Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/06/2024, 22:25
Static task: static1
Behavioral task: behavioral1
  Sample: 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
  Resource: win10v2004-20240508-en
General
Target: 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
Size: 96KB
MD5: 8bc84f1a067ff84303f0860dc363c2b9
SHA1: f9979035030504de3276a0f0e2297eceaeadc397
SHA256: 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26
SHA512: 9443791c6696e6e2b457f5b998a87f6bcd5a5fd5be68d0756ed1b505a6c3a88461b2b1bb5f6aa07a02269a35885d67117dda75d9776b4c45b120fb9ea02dac15
SSDEEP: 1536:tjc4vbrEXofKT1QXqclCclhiPMzB+e9MbinV39+ChnSdFFn7Elz45zFV3zMetM:64zrErHcT3iPm+AMbqV39ThSdn7Elz4K
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngcgcjnc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbhkac32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndidbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nceonl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nafokcol.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngcgcjnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpdelajl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnhfee32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njogjfoj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncihikcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndidbn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnhfee32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nceonl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njogjfoj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nafokcol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nbhkac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncihikcg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpdelajl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkjjij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nkjjij32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njcpee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njcpee32.exe
Executes dropped EXE (12 IoCs)
pid | Process
1236 | Mpdelajl.exe
4652 | Nkjjij32.exe
1072 | Nnhfee32.exe
4780 | Nceonl32.exe
4152 | Njogjfoj.exe
2936 | Nafokcol.exe
2992 | Ngcgcjnc.exe
768 | Nbhkac32.exe
1724 | Ncihikcg.exe
1700 | Njcpee32.exe
3324 | Ndidbn32.exe
3820 | Nkcmohbg.exe
Drops file in System32 directory (36 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Njogjfoj.exe | Nceonl32.exe
File created | C:\Windows\SysWOW64\Nafokcol.exe | Njogjfoj.exe
File opened for modification | C:\Windows\SysWOW64\Ngcgcjnc.exe | Nafokcol.exe
File opened for modification | C:\Windows\SysWOW64\Nbhkac32.exe | Ngcgcjnc.exe
File opened for modification | C:\Windows\SysWOW64\Ncihikcg.exe | Nbhkac32.exe
File opened for modification | C:\Windows\SysWOW64\Njcpee32.exe | Ncihikcg.exe
File opened for modification | C:\Windows\SysWOW64\Nceonl32.exe | Nnhfee32.exe
File created | C:\Windows\SysWOW64\Majknlkd.dll | Nafokcol.exe
File created | C:\Windows\SysWOW64\Egqcbapl.dll | Mpdelajl.exe
File created | C:\Windows\SysWOW64\Opbnic32.dll | Njcpee32.exe
File opened for modification | C:\Windows\SysWOW64\Nafokcol.exe | Njogjfoj.exe
File created | C:\Windows\SysWOW64\Gbbkdl32.dll | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
File opened for modification | C:\Windows\SysWOW64\Nnhfee32.exe | Nkjjij32.exe
File created | C:\Windows\SysWOW64\Nceonl32.exe | Nnhfee32.exe
File created | C:\Windows\SysWOW64\Fcdjjo32.dll | Nnhfee32.exe
File created | C:\Windows\SysWOW64\Njcpee32.exe | Ncihikcg.exe
File opened for modification | C:\Windows\SysWOW64\Ndidbn32.exe | Njcpee32.exe
File opened for modification | C:\Windows\SysWOW64\Mpdelajl.exe | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
File created | C:\Windows\SysWOW64\Hlmobp32.dll | Nkjjij32.exe
File created | C:\Windows\SysWOW64\Jcoegc32.dll | Njogjfoj.exe
File opened for modification | C:\Windows\SysWOW64\Nkcmohbg.exe | Ndidbn32.exe
File created | C:\Windows\SysWOW64\Hnibdpde.dll | Ndidbn32.exe
File opened for modification | C:\Windows\SysWOW64\Nkjjij32.exe | Mpdelajl.exe
File created | C:\Windows\SysWOW64\Nbhkac32.exe | Ngcgcjnc.exe
File created | C:\Windows\SysWOW64\Ipkobd32.dll | Ngcgcjnc.exe
File created | C:\Windows\SysWOW64\Pkckjila.dll | Nbhkac32.exe
File created | C:\Windows\SysWOW64\Ddpfgd32.dll | Ncihikcg.exe
File opened for modification | C:\Windows\SysWOW64\Njogjfoj.exe | Nceonl32.exe
File created | C:\Windows\SysWOW64\Nkjjij32.exe | Mpdelajl.exe
File created | C:\Windows\SysWOW64\Nnhfee32.exe | Nkjjij32.exe
File created | C:\Windows\SysWOW64\Mpdelajl.exe | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
File created | C:\Windows\SysWOW64\Ngcgcjnc.exe | Nafokcol.exe
File created | C:\Windows\SysWOW64\Ncihikcg.exe | Nbhkac32.exe
File created | C:\Windows\SysWOW64\Ndidbn32.exe | Njcpee32.exe
File created | C:\Windows\SysWOW64\Nkcmohbg.exe | Ndidbn32.exe
File created | C:\Windows\SysWOW64\Lfcbokki.dll | Nceonl32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
244 | 3820 | WerFault.exe | 92
Modifies registry class (39 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll" | Nbhkac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll" | Nceonl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nafokcol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngcgcjnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll" | Mpdelajl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll" | Nkjjij32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpdelajl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngcgcjnc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nceonl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Njogjfoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" | Njcpee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Njcpee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" | Ndidbn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll" | Nnhfee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll" | Nafokcol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll" | Ncihikcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Njcpee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll" | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nkjjij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll" | Njogjfoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll" | Ngcgcjnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nbhkac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncihikcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndidbn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mpdelajl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nkjjij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nceonl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnhfee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncihikcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndidbn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nafokcol.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nbhkac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnhfee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Njogjfoj.exe
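The "Adds autorun key", "Drops file in System32 directory" and "Modifies registry class" signatures describe a single persistence mechanism. Every process in the chain registers the same COM class, {79FEACFF-FFCE-815E-A900-316290B5B738}, under the 32-bit view of HKLM\Software\Classes, points its InProcServer32 at a DLL it has just written to SysWOW64, and lists that CLSID under ShellServiceObjectDelayLoad with the benign-looking name "Web Event Logger", so the shell loads the DLL in-process at startup. The Python below is an added example and not code from the tria.ge report or from the sample: it parses a subset of the report's own event lines (copied into the block) and ties each SSODL entry to its CLSID, to the DLL the CLSID resolves to, and to whether the registering process also created that DLL. The line layout it parses is an assumption about how the report renders events. One caveat for triage: the sample is 32-bit, so its HKLM\Software writes are redirected to WOW6432Node (and its command lines say system32 while the files land in SysWOW64 for the same reason); the native 64-bit key that the 64-bit explorer.exe reads is not touched anywhere in this report, so confirm which shell host actually loads the entry on an x64 image before treating it as established persistence.

```python
"""Correlate SSODL autorun entries with the CLSID and dropped DLL they resolve to.

Added example, not part of the tria.ge report. EVENTS is copied from the report's
"Adds autorun key", "Modifies registry class" and "Drops file in System32" rows
for the original sample and its first child; the line layout is an assumption.
"""
from __future__ import annotations
import re
from collections import defaultdict

# Constructed input: report rows for the sample and for Mpdelajl.exe only.
EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll" 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
File created C:\Windows\SysWOW64\Gbbkdl32.dll 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpdelajl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll" Mpdelajl.exe
File created C:\Windows\SysWOW64\Egqcbapl.dll Mpdelajl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpdelajl.exe
"""

# SSODL value: <name> = "<CLSID>" written by <process>
SSODL_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows'
    r'\\CurrentVersion\\ShellServiceObjectDelayLoad\\(?P<name>.+?) = '
    r'"(?P<clsid>\{[0-9A-Fa-f-]{36}\})" (?P<proc>\S+)$')
# Default value of CLSID\{...}\InProcServer32: the DLL COM will load in-process.
INPROC_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\WOW6432Node\\CLSID'
    r'\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InProcServer32\\ = "(?P<dll>[^"]+)" (?P<proc>\S+)$')
FILE_RE = re.compile(r'^File created (?P<path>\S+) (?P<proc>\S+)$')


def normalize(path: str) -> str:
    """Fold the report's doubled backslashes and compare paths case-insensitively
    (the report spells the directory both SysWow64 and SysWOW64)."""
    return path.replace("\\\\", "\\").lower()


def correlate(text: str) -> list:
    """One finding per SSODL entry: its CLSID, the DLL that CLSID points at, and
    whether the same process that registered the CLSID also dropped the DLL."""
    ssodl, inproc = {}, {}
    created = defaultdict(set)
    for line in text.strip().splitlines():
        if m := SSODL_RE.match(line):
            ssodl[(m["proc"], m["clsid"].upper())] = m["name"]
        elif m := INPROC_RE.match(line):
            inproc[(m["proc"], m["clsid"].upper())] = normalize(m["dll"])
        elif m := FILE_RE.match(line):
            created[m["proc"]].add(normalize(m["path"]))
    findings = []
    for (proc, clsid), name in ssodl.items():
        dll = inproc.get((proc, clsid))
        findings.append({
            "process": proc, "value_name": name, "clsid": clsid, "dll": dll,
            "self_dropped": dll is not None and dll in created[proc],
        })
    return findings


def hijacked_clsids(findings: list) -> dict:
    """CLSID -> sorted DLL paths it was pointed at. More than one DLL per CLSID
    means each generation re-registered the same class to its own dropped server."""
    by_clsid = defaultdict(set)
    for f in findings:
        if f["dll"]:
            by_clsid[f["clsid"]].add(f["dll"])
    return {c: sorted(d) for c, d in by_clsid.items()}


if __name__ == "__main__":
    found = correlate(EVENTS)
    for f in found:
        flag = "self-dropped DLL" if f["self_dropped"] else "DLL not dropped by registrant"
        print(f'{f["process"]}: SSODL "{f["value_name"]}" -> {f["clsid"]} -> {f["dll"]} ({flag})')
    print(hijacked_clsids(found))
```

The same correlation is what an analyst would run against a live host: enumerate both views of ShellServiceObjectDelayLoad, resolve each CLSID's InProcServer32, and treat any server DLL sitting in a system directory without a matching signed binary or package owner as the artefact to pull. Running the block on the full report yields one CLSID with twelve different DLL targets, one per generation.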
Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
PID 2004 wrote to memory of 1236 | 2004 | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe | 81
PID 2004 wrote to memory of 1236 | 2004 | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe | 81
PID 2004 wrote to memory of 1236 | 2004 | 6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe | 81
PID 1236 wrote to memory of 4652 | 1236 | Mpdelajl.exe | 82
PID 1236 wrote to memory of 4652 | 1236 | Mpdelajl.exe | 82
PID 1236 wrote to memory of 4652 | 1236 | Mpdelajl.exe | 82
PID 4652 wrote to memory of 1072 | 4652 | Nkjjij32.exe | 83
PID 4652 wrote to memory of 1072 | 4652 | Nkjjij32.exe | 83
PID 4652 wrote to memory of 1072 | 4652 | Nkjjij32.exe | 83
PID 1072 wrote to memory of 4780 | 1072 | Nnhfee32.exe | 84
PID 1072 wrote to memory of 4780 | 1072 | Nnhfee32.exe | 84
PID 1072 wrote to memory of 4780 | 1072 | Nnhfee32.exe | 84
PID 4780 wrote to memory of 4152 | 4780 | Nceonl32.exe | 85
PID 4780 wrote to memory of 4152 | 4780 | Nceonl32.exe | 85
PID 4780 wrote to memory of 4152 | 4780 | Nceonl32.exe | 85
PID 4152 wrote to memory of 2936 | 4152 | Njogjfoj.exe | 86
PID 4152 wrote to memory of 2936 | 4152 | Njogjfoj.exe | 86
PID 4152 wrote to memory of 2936 | 4152 | Njogjfoj.exe | 86
PID 2936 wrote to memory of 2992 | 2936 | Nafokcol.exe | 87
PID 2936 wrote to memory of 2992 | 2936 | Nafokcol.exe | 87
PID 2936 wrote to memory of 2992 | 2936 | Nafokcol.exe | 87
PID 2992 wrote to memory of 768 | 2992 | Ngcgcjnc.exe | 88
PID 2992 wrote to memory of 768 | 2992 | Ngcgcjnc.exe | 88
PID 2992 wrote to memory of 768 | 2992 | Ngcgcjnc.exe | 88
PID 768 wrote to memory of 1724 | 768 | Nbhkac32.exe | 89
PID 768 wrote to memory of 1724 | 768 | Nbhkac32.exe | 89
PID 768 wrote to memory of 1724 | 768 | Nbhkac32.exe | 89
PID 1724 wrote to memory of 1700 | 1724 | Ncihikcg.exe | 90
PID 1724 wrote to memory of 1700 | 1724 | Ncihikcg.exe | 90
PID 1724 wrote to memory of 1700 | 1724 | Ncihikcg.exe | 90
PID 1700 wrote to memory of 3324 | 1700 | Njcpee32.exe | 91
PID 1700 wrote to memory of 3324 | 1700 | Njcpee32.exe | 91
PID 1700 wrote to memory of 3324 | 1700 | Njcpee32.exe | 91
PID 3324 wrote to memory of 3820 | 3324 | Ndidbn32.exe | 92
PID 3324 wrote to memory of 3820 | 3324 | Ndidbn32.exe | 92
PID 3324 wrote to memory of 3820 | 3324 | Ndidbn32.exe | 92
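Every write target in this signature is a PID that also appears under "Executes dropped EXE", so these events record each parent setting up the child it has just launched rather than injection into an unrelated process; the evidence here is the lineage. Read together with the file drops, it is a twelve-deep chain in which every generation writes one new eight-letter executable to SysWOW64 and starts it, until the last one (Nkcmohbg.exe, PID 3820) crashes under WerFault. The Python below is an added example, not code from the report, that rebuilds that chain from the report's own rows (copied into the block, one copy per writer/target pair instead of the report's three) and checks for write targets that fall outside the chain. The column layout it parses, "PID <writer> wrote to memory of <target> <writer> <image> <sandbox id>", is an assumption about how the report renders these events.

```python
"""Rebuild the spawn chain from the report's WriteProcessMemory and dropped-EXE rows.

Added example, not part of the tria.ge report. WRITES and DROPPED are copied from
the report; the report lists each writer/target pair three times, one copy is
kept here. The column layout parsed below is an assumption.
"""
from __future__ import annotations
import re
from collections import Counter, defaultdict

SAMPLE = "6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe"
ROOT_PID = 2004

# Constructed input: "Suspicious use of WriteProcessMemory" rows, deduplicated.
WRITES = f"""
PID 2004 wrote to memory of 1236 2004 {SAMPLE} 81
PID 1236 wrote to memory of 4652 1236 Mpdelajl.exe 82
PID 4652 wrote to memory of 1072 4652 Nkjjij32.exe 83
PID 1072 wrote to memory of 4780 1072 Nnhfee32.exe 84
PID 4780 wrote to memory of 4152 4780 Nceonl32.exe 85
PID 4152 wrote to memory of 2936 4152 Njogjfoj.exe 86
PID 2936 wrote to memory of 2992 2936 Nafokcol.exe 87
PID 2992 wrote to memory of 768 2992 Ngcgcjnc.exe 88
PID 768 wrote to memory of 1724 768 Nbhkac32.exe 89
PID 1724 wrote to memory of 1700 1724 Ncihikcg.exe 90
PID 1700 wrote to memory of 3324 1700 Njcpee32.exe 91
PID 3324 wrote to memory of 3820 3324 Ndidbn32.exe 92
"""

# Constructed input: "Executes dropped EXE" rows as (pid, image) pairs.
DROPPED = ("1236 Mpdelajl.exe 4652 Nkjjij32.exe 1072 Nnhfee32.exe 4780 Nceonl32.exe "
           "4152 Njogjfoj.exe 2936 Nafokcol.exe 2992 Ngcgcjnc.exe 768 Nbhkac32.exe "
           "1724 Ncihikcg.exe 1700 Njcpee32.exe 3324 Ndidbn32.exe 3820 Nkcmohbg.exe")

WRITE_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) (?P=writer) (?P<image>\S+) \d+")


def parse_writes(text: str):
    """Return (Counter of (writer, target) pairs, {writer pid: image name})."""
    counts, images = Counter(), {}
    for m in WRITE_RE.finditer(text):
        writer, target = int(m["writer"]), int(m["target"])
        counts[(writer, target)] += 1
        images[writer] = m["image"]
    return counts, images


def parse_dropped(text: str) -> dict:
    """{pid: image} for every executable the report saw started from disk."""
    return {int(pid): image for pid, image in re.findall(r"(\d+) (\S+\.exe)", text)}


def spawn_chain(counts: Counter, names: dict, root: int) -> list:
    """Follow writer -> target edges from root and return the longest path of images."""
    children = defaultdict(list)
    for writer, target in counts:
        children[writer].append(target)
    best = []

    def walk(pid, path):
        nonlocal best
        path = path + [names.get(pid, f"<pid {pid}>")]
        if len(path) > len(best):
            best = path
        for child in children[pid]:
            walk(child, path)

    walk(root, [])
    return best


def foreign_targets(counts: Counter, names: dict) -> list:
    """Write targets that are not a process the chain itself started: the case
    that would actually indicate injection into a foreign process."""
    return sorted({target for _, target in counts if target not in names})


def summarize() -> dict:
    counts, writer_images = parse_writes(WRITES)
    names = {ROOT_PID: SAMPLE, **parse_dropped(DROPPED)}
    chain = spawn_chain(counts, names, ROOT_PID)
    return {
        "generations": len(chain) - 1,
        "chain": chain,
        "foreign_targets": foreign_targets(counts, names),
        # writer image in the write row should agree with the dropped-EXE name
        "writer_name_mismatch": [p for p, img in writer_images.items() if names.get(p) != img],
    }


if __name__ == "__main__":
    r = summarize()
    print(f"{r['generations']} generations: " + " -> ".join(r["chain"]))
    print("write targets outside the chain:", r["foreign_targets"] or "none")
```

An empty foreign_targets list is the point: a WriteProcessMemory signature with targets only among a process's own children is lineage evidence, and the thing to alert on is the chain length and the one-drop-one-spawn pattern, not the API itself.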
Processes (number in brackets is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6557c9680a90050bb1c517bbd663b5a07a94bd0a0e3799ff957933c6844f7f26.exe"
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2004
[2] C:\Windows\SysWOW64\Mpdelajl.exe
    command line: C:\Windows\system32\Mpdelajl.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1236
[3] C:\Windows\SysWOW64\Nkjjij32.exe
    command line: C:\Windows\system32\Nkjjij32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4652
[4] C:\Windows\SysWOW64\Nnhfee32.exe
    command line: C:\Windows\system32\Nnhfee32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1072
[5] C:\Windows\SysWOW64\Nceonl32.exe
    command line: C:\Windows\system32\Nceonl32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4780
[6] C:\Windows\SysWOW64\Njogjfoj.exe
    command line: C:\Windows\system32\Njogjfoj.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4152
[7] C:\Windows\SysWOW64\Nafokcol.exe
    command line: C:\Windows\system32\Nafokcol.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2936
[8] C:\Windows\SysWOW64\Ngcgcjnc.exe
    command line: C:\Windows\system32\Ngcgcjnc.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2992
[9] C:\Windows\SysWOW64\Nbhkac32.exe
    command line: C:\Windows\system32\Nbhkac32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 768
[10] C:\Windows\SysWOW64\Ncihikcg.exe
    command line: C:\Windows\system32\Ncihikcg.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1724
[11] C:\Windows\SysWOW64\Njcpee32.exe
    command line: C:\Windows\system32\Njcpee32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1700
[12] C:\Windows\SysWOW64\Ndidbn32.exe
    command line: C:\Windows\system32\Ndidbn32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3324
[13] C:\Windows\SysWOW64\Nkcmohbg.exe
    command line: C:\Windows\system32\Nkcmohbg.exe
    - Executes dropped EXE
    PID: 3820
[14] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 400
    - Program crash
    PID: 244
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3820 -ip 3820
    PID: 2476
Network
MITRE ATT&CK Enterprise v15
Downloads
1. Filesize: 96KB
   MD5: 79b044874fdabab91930d70eff96b331
   SHA1: 8c5d518bb86fd708f67c201925c76fcffc220990
   SHA256: f73684f108a748caf04c1b625ed82e1fccfb2e43a8abc9a431de7062c60017e2
   SHA512: d36567fc65e3be52c857fd9219a4b1748970d49f7bbc8d45da6ace44a338371d61c204dd333299a762e13ceb57c3da67291b67bd006e2d68d7eb6104608ac884
2. Filesize: 96KB
   MD5: 244b45a63a54a9d1f356f4f3f81ce95e
   SHA1: 8ddacc03ba871fe644bbb8ce86ff0fbaf1189ff1
   SHA256: 1af659e8d8040eb176f575f4ec3a508e1fc98207cc62c398f6e56ed0cec39e9d
   SHA512: dfe94cd46b70972fb14aaf0d00b0521cb9305b7d84401eaa800c07e1f2bb3dbc5afba74309a8f628c6e4a5e0aeae92eec4007ced5dc19ec11ea51bfaad1e622b
3. Filesize: 96KB
   MD5: 9142148cb9834cf7ddc764d1d055d67d
   SHA1: 0bc25b7114fcaa2e0faf925ee8b22f3adeb66c1e
   SHA256: 1cc87dfc688b28c2525d5911818b91974c33578c3acd2b67ea1a3d3f669584ad
   SHA512: 5677e7f3e8e1bd8442bee1a4c468276bf89c9a821575e8ac21d038110c57d3450d1494beb73d94e87cd855dcd51661496a6ed746aee6705c4407352c99790559
4. Filesize: 96KB
   MD5: de32cb124beaa46e06fb7e34b9052bc5
   SHA1: f8efdaf6bc64606a2fe499ab896d7cbde5a2d5ed
   SHA256: 3aa07d89a829b20222d45d18f070123908c8fa3009ddd9bee3e0c48a9a8c39b6
   SHA512: a9bbcb934c21d20c60c608d20b5fec910f435b66ef9719611e33f05175f41f7995b9739ead2dd0620720d11ec7151e09397f96081fd6cd1946adaabb41fa0103
5. Filesize: 96KB
   MD5: 66042d4b20cd4756ed34ef5a10d240d3
   SHA1: ef31887d2252650881b3fbff61f84485e9512631
   SHA256: 8291412c538ce24308b1da14eacc617eb75af196189bdf27ae4c61b450207f15
   SHA512: 7cbd06ee134030e5be3eff99cd3cd32aff548b8c7f269176185d7a79b92c17aa6f2e32bdf07a6d89660db0f1dec25ad98b66af8ab49d7031d3b66dda4d613842
6. Filesize: 96KB
   MD5: b85a094dd4b6a41477d7b29332bbad42
   SHA1: cc553dbb0aedbfba6366e9a5915ae4b83717a94a
   SHA256: f418c7f6db6701ed474806c61662b7f212dc71dfac02d0f31ebe4d14b0d384b2
   SHA512: ea8787d67ebcd3dd537c6e8ac2033b68652d682caaddaaf60f4bdf319a862479070a8dcba85a4056b6c4285356044b62d888093fb7beb5a7f070325cba2ed74a
7. Filesize: 96KB
   MD5: d1a8a94f77a09a8e2b15868e673d9d4f
   SHA1: c00b38ff6c376f91b8bca5abd2ac9771c5ade77e
   SHA256: cade64b49e6ba3c90da8262c0dcacd04c759153adfa284c2cdec335410d90db7
   SHA512: 6148d8e3fb8dd4686e2c6ab87fba1911f8f0e33dc53127c52dad14357b5a432d35c3b0840a4fc2346b96927287c2ecc0f9a5c6249d0ae93694a02b3a429f6f8c
8. Filesize: 96KB
   MD5: a4f4a3ae40be25f5380787270609d782
   SHA1: 5b2ee02ba76cd412beaafad88e9aba13fef60c0e
   SHA256: cb7126db3121e574a2c619a9513b6571c13ea8873b9cbd38f79b6140e54e3b73
   SHA512: 5e7088a4ee9fbe2353f26563edae9c48103da8ab42ccd5b8e38cfc0e3e44f388d03dea12ac62a8674dad54ab2bf1c54e7323157b42fd69b13b459d0e8f4ef95f
9. Filesize: 96KB
   MD5: d83584aa272553f4b14e3d35e4f1859c
   SHA1: 56b86de2e625687fd0828617f0d0a1b5d8b25084
   SHA256: 654c2d839144e1d76d0cf26800d70e35f8c02c26d5533b69ee2d2a568c174a61
   SHA512: a4714a887bc6895f96eb1520006d2cd02ada8526d60b993e5b9f7b7388de86b2c9510fdd702b2e9ee34e58e048abd63df0d7463c669f279084d07a5b6226b543
10. Filesize: 96KB
   MD5: 3c0faaf51ccc84646ba7f12b58e20cf4
   SHA1: e6ef6cf03536b098aaa6b429150aeda16dd51069
   SHA256: 861b23bb28a2b50ca17715aa6ee40c9a6603ca3a64b0ab6ec6682cf810c1aa5a
   SHA512: 6a6178696355008e6cc77cde96b92c42801e11168d9ae25bf091eb5331f8eef4d2f8439307333768cf538a90edf7fe5d75718557fafbc6a5103e9d63aae44e16
11. Filesize: 96KB
   MD5: 1a78c200c7a571ca4c4dc342110dcac7
   SHA1: d6e76ab24654fc660cd174d6f9d63859921d5d32
   SHA256: 6ed66b074aa5718a1d39cfe18ace6636c8283ddc2d8e116899de13385af81a74
   SHA512: e1d5ea1c08dfd24b231ce841e01c94d756983f8a7450539308d8a435194d9cfe181009bef8d946de21c65b3b5920c1c92fde30ce673039868a6d9a4680eafe87
12. Filesize: 96KB
   MD5: 30266f9013303fc20c684cdd49d1120c
   SHA1: 68124aaa212f33f54531a1913b664a35e1dfbd82
   SHA256: ec00358e96e174340be4bd4d864c12add6236fa141b32fa4f5c469bc394055cc
   SHA512: 05467ec70ec8b0a1db820d14419a2eb3b35a0359551c8f99f1a109930c7b080ff7e98357660963e7384d60ed246b244bc81bc94311b6fc3d6b92d62342ff6211