519b5478834f864afe97aa811add669d37181c0aa485d1b7531f2a8afecc949e2988af2da26ca95c0d461ebd50c554dd

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
896KB

MD5
494eba58cc2488d3238f6d217ad6d8b6

SHA1
97547e67a95a80f109b39eaff0d41892d3725f30

SHA256
4aee0298a246855b43691a35b6e5cc88f3e28a67b80c687a401ae4308cf4635a

SHA512
307cb12d150bf6dffb7f364b60f00743519b5478834f864afe97aa811add669d37181c0aa485d1b7531f2a8afecc949e2988af2da26ca95c0d461ebd50c554dd

Download Submit
memory/1480-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download