File name:

NFC READER.zip

Full analysis: https://app.any.run/tasks/4f42e6b8-e2d6-48c2-a103-88e1163d3151
Verdict: Malicious activity
Analysis date: March 24, 2025, 12:13:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
qrcode
crypto-regex
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

1428CEF16138F7ACC606AE65B4B1B511

SHA1:

89EE8C435B150E1D60150BA3B80E2D6ACC78EEC6

SHA256:

25AAD9A377D8A9A4B2E47F672B4C9AA5886B0755EC5B836AF99222C98B631EBA

SSDEEP:

196608:HxW+4UFTkLfMHiySgjFvx6qmetR5ySGG2E:HxF/tkLfMHi88HetR5ySG+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 4112)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Nfcking_eng.exe (PID: 1272)
    • Creates file in the systems drive root

      • Nfcking_eng.exe (PID: 1272)
    • Drops a system driver (possible attempt to evade defenses)

      • Nfcking_eng.exe (PID: 1272)
    • There is functionality for taking screenshot (YARA)

      • Nfcking_eng.exe (PID: 1272)
    • The process drops C-runtime libraries

      • Nfcking_eng.exe (PID: 1272)
    • Process drops legitimate windows executable

      • Nfcking_eng.exe (PID: 1272)
    • Creates a software uninstall entry

      • Nfcking_eng.exe (PID: 1272)
    • The process creates files with name similar to system file names

      • Nfcking_eng.exe (PID: 1272)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Nfcking_eng.exe (PID: 1272)
    • Reads security settings of Internet Explorer

      • Nfcking.exe (PID: 6324)
    • Found regular expressions for crypto-addresses (YARA)

      • Nfcking.exe (PID: 6324)
    • Executes application which crashes

      • mfoc.exe (PID: 2420)
  • INFO

    • Manual execution by a user

      • Nfcking_eng.exe (PID: 1272)
      • Nfcking_eng.exe (PID: 6324)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4112)
    • Checks supported languages

      • Nfcking_eng.exe (PID: 1272)
      • Nfcking.exe (PID: 6324)
    • Create files in a temporary directory

      • Nfcking_eng.exe (PID: 1272)
    • Reads the computer name

      • Nfcking_eng.exe (PID: 1272)
      • Nfcking.exe (PID: 6324)
    • The sample is compiled with English language support

      • Nfcking_eng.exe (PID: 1272)
    • The sample is compiled with Chinese language support

      • Nfcking_eng.exe (PID: 1272)
    • Creates files or folders in the user directory

      • Nfcking_eng.exe (PID: 1272)
      • WerFault.exe (PID: 2040)
    • Reads the machine GUID from the registry

      • Nfcking.exe (PID: 6324)
    • Reads the software policy settings

      • slui.exe (PID: 2320)
      • slui.exe (PID: 6080)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:12:05 20:44:34
ZipCRC: 0x11516e3c
ZipCompressedSize: 13960567
ZipUncompressedSize: 14005819
ZipFileName: Nfcking_eng.exe
No data.
All screenshots are available in the full report
Total processes
148
Monitored processes
10
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes in the graph (from the start node): winrar.exe, sppextcomobj.exe (no specs), slui.exe, nfcking_eng.exe (no specs), nfcking_eng.exe, nfcking.exe (no specs), slui.exe, mfoc.exe, conhost.exe (no specs), werfault.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
456
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
mfoc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1272
CMD:
"C:\Users\admin\Desktop\Nfcking_eng.exe"
Path:
C:\Users\admin\Desktop\Nfcking_eng.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\nfcking_eng.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
2040
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2420 -s 380
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
mfoc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
2320
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\Windows\System32\slui.exe
Parent process:
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2420
CMD:
"nfc-bin/mfoc.exe" -O "./nfc-data/tmp/Mfoc.tmp" -x 3 -H "
Path:
C:\NfcKing\nfc-bin\mfoc.exe
Parent process:
Nfcking.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225477
Modules
Images
c:\nfcking\nfc-bin\mfoc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID:
4112
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NFC READER.zip"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
6080
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
6108
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
6324
CMD:
"C:\Users\admin\Desktop\Nfcking_eng.exe"
Path:
C:\Users\admin\Desktop\Nfcking_eng.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\nfcking_eng.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
6324
CMD:
"C:\NfcKing\NfcKing.exe"
Path:
C:\NfcKing\Nfcking.exe
Parent process:
Nfcking_eng.exe
User:
admin
Company:
无锡思柯锐迪电子科技有限公司
Integrity Level:
HIGH
Description:
NFC_TOOLS
Version:
1.6.8.0
Modules
Images
c:\nfcking\nfcking.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
6 398
Read events
6 373
Write events
22
Delete events
3

Modification events

(PID) Process: (4112) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip

(PID) Process: (4112) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (4112) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (4112) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\AppData\Local\Temp\NFC READER.zip

(PID) Process: (4112) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (4112) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (4112) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (4112) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (1272) Nfcking_eng.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Width
Value:
318

(PID) Process: (1272) Nfcking_eng.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Height
Value:
288
Executable files
57
Suspicious files
22
Text files
45
Unknown types
0

Dropped files

PID | Process | Filename | Type

1272 | Nfcking_eng.exe | C:\NfcKing\Be.Windows.Forms.HexBox.dll | executable
MD5: 7A6A1DEAFC87DDA48858F80B3C3EEC0F
SHA256: ED3AA1A6C806D4229EF3C48B6AC1CE9D07BAD53E9ED4BC21BEF728FD373C5CA3

1272 | Nfcking_eng.exe | C:\Users\admin\AppData\Local\Temp\nsw2CBB.tmp\modern-wizard.bmp | image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2

1272 | Nfcking_eng.exe | C:\Users\admin\AppData\Local\Temp\nsw2CBB.tmp\StartMenu.dll | executable
MD5: 26836307758E048D1CE0AFE754D6A972
SHA256: A6919F5F3B53A9C8C015413BABE7A9872491A2583E49BB3C261E60785C3C3534

1272 | Nfcking_eng.exe | C:\Users\admin\AppData\Local\Temp\nsw2CBB.tmp\LangDLL.dll | executable
MD5: 9648B84AEC426C8426E8312B73956216
SHA256: B60AEC1C8956D2140FC1539F216768913F39F5731D708B0E060851823B4FF319

1272 | Nfcking_eng.exe | C:\NfcKing\config\ico.ico | image
MD5: C644ABB58BACEB44A6BE3D6061FB494A
SHA256: 651E5E761B80FC982B52210AA98A134C924EAA3FACC584CF762B4F57FD90D165

4112 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4112.25823\Nfcking_eng.exe | executable
MD5: 81BAC6DA4CC8651498AE8ABE3493C98F
SHA256: 81324CB9B751B166AE6EDDCC0BEF0313DAAE199EB7802F3D291ACF29F0030507

1272 | Nfcking_eng.exe | C:\NfcKing\ChameleonMiniGUI.exe.config | xml
MD5: 21893023C4029D62FD41528922E21DEE
SHA256: E6F3A6E4E6C1379161A673DDC7F0AB9CF29BD0B5016B06C6110F20220003F5AE

1272 | Nfcking_eng.exe | C:\NfcKing\ChameleonMiniGUI.exe | executable
MD5: B0380E0A549E1212E53BAC7A45107988
SHA256: AE25CDB30765739D7C0A3B5791C0BB5FD86BDEE39858CFB8F8979E25E2A9B1B0

1272 | Nfcking_eng.exe | C:\Users\admin\AppData\Local\Temp\nsw2CBB.tmp\ioSpecial.ini | text
MD5: E2D5070BC28DB1AC745613689FF86067
SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0

1272 | Nfcking_eng.exe | C:\NfcKing\config\libnfc.conf | text
MD5: 03C7C29DFA47390CB2223C2C990EE19A
SHA256: 301EC7C5785472BECE7D5F4F1BEBB9303E515280E5F2D95DFAF931F94C20574E
HTTP(S) requests
6
TCP/UDP connections
25
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4776
backgroundTaskHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2104
svchost.exe
GET
200
2.16.164.34:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.16.164.34:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
904
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
904
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.164.34:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2104
svchost.exe
2.16.164.34:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
3216
svchost.exe
20.198.162.76:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
6544
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
4776
backgroundTaskHost.exe
20.74.47.205:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.164.34
  • 2.16.164.40
  • 2.16.164.9
  • 2.16.164.72
  • 2.16.164.120
  • 2.16.164.51
whitelisted
client.wns.windows.com
  • 20.198.162.76
  • 40.113.103.199
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.0
  • 40.126.31.3
  • 40.126.31.1
  • 20.190.159.130
  • 40.126.31.67
  • 20.190.159.128
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
arc.msn.com
  • 20.74.47.205
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

No threats detected
No debug info