cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe
Size

1.2MB
MD5

06720322efc8173deb563348c7c129f3
SHA1

7f1dfbd69ebfd1fa1ab9dc2606d1670cfdbb3117
SHA256

cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6
SHA512

1087b924a68f1fed29d0a03e2f6fd034ffe1b291d7a0fc7c4e8f1e325dfa73ef2abb18cd785a75817f2696a5a3c1eaecfc0951e131234b1f322b225e341352cd
SSDEEP

12288:slVvLpHCXwpnsKvNA+XTvZHWuEo3oWbvrec:slVDlpsKv2EvZHp3oWbvrec

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe

Executes dropped EXE 11 IoCs

pid	Process
2660	Njogjfoj.exe
1268	Nafokcol.exe
4520	Nddkgonp.exe
1484	Ngcgcjnc.exe
2636	Nnmopdep.exe
1640	Nqklmpdd.exe
2940	Ngedij32.exe
5008	Njcpee32.exe
3800	Nqmhbpba.exe
992	Ndidbn32.exe
4732	Nkcmohbg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe

Program crash 1 IoCs

pid	pid_target	Process
3968	4732	WerFault.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2660	1460	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe	80
PID 1460 wrote to memory of 2660	1460	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe	80
PID 1460 wrote to memory of 2660	1460	cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe	80
PID 2660 wrote to memory of 1268	2660	Njogjfoj.exe	81
PID 2660 wrote to memory of 1268	2660	Njogjfoj.exe	81
PID 2660 wrote to memory of 1268	2660	Njogjfoj.exe	81
PID 1268 wrote to memory of 4520	1268	Nafokcol.exe	82
PID 1268 wrote to memory of 4520	1268	Nafokcol.exe	82
PID 1268 wrote to memory of 4520	1268	Nafokcol.exe	82
PID 4520 wrote to memory of 1484	4520	Nddkgonp.exe	83
PID 4520 wrote to memory of 1484	4520	Nddkgonp.exe	83
PID 4520 wrote to memory of 1484	4520	Nddkgonp.exe	83
PID 1484 wrote to memory of 2636	1484	Ngcgcjnc.exe	84
PID 1484 wrote to memory of 2636	1484	Ngcgcjnc.exe	84
PID 1484 wrote to memory of 2636	1484	Ngcgcjnc.exe	84
PID 2636 wrote to memory of 1640	2636	Nnmopdep.exe	85
PID 2636 wrote to memory of 1640	2636	Nnmopdep.exe	85
PID 2636 wrote to memory of 1640	2636	Nnmopdep.exe	85
PID 1640 wrote to memory of 2940	1640	Nqklmpdd.exe	86
PID 1640 wrote to memory of 2940	1640	Nqklmpdd.exe	86
PID 1640 wrote to memory of 2940	1640	Nqklmpdd.exe	86
PID 2940 wrote to memory of 5008	2940	Ngedij32.exe	87
PID 2940 wrote to memory of 5008	2940	Ngedij32.exe	87
PID 2940 wrote to memory of 5008	2940	Ngedij32.exe	87
PID 5008 wrote to memory of 3800	5008	Njcpee32.exe	88
PID 5008 wrote to memory of 3800	5008	Njcpee32.exe	88
PID 5008 wrote to memory of 3800	5008	Njcpee32.exe	88
PID 3800 wrote to memory of 992	3800	Nqmhbpba.exe	89
PID 3800 wrote to memory of 992	3800	Nqmhbpba.exe	89
PID 3800 wrote to memory of 992	3800	Nqmhbpba.exe	89
PID 992 wrote to memory of 4732	992	Ndidbn32.exe	90
PID 992 wrote to memory of 4732	992	Ndidbn32.exe	90
PID 992 wrote to memory of 4732	992	Ndidbn32.exe	90

C:\Users\Admin\AppData\Local\Temp\cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe
"C:\Users\Admin\AppData\Local\Temp\cfcfe80e55db0f6064dd561e8721030f3d4aec760a0f40722ab079f27da930e6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\Njogjfoj.exe
  C:\Windows\system32\Njogjfoj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\Nafokcol.exe
    C:\Windows\system32\Nafokcol.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\Nddkgonp.exe
      C:\Windows\system32\Nddkgonp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        12⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 228
        13⤵
        Program crash
        
        PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4732 -ip 4732
1⤵
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgfgaq32.dll

Filesize
7KB

MD5
75f28374a98a906f5ab75a22359a251e

SHA1
7664087b79e0b85660960d750451f5f392fe9556

SHA256
251d8f33311837a1ef61fa245503c4619c6d0697ba1c8536b4260a83873a1c6f

SHA512
8d134a4cc0c16150d20992c86389091d40f4e94b1bfad6589542c563b38bdff23716e6e5ed8c61eafb48def6d9657e68e2c0d18a1276621e8c5c9cf2a7b763f5

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
1.2MB

MD5
4abd0d48d6ebbd8236afc23aacb34a9d

SHA1
03a16fbb2ec816f7ec310ca530fb98df1b236c27

SHA256
4668e2d0419dd51ca2ef56a1da61ca4ae25b0b853c29b2471981d5cfb4a19bed

SHA512
20bd04309a7e34bb52e61c08dbabf071ef36636aea6efc639a64f56ecc3b63107e9cdc1c2226dab6a7df41318036208a6b4e1ff0ce8349017dd830c4af62316a

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
1.2MB

MD5
b493ec8e9e2a657d7e279463edcf2084

SHA1
d3108d592845745d04ee30dbf0c207a7f55a66bc

SHA256
052d2d30a7b455c0f647c36e748e45390537fd7370e163243dde4e6c9a6dbe8a

SHA512
72009778cfd55589f459721f9e40a3d40ddaa7f9c581f3b025f987b8edf8b4ffdf50ce7721990c49699578c6cf964422582e84d9ed848b40c730b954464b4bc8

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
1.2MB

MD5
b19b7def0c8d30cd5bcbd0483b348ece

SHA1
fa74acc85ebd6d9d69972693f57004ab89c3219d

SHA256
69abdf8531ff3772c27443ef4ca441d9a7138023de0b4f67414095968125091a

SHA512
2e2920ef721a09081194ee7aea4bcf273b4181f6a68a4c9f38d2f1c073564b97d7b7c6224f0c897709d48eb3ebaaa85928d7695b2f47b4861581ad187f07bb5e

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
1.2MB

MD5
fa05d9f55ff9aab379cdc1774e4b784d

SHA1
7678040b8b29869c47a1e47ce86cd1896aff5b5d

SHA256
72d6b3257bd2bda256954f3b73d9638013fe75fda21ee2700dfb645a7e793376

SHA512
8c717b974da1f57a1ff257b4f1c7de34e2d39630770cd4b79b2098ee301b439680ceb6bedb73c0234c4c0666120d4ea31ada03b461ec4f697100304fa11bb28a

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
1.2MB

MD5
991c80148c281668d986f92edd95446e

SHA1
3027c7f43c42c698077e867d64074968c72b0e30

SHA256
68f3b3da01c7f9bd3e43596c847e2c124a1bd7437e8ca428ff1d68350b00ce08

SHA512
ade5217e5260c7c8acdf7c237f5d91c9b64f3458307ec32827cbaa8d8f1765d336732c7a3424d5778ad61711e71eb7792723c12cac82396e341f7712fbe62dc4

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
1.2MB

MD5
571d1ae32eeb3a7b881ebf65b25fd52b

SHA1
40f918a4ce74fb27600456482465576e36516750

SHA256
831f348c4eba08c452f6c341fcfd15ab33034b62de7b32ffc10743da759376d1

SHA512
6acd44880058e0798d1d1d418e77e584e96fd98c501e372c86cf220c90bd3931ec06ee2b3997d4686adc7690e8644bae9394f226aa4328ccfc4ba8b58a92117b

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
1.2MB

MD5
c25dcdadefa44b74e9cda4a049a26538

SHA1
38768c202be4c0efcce9dfdb22d5ec4ef3a03e5e

SHA256
d60881bf2195845c4a8c0292f5c8da55ba273347be5d87c0f0828ae788d9a36e

SHA512
56799ed5bc27f21dbd0d448d886345a725bf6a028a31ff781c1e99668445a050c2fe40bdf6efe0e19a2ba6c4d62d93a5aa03ed315f94c44cdadc733db18c33f9

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
1.2MB

MD5
d1b4020b3e6a1acd1c2f69aeea35f017

SHA1
a50ab9c3f84d57e2c01115c437e56bebe17810c1

SHA256
c839452c17f433bb8bf0382229c8885951c1608e6a41b5ece8859b418154e18a

SHA512
ed5e917d0c84e7ba94e57bfb5ecb92b0643dc9e2994215cde9f911c93ee597a5261d15ffdc67776e82af2dcd6914a9199e0602a9d4655372a7e5b701699a8f0e

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
1.2MB

MD5
8fd0a5cd626856c91ead1dd0ff80822a

SHA1
264d0fd0465ce40c4e311f47f9be3be8762a89fa

SHA256
c0abc5d44c30b1f162ed9fb54b17c71ce9deb75b71688467aaa80ed6feeb3c74

SHA512
5dbd6857e096a8a04ba08ba7e666bb81e9ec5ac33b06e7ebe0148245e0f8e223f5aa2a2f1f978ad402c20fd9c2b4ede4a7d6bd123fd3c75ca5583143b010277a

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
1.2MB

MD5
4d12c370d499356130ec62262f6416a0

SHA1
6576c73a6fe6a9bd73ae3547b52208b9f8aecab4

SHA256
1ef562ed667897fc9c1b081a662b1816f82d2f62b33459dc7a7d99489bf1ceff

SHA512
cab52bc2d7609cff78a7ba0feeadf44509d28f9749e6f5b6a03a1e6cedcb2d2cdf78737f1d0c1fecfe22ea68f7ba4a2f43681f032ef5a9d14c779c69b7180c12

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
1.2MB

MD5
ff0e31edf712f50acfd7296c753e8bdb

SHA1
d2b7f1569bffa8916afa4c27e5d2ddaa83786a14

SHA256
8db60caf0ad128da80da26772264bc48d94f01e78fa689c0b431b32dc45acd81

SHA512
9a0a8d34ab3f1252f02b4bebe6c687be68505e693d89f2529b920455e0ff9505035deda3cfb207cb9f71bc78d1e9e0e651de84f8d02fbd72651ed311ea49cb4f

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
1.2MB

MD5
8cdd17aa6edaed4918344b8680119a82

SHA1
8993d3e2a961afd5e885316286c68acdcdae2c26

SHA256
953261df2ec2f51105543eed6cc322e2a17a5b7a03623b977a0a020b8ae05bd3

SHA512
5d6bc7037980efe4f26312290d8ce21a4ce1e69f922d1fd60995645a7c8894697842acff0e9860d6e50fef3e077c994d4904845be4f884c398679f716c8b42c0

Download Submit
memory/992-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/992-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1268-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1268-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1460-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1460-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1484-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1640-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1640-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-93-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3800-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3800-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4520-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4520-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5008-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5008-92-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads