88b22745ab9b1deeffcae3bcd127f14cadc814a24d2395ce1c525c807fda8ba8

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

154c69fad254a8ec147bf6b68f36ac0c.exe
Size

59KB
MD5

154c69fad254a8ec147bf6b68f36ac0c
SHA1

092cb820e189f17255d6931210de9f860177d05c
SHA256

88b22745ab9b1deeffcae3bcd127f14cadc814a24d2395ce1c525c807fda8ba8
SHA512

ebf29dca93389210619dfba208a7bf0c8eb582a6f48057f15c610ce98c05f77e0a61eca4de3f29c128183f2d430dcb172b4ce043603c23b6dbd3fc80a4045019
SSDEEP

1536:GUI3CPJoiyOAaQurqjlbCX9bYFD50g7t46k4TvcyKfh2LSpO:GUI3MJiRIgdqcYO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	154c69fad254a8ec147bf6b68f36ac0c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	154c69fad254a8ec147bf6b68f36ac0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe

Executes dropped EXE 11 IoCs

pid	Process
4808	Nqiogp32.exe
5044	Ngcgcjnc.exe
4212	Nkncdifl.exe
1136	Nnmopdep.exe
2076	Ndghmo32.exe
3004	Ngedij32.exe
5092	Njcpee32.exe
452	Nbkhfc32.exe
4488	Nqmhbpba.exe
4460	Nggqoj32.exe
228	Nkcmohbg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	154c69fad254a8ec147bf6b68f36ac0c.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	154c69fad254a8ec147bf6b68f36ac0c.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	154c69fad254a8ec147bf6b68f36ac0c.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3572	228	WerFault.exe	94

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	154c69fad254a8ec147bf6b68f36ac0c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	154c69fad254a8ec147bf6b68f36ac0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	154c69fad254a8ec147bf6b68f36ac0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	154c69fad254a8ec147bf6b68f36ac0c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	154c69fad254a8ec147bf6b68f36ac0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	154c69fad254a8ec147bf6b68f36ac0c.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 4808	5112	154c69fad254a8ec147bf6b68f36ac0c.exe	89
PID 5112 wrote to memory of 4808	5112	154c69fad254a8ec147bf6b68f36ac0c.exe	89
PID 5112 wrote to memory of 4808	5112	154c69fad254a8ec147bf6b68f36ac0c.exe	89
PID 4808 wrote to memory of 5044	4808	Nqiogp32.exe	90
PID 4808 wrote to memory of 5044	4808	Nqiogp32.exe	90
PID 4808 wrote to memory of 5044	4808	Nqiogp32.exe	90
PID 5044 wrote to memory of 4212	5044	Ngcgcjnc.exe	91
PID 5044 wrote to memory of 4212	5044	Ngcgcjnc.exe	91
PID 5044 wrote to memory of 4212	5044	Ngcgcjnc.exe	91
PID 4212 wrote to memory of 1136	4212	Nkncdifl.exe	92
PID 4212 wrote to memory of 1136	4212	Nkncdifl.exe	92
PID 4212 wrote to memory of 1136	4212	Nkncdifl.exe	92
PID 1136 wrote to memory of 2076	1136	Nnmopdep.exe	93
PID 1136 wrote to memory of 2076	1136	Nnmopdep.exe	93
PID 1136 wrote to memory of 2076	1136	Nnmopdep.exe	93
PID 2076 wrote to memory of 3004	2076	Ndghmo32.exe	105
PID 2076 wrote to memory of 3004	2076	Ndghmo32.exe	105
PID 2076 wrote to memory of 3004	2076	Ndghmo32.exe	105
PID 3004 wrote to memory of 5092	3004	Ngedij32.exe	104
PID 3004 wrote to memory of 5092	3004	Ngedij32.exe	104
PID 3004 wrote to memory of 5092	3004	Ngedij32.exe	104
PID 5092 wrote to memory of 452	5092	Njcpee32.exe	103
PID 5092 wrote to memory of 452	5092	Njcpee32.exe	103
PID 5092 wrote to memory of 452	5092	Njcpee32.exe	103
PID 452 wrote to memory of 4488	452	Nbkhfc32.exe	102
PID 452 wrote to memory of 4488	452	Nbkhfc32.exe	102
PID 452 wrote to memory of 4488	452	Nbkhfc32.exe	102
PID 4488 wrote to memory of 4460	4488	Nqmhbpba.exe	101
PID 4488 wrote to memory of 4460	4488	Nqmhbpba.exe	101
PID 4488 wrote to memory of 4460	4488	Nqmhbpba.exe	101
PID 4460 wrote to memory of 228	4460	Nggqoj32.exe	94
PID 4460 wrote to memory of 228	4460	Nggqoj32.exe	94
PID 4460 wrote to memory of 228	4460	Nggqoj32.exe	94

C:\Users\Admin\AppData\Local\Temp\154c69fad254a8ec147bf6b68f36ac0c.exe
"C:\Users\Admin\AppData\Local\Temp\154c69fad254a8ec147bf6b68f36ac0c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\SysWOW64\Nqiogp32.exe
  C:\Windows\system32\Nqiogp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\SysWOW64\Ngcgcjnc.exe
    C:\Windows\system32\Ngcgcjnc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\Nkncdifl.exe
      C:\Windows\system32\Nkncdifl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
      - C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
- Executes dropped EXE
PID:228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 400
  2⤵
  - Program crash
  PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 228 -ip 228
1⤵
PID:3968

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
59KB

MD5
a3d883ea0ea88c771d3c27f001f46ac5

SHA1
56a03c29ad863be344c305a98582d4780257be4b

SHA256
833810c9b3d2df4e4f00cd6e42f867d09833113f13f2f248f302940d1e21255e

SHA512
b7243ea53bb32f9144d80d16235504c7992c036fa6f05e7caf6f209adeec3f3c61104aa6583be6a7ca715f6b8c518789dc63c7a1760fc9f9af2e6fa88a0498e7

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
59KB

MD5
b84de6a163e651f4b823a30bdf1a86a4

SHA1
af3df2314cf8988337f19b492e64bd8ec9f58b40

SHA256
6135bb5befcebb461eda90d7f454b9d04af8ea4ea5c0f0959ca12797e30b1ec3

SHA512
72f6b56c7d5fcc1edbe1d1621c1b7ebb544ee119a3c6b934d0e95eab37e7d33ddad7bfa1a483acb351466e8fdf6f1c48a34c239e61887ff31c1b6b8c7909cc03

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
59KB

MD5
eecdd22a6319d2cfed4c7e15bd065715

SHA1
b5df9308c6d1e9dd18cb2ac7ece5a1fc6c24f8d3

SHA256
26cccd8f644b4533395260c2c4dfa4ae050b2d8b6039d00c8d314ddcae3dea7e

SHA512
2c75a3862f419a21c06db47c462c8720b20108c8707c830d93496f80d743a8c63bbca620b6528f83f3926a163b16d944eed2e85c425e1c4887b8cfe51178dc76

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
59KB

MD5
88d249dbeefb73b2f4cb935d2fec9f89

SHA1
3b6ab80a02a864898e1d9f08b586fdfeb929f0ba

SHA256
1361af2b7a9b645f139c665223e7d1ab2c163080d9cf0713daafe9404fb36ee2

SHA512
79e87d9b6a17556f8c09cdc8560f41572ebcc3dd6ca66b0623c3c6f9e4ba089061ad778fa17f51376e39666e09691f8e0a4c94db9659c50c4d47311f304993b5

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
59KB

MD5
78a5be4c5788bdf0b1e2190c71683896

SHA1
c77ad90d39398f13a814d6978d7bd168c2288e4f

SHA256
3fc915600d8f5baf23fd32781a420aeb7d3973152249f28666cdc8b0893afba4

SHA512
fbe45d1148a233b61d8f7bd80153035bc7e89efe692be483f6ed8d530d24a0d4a0ac6c5786be285f541ebd3fe730339222139f58a312c49731cbfa9cd4784b21

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
59KB

MD5
18ec5caf0f863f7fb61be9d9c804ca30

SHA1
0547b456c3282cca72ab874ee1ba2311ebf95e74

SHA256
69f19afb7733f882c95b0393cde5ded4313b71756a98ff027871f6653657704a

SHA512
2f4cdb10dc123d423bbc7837c49604cd34f6438a118fb70d855fe77be3bf7417b0627c78021d5c783dc53f310d2c63dc2a2f08326cec176b27caa69c599d5717

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
59KB

MD5
b94bf42075b5c842129293b11f29fba6

SHA1
9238d4cc7692b136e603101c52c3ba4a265a020c

SHA256
3ed3a25244b8814901c5cfc4ca8138dd3f234bdf74c9be436ba701dd5a785099

SHA512
d5f10ccd28022df9b47ecbd236e4038f52abae7197e36de2f16a0812f9474ec868219d15af85b63798c21bebfab509dbb97b701b8b65794cae1aa3e25e2f6067

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
59KB

MD5
fc2d5f87331d04a53fde7d6b2beea2e6

SHA1
b48e7782ad0a9f7598047f29f7d92fc4363984b4

SHA256
1178a768fd5bdaa77dfa9d91842032b9e078721ee78e39d17a33efcf020b4a79

SHA512
0f3127cdf8d6353f75912ae26f86b6a30f6431dca4e576061184c069b662d697daf193e9eb2631e9f0f2374415aa08fff4c68cc4ea1e9dbd6a8d290e88883cea

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
59KB

MD5
0dac49f97920d21b8f56a156dec42a9b

SHA1
e6ff65a47b57a9e700a19276208a9940eab075a6

SHA256
aec1101eaec03546bd0df4e066bb7b7e6ef69686c975974c342379ae06b94fa7

SHA512
8bcb3e6f14f2080dfb1c53bac284a9f54ecc233417e83e80b03c5e62f757f66c073664bdbc19b2e1089ebd1c71ab80e34e7668da34da382432c33b593eaa11a7

Download Submit
memory/228-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads