8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352

Analysis

max time kernel
0s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe
Size

512KB
MD5

e6a4e8097b854c10cc69f5978bf1670d
SHA1

b504dde770d405402bbc69c5fbb0ef5c7dac4ab5
SHA256

8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352
SHA512

062a43e71483b8f80f6b6555e3bd069eee8cd5516c4135dfddfdf5786dd977f91a5b7d8ad1416e3e7818173b18c88cb891590287f496d46aeda6e3312e08ec0d
SSDEEP

6144:UzYpglE2bU8+jIrdQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fjlt01v:UXE2yr/Ng1/Nblt01PBExK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe

Executes dropped EXE 11 IoCs

pid	Process
460	Mdpalp32.exe
576	Mgnnhk32.exe
2132	Njljefql.exe
1164	Nacbfdao.exe
3644	Ndbnboqb.exe
4484	Ngpjnkpf.exe
2332	Njogjfoj.exe
4496	Nafokcol.exe
1644	Nddkgonp.exe
2064	Nkncdifl.exe
2480	Nbhkac32.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe

Program crash 1 IoCs

pid	pid_target	Process
2264	4548	WerFault.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 460	1548	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe	80
PID 1548 wrote to memory of 460	1548	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe	80
PID 1548 wrote to memory of 460	1548	8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe	80
PID 460 wrote to memory of 576	460	Mdpalp32.exe	81
PID 460 wrote to memory of 576	460	Mdpalp32.exe	81
PID 460 wrote to memory of 576	460	Mdpalp32.exe	81
PID 576 wrote to memory of 2132	576	Mgnnhk32.exe	82
PID 576 wrote to memory of 2132	576	Mgnnhk32.exe	82
PID 576 wrote to memory of 2132	576	Mgnnhk32.exe	82
PID 2132 wrote to memory of 1164	2132	Njljefql.exe	83
PID 2132 wrote to memory of 1164	2132	Njljefql.exe	83
PID 2132 wrote to memory of 1164	2132	Njljefql.exe	83
PID 1164 wrote to memory of 3644	1164	Nacbfdao.exe	84
PID 1164 wrote to memory of 3644	1164	Nacbfdao.exe	84
PID 1164 wrote to memory of 3644	1164	Nacbfdao.exe	84
PID 3644 wrote to memory of 4484	3644	Ndbnboqb.exe	85
PID 3644 wrote to memory of 4484	3644	Ndbnboqb.exe	85
PID 3644 wrote to memory of 4484	3644	Ndbnboqb.exe	85
PID 4484 wrote to memory of 2332	4484	Ngpjnkpf.exe	86
PID 4484 wrote to memory of 2332	4484	Ngpjnkpf.exe	86
PID 4484 wrote to memory of 2332	4484	Ngpjnkpf.exe	86
PID 2332 wrote to memory of 4496	2332	Njogjfoj.exe	87
PID 2332 wrote to memory of 4496	2332	Njogjfoj.exe	87
PID 2332 wrote to memory of 4496	2332	Njogjfoj.exe	87
PID 4496 wrote to memory of 1644	4496	Nafokcol.exe	88
PID 4496 wrote to memory of 1644	4496	Nafokcol.exe	88
PID 4496 wrote to memory of 1644	4496	Nafokcol.exe	88
PID 1644 wrote to memory of 2064	1644	Nddkgonp.exe	89
PID 1644 wrote to memory of 2064	1644	Nddkgonp.exe	89
PID 1644 wrote to memory of 2064	1644	Nddkgonp.exe	89
PID 2064 wrote to memory of 2480	2064	Nkncdifl.exe	90
PID 2064 wrote to memory of 2480	2064	Nkncdifl.exe	90
PID 2064 wrote to memory of 2480	2064	Nkncdifl.exe	90

C:\Users\Admin\AppData\Local\Temp\8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe
"C:\Users\Admin\AppData\Local\Temp\8cd8c6db277cad66600a45df5cc3745b0232af3be8210363754f01d0e1dc0352.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\Mdpalp32.exe
  C:\Windows\system32\Mdpalp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Windows\SysWOW64\Mgnnhk32.exe
    C:\Windows\system32\Mgnnhk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\SysWOW64\Njljefql.exe
      C:\Windows\system32\Njljefql.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
      - C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        13⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        14⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        15⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        16⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        17⤵
        
        PID:404
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        18⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        19⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        20⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 400
        21⤵
        Program crash
        
        PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4548 -ip 4548
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
512KB

MD5
8e95d7fb2e71582237adba5495db0255

SHA1
dffad92ab6706a3a1b0c21ff9fe23800fa6397b1

SHA256
39b64eae27d3f0dd3ba3dd059c05fea547df950b5e91daccc398594ee83accba

SHA512
acc20c5b9489d90d53daab72968e109e42ecff3a6bd4b8a14fae7ae4b710e0d5257d58add821a1547f967d2752be67286a2fcf8eaa40dd68285fcb273cb0417c

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
512KB

MD5
69f94c73875f1b4d7b2b13dffe888e0a

SHA1
c5047fe855a76173addefddb9fcf78c1638bd8cd

SHA256
094c95627dfe5f383ca67e13648af9612376f66b5826d638c8bd713675787f10

SHA512
51255ac3bd12678ab91c3b9657d107c77efce26be9c09912c96c061b745ab30cbbc1a277ba404a11d70f35c68315a77b16e93d58329f10d28e61b2970b5f3019

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
512KB

MD5
219110164642383537c0252c62c2e92e

SHA1
61218582d7969fd8be97ce2f4306615b49d809f4

SHA256
7bb96f9ccb7777e69cbe52e2c38966700a0a729bcca042deb87cb760428147eb

SHA512
476068ea7133e90f4ce969065d44ab6ac5ef81e7a6f281f257a3af34ab695bfb77349e9a7ce09e02f94004d4606f229e73ce217dfdf4f1259ad252f30ca555a9

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
512KB

MD5
c1c1328f0d9e2ba5d8f4055636ec26af

SHA1
2932bfbb6789847ff02d6020ae659812e0002c17

SHA256
6c7f6a6c4ffe0e871f86526388a643a44c6f07adbdbbcaf954229b1e0c674bd9

SHA512
dd4d85b77c80ce52f3e016c04c92a9c7c20e4fe3193b08e5b47642333f5accbf42835467afeb43caae4e26fa54e5945a43a50b5826f3970be49272b41d9a80d9

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
512KB

MD5
5045b11fe8348996a085658bc43f7eb8

SHA1
1762f5b03c48c94c45463821f1ed53d732507276

SHA256
bda52fe103c10c56730a75bb3f9355ba5d4dfeac5964247fb03280e863ffe746

SHA512
ff196c65e5113175c823b7da3067b5e9c7bd30ae4b16541838e225720298d1b82083b69ebe2f4ab4b785c97a91dd5bb5e6a2b5798dddc0e24fe35e6f779d6d14

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
512KB

MD5
adc1ae6bc784f20688feb93824d51f7b

SHA1
efc0113883b83a1d1ad69281ebab69f6b9a6c3aa

SHA256
cea786ba59fee9b6451cfb3a84ee309347a39ecb2f94792bc4ef9e665a7b6aca

SHA512
16e130299e24cc31a2a061f3c5448934496aac6b4a594a475f625115e786bbcaac7b60e28bf4bc420c5913c4265805178dc8eed8ddcc768de5adf3f045cb73d7

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
512KB

MD5
5883351d77ab2ddc6b83be788c8d6287

SHA1
90697e6120cf143b8e6291e1959d057731924d2b

SHA256
dace34eb946615f0ed79fc9945166ead63ca648b87009e60ccbd552484a18bc1

SHA512
7277f1e03c8065c12941867f7bdd48b50829854b2f465370b5849ce4789725367426ea8f55d2b3c30a485c4577452e884225398e959a691539082bb4de400a67

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
512KB

MD5
06b1715fe360912c5331de303b1280d1

SHA1
10f64a1aff9163c6472d42b5aecbbbdd09c5c4e4

SHA256
6d443f5510c0601b0f5493af9d3b3e7ba32e2b876c0973a5634d41503f7f2d4f

SHA512
99759b89b666a0e2f79db5ffcaf438543b5e84923916fed12bcc4b2610cb826e54612e0df6e5697ee65f9576b638fa5acad9ad3b3b3166b34a4200926cad7362

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
512KB

MD5
b8000f82a92f6c74d7036ac9a032a9b6

SHA1
1328cb5890cd71a10ff1b4cef654c048e897835d

SHA256
d9262b42b0504192675a4a28570830f5fb742567f416b61833c531eec4f83c1f

SHA512
f913074b853e3ac05f0a380144fdd7ae832610b15de5c63dd8fbb4f40cffc56554164e20d24b6eec1e3d04864c3d9515f2a962e41dbee5deabb8b949c43e43a9

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
512KB

MD5
4432315d95644d34abbc9f3f6c35c4a7

SHA1
c694b0fea631b1d3b8236186acec11c3334ed51c

SHA256
b154c38c7dc99610d51fee11412cdd48edd68c954e64dad4c7e85d5b005859da

SHA512
de11c6339e7c8175aa211ad0f463c9db2f120254906c06fe7d0dcd848b62c31053f6e4d618f5a535b07e5e946f81c59084cccad19fefc04646f3843e71f2cdf8

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
512KB

MD5
6f1b9eea11c33fbe3e3a42b530764eba

SHA1
e16b62760fdde41a471ef126a6aacd56ed56d118

SHA256
1a49249763ffb75e72f8a3799f82278b559b01f13b47dd7667c593acaf92a6d7

SHA512
b0cebe44070d2ae3309e46119266923d98071645f28ed997a0f55796cc29251ebeaf3864267ade797b72c41337ee9ea7affe3c227c72c17105173ad58dde6d2b

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
512KB

MD5
400c0510eecc4899289134470c7adeee

SHA1
57711d6e145dfa100fd5823d8ccfd9083dae1080

SHA256
6474735b77e5476bc6717576f7e6f3e32da00b1d4abbec9848cdeca99f4fee0d

SHA512
655484719376a7e3c7a390468a1c479db0760778a69ac8c1165bd862d63a9e8824a5cbf1b4050c5f674ec36e5e71e21d02aff7df0fb4fe6dc09b74fec63f4d5b

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
512KB

MD5
e70f508c933218f3f32e968316ba56eb

SHA1
0c4b5f34b77a4a0d3ca205506b8d92eb2e6f3b1a

SHA256
2d6827249f6f91da29d93d3b10df5f59f23116a824bc175f47bacec911ec5f7d

SHA512
5e60a0a59f5269d0d9606f06e11c5a098514e58c5422113c5b46cf22e4e7f158bd98737b8c8ca8a94b738b485aba4ed294ead101d3bd110c24110f60132e3aac

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
512KB

MD5
229cbd32d3d41c1b2f6204d5a8a97696

SHA1
0224dbdd690c80d724354fb58513049833fe617e

SHA256
e675f1c6890115ec451ab2b589b2a3daf8839ff7c8e20a2304e231f4e4ebafbd

SHA512
57551e03338033e7b2b06c525a5204a190fa38b07dd804a7a49223aa07505cfb11cfbbe08e206732c313530be9924f6193b02d254f7039189b8801769c5267dd

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
512KB

MD5
661945f0b31ac84c4d24ef158815199f

SHA1
8307787ec90229fe47cc3dc1f7fd90c4b6ac5a92

SHA256
c8dd3b923885ca7aeaeec0cd5a43ba18fd6abdb35005bb4b5db928ad34c1e2b8

SHA512
349dedd24263699cb41f3aea497aae026ae8bb262ee8ab2d9e31a3f95946e8beb18a5036d99445f0db53970dcb1a2d5c352fda9f48b23c0eaa82f63d1606222b

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
512KB

MD5
d1525e998e68b63c898f6ab135f71a50

SHA1
703f420b08de3c0fd4756ce647574fff5ad4b814

SHA256
2adb6275f5d56dcf079cf1c5cab1fac785d898ca893d62f0cf7696e0cc09fbd3

SHA512
c0fd7c99dc2f77f5816848d4e450d242e16c8cc406e93f62e9d16bf99da051b3770f46229667f84e182790f55e0617bb2eeefa2e8dc844fd56598098131ca75a

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
512KB

MD5
c54db3150311a59342e97d9fb102edd7

SHA1
9758d930f60dae08815eb2fe4a7cb616600eecea

SHA256
7d1e1d06e91f611ad6989db5336bc81c99f5827d8c9f9715aa29ca8440529705

SHA512
574b475f9a8ef79be9a89177fcd9a5faf30c7b78ddb036f69ced95fab2bc9e80f7ec33c77ba40370a4f684136eb810e7ada234298afe69c17ae8d58bd7f951be

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
512KB

MD5
e14fb270aefcc8498744f4a803a053bc

SHA1
909d6459e1ceb7642ef7dd8e39cd61c48f5423b4

SHA256
13db0b5883be927d935363bc8b7eb3f2226df066b9d95f6fb16cd6e731ab49c6

SHA512
c42d8fea58123a9c6d9b50d55680e4b237f334effeae3d9e1001e0bdc8eeaabb053df44dac45da73273ed062cf04c98dff96c1ae8964d3e4cd94f5209507bce8

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
512KB

MD5
bbe952838df9f4040a69ebf108599597

SHA1
ef48aa4654d0e703737e17125e5b0fa8c289cb9c

SHA256
9ee32d1b78b54cb493cbb42835fbcbd677d635a6ac53a1947150c20abdc9c4d8

SHA512
36e45d4aadcb9a7fcf2d743bcc0b4e13912b564c9d7edb2a79dd742878127d490e523ae85b19e3dd8ed39483e4039d3520097c7920d2490a0fdac7dbe3b85fc0

Download Submit
memory/404-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/460-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/460-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/576-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/576-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1344-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1548-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4532-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads