9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d

Analysis

max time kernel
188s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 19:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
Size

310KB
MD5

8405c44ea39c1e89ab347380ed8d8941
SHA1

ecd6172ceabc9ba534780c71c3a0fcd743338d63
SHA256

9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d
SHA512

2534c3991afae603bfe1090b3c4df5c527f93c354477143fdc4658aadd54aa0d37d2d74b430fb0d895231f636f35e63dd322786826d69cef2e9ff6e4d207be64
SSDEEP

6144:GWsS02/oPbqhjCVTS/EGQalR+pSXSYZaKYxzXpztpz6cI0:CS0YI5FS/vQxBYQtzRVI0

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2464	aKkDmBo01804.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2488-132-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/2488-134-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/2488-135-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/2488-136-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/2464-143-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/2464-144-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral2/memory/2488-145-0x0000000000400000-0x00000000004B3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aKkDmBo01804 = "C:\\ProgramData\\aKkDmBo01804\\aKkDmBo01804.exe"	aKkDmBo01804.exe

Program crash 28 IoCs

pid	pid_target	Process	procid_target
3208	2488	WerFault.exe	80
2748	2488	WerFault.exe	80
1648	2488	WerFault.exe	80
924	2464	WerFault.exe	86
2756	2488	WerFault.exe	80
244	2464	WerFault.exe	86
1644	2488	WerFault.exe	80
4688	2464	WerFault.exe	86
3428	2488	WerFault.exe	80
3540	2464	WerFault.exe	86
4476	2464	WerFault.exe	86
4892	2488	WerFault.exe	80
4080	2464	WerFault.exe	86
3644	2488	WerFault.exe	80
640	2464	WerFault.exe	86
4908	2488	WerFault.exe	80
1032	2464	WerFault.exe	86
2624	2464	WerFault.exe	86
3416	2464	WerFault.exe	86
4792	2464	WerFault.exe	86
1556	2464	WerFault.exe	86
3736	2464	WerFault.exe	86
2368	2464	WerFault.exe	86
1172	2464	WerFault.exe	86
4936	2464	WerFault.exe	86
556	2488	WerFault.exe	80
176	2488	WerFault.exe	80
232	2464	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
Token: SeDebugPrivilege	2464	aKkDmBo01804.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2464	aKkDmBo01804.exe
2464	aKkDmBo01804.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2464	aKkDmBo01804.exe
2464	aKkDmBo01804.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2464	aKkDmBo01804.exe
2464	aKkDmBo01804.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2464	2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe	86
PID 2488 wrote to memory of 2464	2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe	86
PID 2488 wrote to memory of 2464	2488	9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe	86

C:\Users\Admin\AppData\Local\Temp\9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe
"C:\Users\Admin\AppData\Local\Temp\9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 560
  2⤵
  - Program crash
  PID:3208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 612
  2⤵
  - Program crash
  PID:2748
- C:\ProgramData\aKkDmBo01804\aKkDmBo01804.exe
  "C:\ProgramData\aKkDmBo01804\aKkDmBo01804.exe" "C:\Users\Admin\AppData\Local\Temp\9e10f89a718ea6c296d6079eae1b2e1d7f32bdfcba11a9a8d8f6c7ee1bca333d.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 616
    3⤵
    - Program crash
    PID:924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 768
    3⤵
    - Program crash
    PID:244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 776
    3⤵
    - Program crash
    PID:4688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 820
    3⤵
    - Program crash
    PID:3540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 828
    3⤵
    - Program crash
    PID:4476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 980
    3⤵
    - Program crash
    PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1020
    3⤵
    - Program crash
    PID:640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1000
    3⤵
    - Program crash
    PID:1032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1392
    3⤵
    - Program crash
    PID:2624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1604
    3⤵
    - Program crash
    PID:3416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 936
    3⤵
    - Program crash
    PID:4792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 644
    3⤵
    - Program crash
    PID:1556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1648
    3⤵
    - Program crash
    PID:3736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1868
    3⤵
    - Program crash
    PID:2368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1876
    3⤵
    - Program crash
    PID:1172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1956
    3⤵
    - Program crash
    PID:4936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1952
    3⤵
    - Program crash
    PID:232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 624
  2⤵
  - Program crash
  PID:1648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 652
  2⤵
  - Program crash
  PID:2756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 800
  2⤵
  - Program crash
  PID:1644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 808
  2⤵
  - Program crash
  PID:3428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 964
  2⤵
  - Program crash
  PID:4892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1000
  2⤵
  - Program crash
  PID:3644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1112
  2⤵
  - Program crash
  PID:4908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 524
  2⤵
  - Program crash
  PID:556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 152
  2⤵
  - Program crash
  PID:176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2488 -ip 2488
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2488 -ip 2488
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2488 -ip 2488
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2464 -ip 2464
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2488 -ip 2488
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2464 -ip 2464
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2488 -ip 2488
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2464 -ip 2464
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2488 -ip 2488
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2464 -ip 2464
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2464 -ip 2464
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2488 -ip 2488
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2464 -ip 2464
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2488 -ip 2488
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2464 -ip 2464
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2488 -ip 2488
1⤵
PID:416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2464 -ip 2464
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2464 -ip 2464
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 2464 -ip 2464
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2464 -ip 2464
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2464 -ip 2464
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 2464 -ip 2464
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 2464 -ip 2464
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 2464 -ip 2464
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 2464 -ip 2464
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 2488 -ip 2488
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 2488 -ip 2488
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 2464 -ip 2464
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aKkDmBo01804\aKkDmBo01804.exe

Filesize
310KB

MD5
1f3854319d3f525a50aaf7740021e3a1

SHA1
18dbe3ef16e4b834f863a52ce3d9525564eb20d1

SHA256
06805032ddfcfe68b461c8892e13764b2243a02d19feb4aec88303375c182d15

SHA512
8c281253256df199ae4a9ce9f5a345150df79de4d4dad159c682c86066cd6fb30563e393f2f9b315f4cf9c2c06d98bd45fba377f972326a0db237061c1071073

Download Submit
C:\ProgramData\aKkDmBo01804\aKkDmBo01804.exe

Filesize
310KB

MD5
1f3854319d3f525a50aaf7740021e3a1

SHA1
18dbe3ef16e4b834f863a52ce3d9525564eb20d1

SHA256
06805032ddfcfe68b461c8892e13764b2243a02d19feb4aec88303375c182d15

SHA512
8c281253256df199ae4a9ce9f5a345150df79de4d4dad159c682c86066cd6fb30563e393f2f9b315f4cf9c2c06d98bd45fba377f972326a0db237061c1071073

Download Submit
memory/2464-143-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2464-144-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2488-132-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2488-134-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2488-135-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2488-136-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2488-145-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download