be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 00:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe
Size

64KB
MD5

be73af6d344e6e5f8445fc1833c87404
SHA1

7668660d38ae133887a5b94111daa3fe73d48bc5
SHA256

be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8
SHA512

105a8f319d8a3a9744eabda245a2fedc85ba382894e1d6593ec84b317882cdafcf78c17ee2c29476bc25b9c59b0079cbb5053af21494dbcf2d956e6c80b07b5f
SSDEEP

768:DCWjdRMxLu1hdNVL8I8NH3MlNAt+yezYdQBMFtxZV1DzCFBo2EF191ieDxuHH2pm:DCWAChrQeBNE/XiGxX0XhV1iL+iALMH6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe

Executes dropped EXE 15 IoCs

pid	Process
632	Ngpjnkpf.exe
2288	Njogjfoj.exe
3064	Nafokcol.exe
2988	Nddkgonp.exe
536	Ngcgcjnc.exe
1356	Nkncdifl.exe
4100	Nnmopdep.exe
2992	Nbhkac32.exe
2768	Ndghmo32.exe
3088	Ncihikcg.exe
1908	Nkqpjidj.exe
4916	Nnolfdcn.exe
2308	Nqmhbpba.exe
4764	Ndidbn32.exe
2812	Nkcmohbg.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1712	2812	WerFault.exe	98

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 632	1780	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe	84
PID 1780 wrote to memory of 632	1780	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe	84
PID 1780 wrote to memory of 632	1780	be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe	84
PID 632 wrote to memory of 2288	632	Ngpjnkpf.exe	85
PID 632 wrote to memory of 2288	632	Ngpjnkpf.exe	85
PID 632 wrote to memory of 2288	632	Ngpjnkpf.exe	85
PID 2288 wrote to memory of 3064	2288	Njogjfoj.exe	86
PID 2288 wrote to memory of 3064	2288	Njogjfoj.exe	86
PID 2288 wrote to memory of 3064	2288	Njogjfoj.exe	86
PID 3064 wrote to memory of 2988	3064	Nafokcol.exe	87
PID 3064 wrote to memory of 2988	3064	Nafokcol.exe	87
PID 3064 wrote to memory of 2988	3064	Nafokcol.exe	87
PID 2988 wrote to memory of 536	2988	Nddkgonp.exe	88
PID 2988 wrote to memory of 536	2988	Nddkgonp.exe	88
PID 2988 wrote to memory of 536	2988	Nddkgonp.exe	88
PID 536 wrote to memory of 1356	536	Ngcgcjnc.exe	89
PID 536 wrote to memory of 1356	536	Ngcgcjnc.exe	89
PID 536 wrote to memory of 1356	536	Ngcgcjnc.exe	89
PID 1356 wrote to memory of 4100	1356	Nkncdifl.exe	90
PID 1356 wrote to memory of 4100	1356	Nkncdifl.exe	90
PID 1356 wrote to memory of 4100	1356	Nkncdifl.exe	90
PID 4100 wrote to memory of 2992	4100	Nnmopdep.exe	91
PID 4100 wrote to memory of 2992	4100	Nnmopdep.exe	91
PID 4100 wrote to memory of 2992	4100	Nnmopdep.exe	91
PID 2992 wrote to memory of 2768	2992	Nbhkac32.exe	92
PID 2992 wrote to memory of 2768	2992	Nbhkac32.exe	92
PID 2992 wrote to memory of 2768	2992	Nbhkac32.exe	92
PID 2768 wrote to memory of 3088	2768	Ndghmo32.exe	93
PID 2768 wrote to memory of 3088	2768	Ndghmo32.exe	93
PID 2768 wrote to memory of 3088	2768	Ndghmo32.exe	93
PID 3088 wrote to memory of 1908	3088	Ncihikcg.exe	94
PID 3088 wrote to memory of 1908	3088	Ncihikcg.exe	94
PID 3088 wrote to memory of 1908	3088	Ncihikcg.exe	94
PID 1908 wrote to memory of 4916	1908	Nkqpjidj.exe	95
PID 1908 wrote to memory of 4916	1908	Nkqpjidj.exe	95
PID 1908 wrote to memory of 4916	1908	Nkqpjidj.exe	95
PID 4916 wrote to memory of 2308	4916	Nnolfdcn.exe	96
PID 4916 wrote to memory of 2308	4916	Nnolfdcn.exe	96
PID 4916 wrote to memory of 2308	4916	Nnolfdcn.exe	96
PID 2308 wrote to memory of 4764	2308	Nqmhbpba.exe	97
PID 2308 wrote to memory of 4764	2308	Nqmhbpba.exe	97
PID 2308 wrote to memory of 4764	2308	Nqmhbpba.exe	97
PID 4764 wrote to memory of 2812	4764	Ndidbn32.exe	98
PID 4764 wrote to memory of 2812	4764	Ndidbn32.exe	98
PID 4764 wrote to memory of 2812	4764	Ndidbn32.exe	98

C:\Users\Admin\AppData\Local\Temp\be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe
"C:\Users\Admin\AppData\Local\Temp\be8f5da78630702e382e60faf693d6bb949667a9092b7b605ce64e78aa338db8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\Ngpjnkpf.exe
  C:\Windows\system32\Ngpjnkpf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\SysWOW64\Njogjfoj.exe
    C:\Windows\system32\Njogjfoj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\Nafokcol.exe
      C:\Windows\system32\Nafokcol.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        16⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 404
        17⤵
        Program crash
        
        PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2812 -ip 2812
1⤵
PID:4724

Network

DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR
DNS

178.223.142.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.223.142.52.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

140.71.91.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.71.91.104.in-addr.arpa

IN PTR

Response

140.71.91.104.in-addr.arpa

IN PTR

a104-91-71-140deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

No results found

8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

210 B
144 B
3
1

DNS Request

58.55.71.13.in-addr.arpa

DNS Request

58.55.71.13.in-addr.arpa

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

142 B
116 B
2
1

DNS Request

0.205.248.87.in-addr.arpa

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

178.223.142.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

178.223.142.52.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

146 B
144 B
2
1

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

140.71.91.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

140.71.91.104.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

216 B
137 B
3
1

DNS Request

194.178.17.96.in-addr.arpa

DNS Request

194.178.17.96.in-addr.arpa

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

13.227.111.52.in-addr.arpa

DNS Request

13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nafokcol.exe

Filesize
64KB

MD5
96dc4349c1a66a2cb5a75b0e3c10b893

SHA1
1115d01843510aabada4874f7a9b52c7375e7efc

SHA256
582b142964f310d7514c6a34807589f11639274c7a425a1564b33e973a18576c

SHA512
ea016f1695d5be3f60c928142700fcd6b4fb88e9b80e002558eb9498528b7e06cb8592cb3c729dd74a34aad0ee492e6927ab126a9f3c6893284172826d4f0831

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
64KB

MD5
60ed03d3efcdaa27612e7da6a4bd5a36

SHA1
46261c7015e32c765d5d25318110fdd60ed2c4fc

SHA256
e40293b8582b26f3c6038d4a682b9eba1571e0da9d15663ecf72eea09eecee2b

SHA512
53fc8efe1668c4a87d9e557e173520e301e0cee97b90852963485d94f23f62869ce008ced4c048a42d6c2ae70e5aeaf49dc6c6ae86b1ba908a9baf5fcb4ae5bd

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
64KB

MD5
4970e11a404a97bee1d5bb1803d38c94

SHA1
b3edd54c88536c4437f4b944a8f5a80ae1b67cb9

SHA256
7105d1b62950d41a8de72ff978bed155f7a28d72aae73f8f147383005c384832

SHA512
840ed338f2964554dfd8b6b7d68cf6df7316ca409eb16d17505bb3946c1f74fc086b8ec3310ec2aee45a2e4e87e02a94dadc8621e25a6bbf6e337d484eb076a4

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
62KB

MD5
bdc5ca5c4b14a31efbd83e1478bb4c91

SHA1
c401383c74709085b1ef04214d3ffd20de35ba02

SHA256
8c0da6e712b83dc01467026c2173f16a796f0ed51e3f02036716074235ffc8c7

SHA512
48260186b933eaf27b9765702a168c7125271a3b717aa7e2c3bc0019d9e73896df0ce7e52062f0845a378c245d9684858aadf28e8acf2c258c28107c79eea2f4

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
64KB

MD5
2aa7d44965bc0334bb7aca83cceb282f

SHA1
db0b43b2d73fb049efba989425aac2b2a458d4ca

SHA256
b936c3533789c7adba67dcad4ecd432f8a62decd8f1276458de99b0741e33e30

SHA512
69ab8964ddc062b93dc0c61df172fe587f5d0e6da42305124baf75ae10d895a52126d1b08a796fe3257aa8ab7de1c97a70e792df80495de7c014edfcbd9e57f2

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
64KB

MD5
7948bbfe6155b418e69064ef18e460c9

SHA1
027a19876384cf53d1c83a28d828339c4ccddc59

SHA256
3f3f3f2281a1b6e05f7d8f72d193bcedda10b6887bbb3f8c0d9ad063bfc186ab

SHA512
7b4231982ee471301969d0106bd971b1e26f00167c51ee7ea07f49c9e2d9472122ccfb8c2adc88ddfef4e6536ba5fb1752e2799375c6d9a8cd3a30c0fc094421

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
64KB

MD5
a72d81f39e111d832aa6a567403289f1

SHA1
8aa4663358be2faf1b5b26a9f34bce97f43f11b3

SHA256
aa2c3915052ee65f736a3a43a36ee93f22865e05fa8516233d6af729d53d0fc6

SHA512
c37e3da5c797a5f6937401374598a1422a9bbc45f119aa8fd6c89c27119ebf755b75cb005c6d15f8c5bb5d19b2d5006ab2313222e493daea3c5e89fdf8007d77

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
64KB

MD5
fec0d7536de9488b1dd3cb0eed9d9dad

SHA1
ce37a34cde97585af8d937a0bd9b9fc19291fd06

SHA256
e62ac43cea047f555e68d9445ed40dee34d8d2408000f16a1c67bd37677867d3

SHA512
6772c5e8ee767cb84529235ace26d653ff2b4803c0354804f761fe1b92ab5481f2cc35d64ba730078a74cb4e319321709f0041fa34d082082705785049748d4a

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
64KB

MD5
0fd08fd44740bb013a55da11ccab2594

SHA1
d0038d2f1857a940f52f01a937d9051c528f6681

SHA256
2d4ad47afdbe26eba8b611abe86ce34c80f6ca2f46bbc35294aa70fe9d6e366f

SHA512
9586ca813a2502a03c3a5f2b050b3cc84c382c1d0347fd136edb17405895eff988d471a4e4561610f4f2dcfa03af424c63beb0794c8f55cbee5e124463a30bb0

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
64KB

MD5
bfa5aa8bde972f9209a33f589162f0e6

SHA1
eb03367e680b029805748d29dbd77e73809fe7be

SHA256
47cba7ea27ca7965f982fd7a47456d74a928d14bb10f5ba566690fd5c3f36b06

SHA512
2a659ba4c422722916e66361a539bc7929c067ab9c8617c7c8c414bd5ddc28d190ec81c9139adfe1c6cf06553813a0b68ca2b88a03b9c4ae9b6e14e1ab2a9e77

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
64KB

MD5
79a6117c304e10e309f4b25118484e86

SHA1
a0bc4f9db27785e83ef321e098378e03a63acac1

SHA256
e95835509433bc129f005aad811471bca1806378241ecad2ea4e2903d199d50e

SHA512
a261c3acf77cdea66b818fcf92bc2e3a9b3c358c8c43634ac9a7fb1f1b866fe6ca4aab5cb037dd3da5f7855c828759632de9d7774948110b1b6d132e88c38f81

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
64KB

MD5
bf844ed38b2c4cf3e07895c37a9d2485

SHA1
a574bdb86cf27184ee8f83ad0b3315a62bd75808

SHA256
ffb9c1da0e1caf0ba46016c6704b53b183034f410d27cdafddfb2bf720f1a46a

SHA512
2b9073ba167dafc65c586ff20a8a6ef8b285c7a747d0605f269554f37bf67e379518d906efac08548d61be3931346747f77d20accdb514172a4d82933d178234

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
64KB

MD5
44762895773615f70c3e6988cc6df8b4

SHA1
bf7a2ba1c35b54d905dc7c62889d0cea96c5b98a

SHA256
cfab649b73d13e531bf790dd60717a098bc033de7b55813cd12212641743d13f

SHA512
d2b3085ea35276577b114d7b97845f99d5541371e38e20ef0fbcbdf44fafcd0eb11a474d048e8bed070c61b810892889b9e7d80e21c8a48df4618bba32390648

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
64KB

MD5
376e87283d769f98f1dd034b2b54e26e

SHA1
a5e44452c34445bb71a96ef3489267d3c1b3e8b3

SHA256
b5abeaf9c89744b0e14c5060fdfa51e994f8bda6f727aba02e9741683579eec6

SHA512
4ad188e20a3e28f8819b009ac537c35655ac164ec7cc61d458aa70767fc6d919a1d47d05eb6ec5fdc1cf6d29fa29756aa80907b6af55f24c207f55d2606956a1

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
64KB

MD5
d078fd8a7df882ebee01dcc64e5130d8

SHA1
6754422124c9efb92a1053aaa99308e793a9bf6b

SHA256
41d263481422d5cba2aa17f6cea97ce95fac69ed7e76315b03807bc071f8ff9f

SHA512
285e5a25cc00225b1138c7c241d160e71ade5edc968d44f7fe3ff9f53e5f15fd33a832a949bf8abf0114d5b7f0cd6b2e29401f10fadcff2903dd218306a6984a

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
64KB

MD5
73034648c613deb6b592b31c11f10faa

SHA1
1c15d80ddde6167be5ef4e9151f445ff86ee5fae

SHA256
4efd620bb39ee7470617bab6f76ba55270a9f18872db489fdad2524191d3d783

SHA512
72e9f6d04c0bb6b7ab9c3f04a87dd73ce42f9b36dfd4b4eae08fb850b67d52640278e4c8b15699a8c86e9fdcee614cb2f041abbb150d9ffed15b7de6c03875a9

Download Submit
memory/536-131-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/536-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/632-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/632-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1356-49-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1356-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1780-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1780-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1908-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1908-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2288-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2288-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2308-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2308-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2768-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2768-128-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-122-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-121-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2988-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2988-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2992-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2992-130-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3088-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3088-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4100-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4100-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4764-123-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4764-113-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4916-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4916-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.