0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 18:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe
Size

80KB
MD5

2025bea79ba789dde8e8088064c23fa9
SHA1

72fe5df097804b28cc860a518a74971eccdc2983
SHA256

0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5
SHA512

383868fc03893af95fe0fbd317ab5aa658fbb83f63089b8b91ab1dbdc0e3322941adb0ce3f018d907844430813e4e5f371a67ba065d5bc71fd02a20009674c59
SSDEEP

1536:UIcG/suG3XjRequAl28LN68+MKOq2Lt4wfi+TjRC/6i:UIcG/sdmU28Lk8+MKyewf1TjYL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe

Executes dropped EXE 12 IoCs

pid	Process
3924	Mdpalp32.exe
1992	Njljefql.exe
828	Nqfbaq32.exe
944	Nklfoi32.exe
2136	Nafokcol.exe
4840	Ncgkcl32.exe
5008	Nkncdifl.exe
1940	Nbhkac32.exe
1704	Nkqpjidj.exe
1764	Nbkhfc32.exe
1900	Ncldnkae.exe
2288	Nkcmohbg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2660	2288	WerFault.exe	91

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3924	1976	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe	80
PID 1976 wrote to memory of 3924	1976	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe	80
PID 1976 wrote to memory of 3924	1976	0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe	80
PID 3924 wrote to memory of 1992	3924	Mdpalp32.exe	81
PID 3924 wrote to memory of 1992	3924	Mdpalp32.exe	81
PID 3924 wrote to memory of 1992	3924	Mdpalp32.exe	81
PID 1992 wrote to memory of 828	1992	Njljefql.exe	82
PID 1992 wrote to memory of 828	1992	Njljefql.exe	82
PID 1992 wrote to memory of 828	1992	Njljefql.exe	82
PID 828 wrote to memory of 944	828	Nqfbaq32.exe	83
PID 828 wrote to memory of 944	828	Nqfbaq32.exe	83
PID 828 wrote to memory of 944	828	Nqfbaq32.exe	83
PID 944 wrote to memory of 2136	944	Nklfoi32.exe	84
PID 944 wrote to memory of 2136	944	Nklfoi32.exe	84
PID 944 wrote to memory of 2136	944	Nklfoi32.exe	84
PID 2136 wrote to memory of 4840	2136	Nafokcol.exe	85
PID 2136 wrote to memory of 4840	2136	Nafokcol.exe	85
PID 2136 wrote to memory of 4840	2136	Nafokcol.exe	85
PID 4840 wrote to memory of 5008	4840	Ncgkcl32.exe	86
PID 4840 wrote to memory of 5008	4840	Ncgkcl32.exe	86
PID 4840 wrote to memory of 5008	4840	Ncgkcl32.exe	86
PID 5008 wrote to memory of 1940	5008	Nkncdifl.exe	87
PID 5008 wrote to memory of 1940	5008	Nkncdifl.exe	87
PID 5008 wrote to memory of 1940	5008	Nkncdifl.exe	87
PID 1940 wrote to memory of 1704	1940	Nbhkac32.exe	88
PID 1940 wrote to memory of 1704	1940	Nbhkac32.exe	88
PID 1940 wrote to memory of 1704	1940	Nbhkac32.exe	88
PID 1704 wrote to memory of 1764	1704	Nkqpjidj.exe	89
PID 1704 wrote to memory of 1764	1704	Nkqpjidj.exe	89
PID 1704 wrote to memory of 1764	1704	Nkqpjidj.exe	89
PID 1764 wrote to memory of 1900	1764	Nbkhfc32.exe	90
PID 1764 wrote to memory of 1900	1764	Nbkhfc32.exe	90
PID 1764 wrote to memory of 1900	1764	Nbkhfc32.exe	90
PID 1900 wrote to memory of 2288	1900	Ncldnkae.exe	91
PID 1900 wrote to memory of 2288	1900	Ncldnkae.exe	91
PID 1900 wrote to memory of 2288	1900	Ncldnkae.exe	91

C:\Users\Admin\AppData\Local\Temp\0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe
"C:\Users\Admin\AppData\Local\Temp\0684986d66d677a8b3ef979b00ab005f5d4b4ec6a29224f4380bbe48fc27cbd5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\Mdpalp32.exe
  C:\Windows\system32\Mdpalp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\SysWOW64\Njljefql.exe
    C:\Windows\system32\Njljefql.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\Nqfbaq32.exe
      C:\Windows\system32\Nqfbaq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:828
    - - C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
      - C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        13⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 400
        14⤵
        Program crash
        
        PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2288 -ip 2288
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
80KB

MD5
2bea4372f2fdf6f2f69d8a2499dd5897

SHA1
a0a3f4a5af29f1a356772a567895ca88102f6bcc

SHA256
811db53e118f675bb869c50cc3ca5965787785aab6e8e455a0633665a79ac7e9

SHA512
7ef8c464d02a552fba9556835c8ac4fcc278517f9110a0d3a56b5770410cb8809089d042056c64cc162e6d567b4cfe6a490d3c62e1d2277825276dd6cc9756a8

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
80KB

MD5
71dce7dd608f2c005931619d350d8fe4

SHA1
e41eda56e7f41070a38eb60c248f016a223d03e9

SHA256
879e844172708546791f31cbb300d8604e4b306e86d86ce071026b22d15770a3

SHA512
f91b07cf3d1649d514ae430e4ccaadde16bc1452a2b00e0ef966a96b12b9b891a61fb7fe1453ee00cc90e0cf592f96fd8e1cdd7657c55831bb179958df46f448

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
80KB

MD5
6fecc2657198dee6acd65a5bc60d8e63

SHA1
59e17d5a46deed2cac492dc3a4ad3ba2b13bfe77

SHA256
6d806c6a3d40fbf2af6efd8a3f0a8e01dee480348642c20c51217ceba26665b0

SHA512
0a59e76660349e5edeb36cc1b8fb0c94d30cec1a3498069f4d134a16e5a1b30e6f7bcf7e3c309133fbc5cc9b03814a2f0a06798f69249453f19cc81b9b3ee3a8

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
80KB

MD5
6edf072955dba77e6845a46aa730e2e1

SHA1
bf3ef27e940db3f3809cd46bfddf62ac1a81caf0

SHA256
771cf284b4cc86246d551625d40ed4f8d709f5ba88e7cc5dd6d1684114c4aa15

SHA512
94b15adf3e630720d1f10d9a98a0d46352a759332194a0fc6a55803c75731c2041f78ad37884736fcf41e2e840a85926ee3c5262e3c259a359f9744548f7f839

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
80KB

MD5
a38c50698864f51d947133aa3a39b261

SHA1
cd7f9af118774afac6c359e5f561d945619a64bc

SHA256
eb0dea405fa9f91937758455ce0a41dc9151c34e7a0456af462e87f80af48362

SHA512
001720f979b8dc4792767f41c1efce689597312e79f2e0b9f90b4c9aaea6f596c952d2e513a54cfb36e8b6f0f9b37ec2477e5b4340f8485cfac832e1a6009b08

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
80KB

MD5
04a2ad8831aeea1797da249162bf81aa

SHA1
309ead8c6a42d8dc3ae2f380d0c9f14ae507c801

SHA256
1d7119050877dc20f0a76c44c1232c68193801efcc2bf7d27a8976f397a1e542

SHA512
88053885720eb997499acb58281a92a203eb40f761ae8aac1a077f60f1932c65001ef710982ee80944637c0323541675df7b4fd0a8288cb571feb52a2f2f3baa

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
80KB

MD5
ae85720666b1065252ed07f729218df4

SHA1
d34cd2ce13a1a2be28bdde269f602048d721ad63

SHA256
f5db7b1bff648899bab7f7b6ba32ffa536ea6a185d703fdc96661c7656ab34e4

SHA512
7356c632232f3b35387e741e6fdb0505be22f557254bda945e2ad5381250d3a28d7f9e52876fd5b3ba520ebf377e39bbe56f2d49609036106f8f55c40295d1e7

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
80KB

MD5
9d2b6be6ba0c2199d072f3ce73eb4954

SHA1
86c99bf0d6c8815ea397f9011d6b8aa1cb6b64fb

SHA256
a5e96611c1da6e27ccadaed387c0a2c7cc63c413294ba41d43855f1df39cb1a0

SHA512
bd882f185b5a8cacdb1d5503dd77187dc04fbd2e66a20360e545d0e2e4b2472974532e11def4518726c7256071386b32b32ed0fdb8bd758f21ea8b6cd5412d4a

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
80KB

MD5
6b7870119893ad97ce3f3ea317b63304

SHA1
480c69f0ebe501336025bc194931ae7cde030438

SHA256
9fe85bd3e4784bbd39b5ccb35b74fb48277125a479c824f1416a2b45bf993a64

SHA512
1d575bbbb10bafcdc3c3018d37514788b47925c049a46ff200ee56cf7a9155d40818f5cde6c172aa61d81ed3a0f3629743a6d196a2a86e1332c5dd0bcc4a4cfb

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
80KB

MD5
cd4c83a99391f500058203d59c43e533

SHA1
0045e23e23619770d36079bb778303e343a082d4

SHA256
9ac3a3253e0db3d82c513f0bec3a169b4463afb45f355f400c6a6306165b024d

SHA512
2152e21d3a70a58a8ad99ca3107dc9e484c608b1fca1ecd76e294c9de8c25c809d07a70e190f5d1612f4d8aa6bc160d0737e827bf0a8dd327173f97a10b6dcba

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
80KB

MD5
8f896aa3fe45795361c24dde4a91abc7

SHA1
56b2ab226f558ad0f42a4d43104c3cf833fa93e2

SHA256
2621cd26955525c576d8eaf4541641df6e3dc0f3afc5bef2774ce88755dd7ab4

SHA512
db30f96148f47baf699a9b33a21441c37f8feb0435006665a24d06335a74ccd93bbbfa8481e896d4e653e303fc4c71ef651780c3d3e698c25aee70a5eea308cc

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
80KB

MD5
11cacb056aedf2f4c2782fba3c4564ff

SHA1
e415175ba8068d572400cd08e807b44cab61233b

SHA256
f3b0f8a56921f8d71dae812345598859b48f787a7d40fe54d14029c746f7dc80

SHA512
d2212b6d3a475bad00c2ea42bd4a5f722828c5bf6e66a79ac4f8d2bc5449150f792a2d1409db3a1a1e1d8047de0c9459be418e9081668f22b546c5bb45aee25b

Download Submit
memory/828-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/944-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/944-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1704-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1704-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1976-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads