0ce3765954d734b6dbaa365b099fb175e292b6b35c81307e552cb4a06ab0b1e9

Analysis

max time kernel
131s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2023, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e31573ecebca57c468b6589db4a820f0.exe
Size

91KB
MD5

e31573ecebca57c468b6589db4a820f0
SHA1

d1b9c78bb5d1cc39c28555cce9678552f1e6c819
SHA256

0ce3765954d734b6dbaa365b099fb175e292b6b35c81307e552cb4a06ab0b1e9
SHA512

fa360d55241a4f80b63b098dc1fa4920c8332ae4a148907f4e09aae34469331c55bb4b2ecb9cb5d0a65cbe0913279064793cad0afffd6963330810cb8a1292cd
SSDEEP

1536:8lEksbBUKLHLaVHAFMsWLaZ+LfFAuE1LuAu4wiF/W/gPCLLNMgw6:J/0VgHQaZ+fFANLrwKW/zLR/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.e31573ecebca57c468b6589db4a820f0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.e31573ecebca57c468b6589db4a820f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe

Executes dropped EXE 10 IoCs

pid	Process
936	Bgelgi32.exe
2864	Ckbemgcp.exe
4000	Cammjakm.exe
3880	Cpbjkn32.exe
3112	Caageq32.exe
1700	Cacckp32.exe
5068	Cgqlcg32.exe
4692	Dddllkbf.exe
1344	Dojqjdbl.exe
4360	Dkqaoe32.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	NEAS.e31573ecebca57c468b6589db4a820f0.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Cacckp32.exe
File created	C:\Windows\SysWOW64\Ibmlia32.dll	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Cammjakm.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Jgddkelm.dll	NEAS.e31573ecebca57c468b6589db4a820f0.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Bgelgi32.exe	NEAS.e31573ecebca57c468b6589db4a820f0.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Cpbjkn32.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	Caageq32.exe
File created	C:\Windows\SysWOW64\Dddllkbf.exe	Cgqlcg32.exe
File opened for modification	C:\Windows\SysWOW64\Dojqjdbl.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Ckbemgcp.exe	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Cpkhqmjb.dll	Cammjakm.exe
File created	C:\Windows\SysWOW64\Cacckp32.exe	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Nalhik32.dll	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dojqjdbl.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Cpbjkn32.exe	Cammjakm.exe
File opened for modification	C:\Windows\SysWOW64\Cpbjkn32.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Aamebb32.dll	Caageq32.exe
File created	C:\Windows\SysWOW64\Ckbemgcp.exe	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dojqjdbl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3560	4360	WerFault.exe	95

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.e31573ecebca57c468b6589db4a820f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll"	NEAS.e31573ecebca57c468b6589db4a820f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.e31573ecebca57c468b6589db4a820f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmlia32.dll"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.e31573ecebca57c468b6589db4a820f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.e31573ecebca57c468b6589db4a820f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.e31573ecebca57c468b6589db4a820f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 936	448	NEAS.e31573ecebca57c468b6589db4a820f0.exe	86
PID 448 wrote to memory of 936	448	NEAS.e31573ecebca57c468b6589db4a820f0.exe	86
PID 448 wrote to memory of 936	448	NEAS.e31573ecebca57c468b6589db4a820f0.exe	86
PID 936 wrote to memory of 2864	936	Bgelgi32.exe	87
PID 936 wrote to memory of 2864	936	Bgelgi32.exe	87
PID 936 wrote to memory of 2864	936	Bgelgi32.exe	87
PID 2864 wrote to memory of 4000	2864	Ckbemgcp.exe	88
PID 2864 wrote to memory of 4000	2864	Ckbemgcp.exe	88
PID 2864 wrote to memory of 4000	2864	Ckbemgcp.exe	88
PID 4000 wrote to memory of 3880	4000	Cammjakm.exe	89
PID 4000 wrote to memory of 3880	4000	Cammjakm.exe	89
PID 4000 wrote to memory of 3880	4000	Cammjakm.exe	89
PID 3880 wrote to memory of 3112	3880	Cpbjkn32.exe	90
PID 3880 wrote to memory of 3112	3880	Cpbjkn32.exe	90
PID 3880 wrote to memory of 3112	3880	Cpbjkn32.exe	90
PID 3112 wrote to memory of 1700	3112	Caageq32.exe	91
PID 3112 wrote to memory of 1700	3112	Caageq32.exe	91
PID 3112 wrote to memory of 1700	3112	Caageq32.exe	91
PID 1700 wrote to memory of 5068	1700	Cacckp32.exe	92
PID 1700 wrote to memory of 5068	1700	Cacckp32.exe	92
PID 1700 wrote to memory of 5068	1700	Cacckp32.exe	92
PID 5068 wrote to memory of 4692	5068	Cgqlcg32.exe	93
PID 5068 wrote to memory of 4692	5068	Cgqlcg32.exe	93
PID 5068 wrote to memory of 4692	5068	Cgqlcg32.exe	93
PID 4692 wrote to memory of 1344	4692	Dddllkbf.exe	94
PID 4692 wrote to memory of 1344	4692	Dddllkbf.exe	94
PID 4692 wrote to memory of 1344	4692	Dddllkbf.exe	94
PID 1344 wrote to memory of 4360	1344	Dojqjdbl.exe	95
PID 1344 wrote to memory of 4360	1344	Dojqjdbl.exe	95
PID 1344 wrote to memory of 4360	1344	Dojqjdbl.exe	95

C:\Users\Admin\AppData\Local\Temp\NEAS.e31573ecebca57c468b6589db4a820f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e31573ecebca57c468b6589db4a820f0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\SysWOW64\Bgelgi32.exe
  C:\Windows\system32\Bgelgi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\Ckbemgcp.exe
    C:\Windows\system32\Ckbemgcp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\Cammjakm.exe
      C:\Windows\system32\Cammjakm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4000
    - - C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
      - C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        11⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 400
        12⤵
        Program crash
        
        PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4360 -ip 4360
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
91KB

MD5
1112b4a366a71b12922d9ba37af7616b

SHA1
73fa6f58de8f21eec4ec949d999b41f4b63bfa4f

SHA256
b56da1b4981ce42a1713788bb541b44dfcf3c0d66ab1524992e677e2eb2b3fe2

SHA512
15e8fa4c333f9366d0f6d1687feab4d169343b5e0956715a346f5b71172f91c17c485ff28dfe75d9348d27b73eeca26c5557d4cb8827e82c8e520a24b5fbd434

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
91KB

MD5
1112b4a366a71b12922d9ba37af7616b

SHA1
73fa6f58de8f21eec4ec949d999b41f4b63bfa4f

SHA256
b56da1b4981ce42a1713788bb541b44dfcf3c0d66ab1524992e677e2eb2b3fe2

SHA512
15e8fa4c333f9366d0f6d1687feab4d169343b5e0956715a346f5b71172f91c17c485ff28dfe75d9348d27b73eeca26c5557d4cb8827e82c8e520a24b5fbd434

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
91KB

MD5
b1cf229afcc32a473170f56215a2b1f8

SHA1
a64a9a11f46616939c5c1080b3b88244c606e0d8

SHA256
62bfb83be22c5071087c0d4c8c505eb94ac61f0dc1c50b9edb6c5b11c102282c

SHA512
385e83948b51f74123181e63002714bb5d186c1f37f012e1d12c48c217ff0a23cab629b05b31cf50fd63ca4d86b42139bbb5f71aff76938cc8c76fbbf241c0d3

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
91KB

MD5
b1cf229afcc32a473170f56215a2b1f8

SHA1
a64a9a11f46616939c5c1080b3b88244c606e0d8

SHA256
62bfb83be22c5071087c0d4c8c505eb94ac61f0dc1c50b9edb6c5b11c102282c

SHA512
385e83948b51f74123181e63002714bb5d186c1f37f012e1d12c48c217ff0a23cab629b05b31cf50fd63ca4d86b42139bbb5f71aff76938cc8c76fbbf241c0d3

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
91KB

MD5
218669bcb093d04f2b66efd75856d4f2

SHA1
b86fef88dcebf03f0d846d827346328c2ae4f9bb

SHA256
4af116c3809b43d86ac50354f808d3553676b3bb23ce4647b7d46a9261e37710

SHA512
feae3d43bbb957ca16f1ab07fc9f61f34ad8c39a528f3d24b8cca0c75512fb2f4ce572603c0380fece26217ee9e582b041b145d2c1e806d1cf07a213e206a36b

Download Submit
C:\Windows\SysWOW64\Cacckp32.exe

Filesize
91KB

MD5
218669bcb093d04f2b66efd75856d4f2

SHA1
b86fef88dcebf03f0d846d827346328c2ae4f9bb

SHA256
4af116c3809b43d86ac50354f808d3553676b3bb23ce4647b7d46a9261e37710

SHA512
feae3d43bbb957ca16f1ab07fc9f61f34ad8c39a528f3d24b8cca0c75512fb2f4ce572603c0380fece26217ee9e582b041b145d2c1e806d1cf07a213e206a36b

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
91KB

MD5
d66af57df261521aeb68ff0caad2c848

SHA1
33950e1d7843051986ba5d199e88c7e8f1eabbea

SHA256
9ab9fb2c746ed5aea3ba08d226b0c046274b0393d2fb7969450f290c91fd7c0c

SHA512
0bcd3088cf8664b18b63e945a00133ded0a1a793a88ee874fd67183d0eed7e2a3d6f13d548b91084506ae7dc28667113014ecc5fea709b4bf90c0cd357363880

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
91KB

MD5
d66af57df261521aeb68ff0caad2c848

SHA1
33950e1d7843051986ba5d199e88c7e8f1eabbea

SHA256
9ab9fb2c746ed5aea3ba08d226b0c046274b0393d2fb7969450f290c91fd7c0c

SHA512
0bcd3088cf8664b18b63e945a00133ded0a1a793a88ee874fd67183d0eed7e2a3d6f13d548b91084506ae7dc28667113014ecc5fea709b4bf90c0cd357363880

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
91KB

MD5
fdcc5e74c5c9a78554a92905181914a9

SHA1
978a37d31bf77b13c944d69fc674167b3d7c7b86

SHA256
81b9a15a784ad1d68315c1591f59dc72938ead655a34387f31b0bd5953a3059e

SHA512
c586a26c1ee479fe15f2c4d09fe1a0a11699d93d1a308b055c941b470dab97f84f6b38350e9949e27c3a8a9c53bbd89c1cda6ae62673f9fc24709e15660ef43c

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
91KB

MD5
fdcc5e74c5c9a78554a92905181914a9

SHA1
978a37d31bf77b13c944d69fc674167b3d7c7b86

SHA256
81b9a15a784ad1d68315c1591f59dc72938ead655a34387f31b0bd5953a3059e

SHA512
c586a26c1ee479fe15f2c4d09fe1a0a11699d93d1a308b055c941b470dab97f84f6b38350e9949e27c3a8a9c53bbd89c1cda6ae62673f9fc24709e15660ef43c

Download Submit
C:\Windows\SysWOW64\Ckbemgcp.exe

Filesize
91KB

MD5
e49ebd5dcdcef36a73f453572733eb48

SHA1
a02a647ddc76bc51437110965cf7cf4cd23bb49c

SHA256
25afdb1e6a4b5aca9bfd48da1e06ee376d3169e94a923ef6069b6ac77c943b27

SHA512
b32bd14c0c7cd50f80101e55630076be5189fe62090bff28d33ebba9ed2e77d384fc0cd2d4c41949c9bc4fbd46b26de19433f1d432e0838535252433c77b998d

Download Submit
C:\Windows\SysWOW64\Ckbemgcp.exe

Filesize
91KB

MD5
e49ebd5dcdcef36a73f453572733eb48

SHA1
a02a647ddc76bc51437110965cf7cf4cd23bb49c

SHA256
25afdb1e6a4b5aca9bfd48da1e06ee376d3169e94a923ef6069b6ac77c943b27

SHA512
b32bd14c0c7cd50f80101e55630076be5189fe62090bff28d33ebba9ed2e77d384fc0cd2d4c41949c9bc4fbd46b26de19433f1d432e0838535252433c77b998d

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
91KB

MD5
14d23ba2be5597ffabb4aafdc4068ac6

SHA1
1c6f2129f1a4b2d63c8d7327bfdec271c04f3b27

SHA256
402322e53a85fb3988a8c50b61cec993d94687436418602ea99d0fa9c521a5fc

SHA512
44594e216e4991bd8ca7b1feb3a351df54216fd8bf15616ec8d21b98734232d4553736371562a24bf94aaa8691c42217b36bcae3c6722f6bedc891cbda63e995

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
91KB

MD5
14d23ba2be5597ffabb4aafdc4068ac6

SHA1
1c6f2129f1a4b2d63c8d7327bfdec271c04f3b27

SHA256
402322e53a85fb3988a8c50b61cec993d94687436418602ea99d0fa9c521a5fc

SHA512
44594e216e4991bd8ca7b1feb3a351df54216fd8bf15616ec8d21b98734232d4553736371562a24bf94aaa8691c42217b36bcae3c6722f6bedc891cbda63e995

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
91KB

MD5
4366ba88a85cfb4ad7a571d95fafea4f

SHA1
b8b08b8ad653b1ba89ac81c410f1e84cb67c4b3d

SHA256
12cd84eac3e9c43185650a851471a296c99d3a0e5d1d935ca9757e856f2e561c

SHA512
805c9fa414f352f5c80605e5ac27096f74c3b08333d869699ea10aac73c25c6bfddaf19f3c421d7107d7d302a50cd3d9fd5cdb1ce184f50c4bfb79256a663a5b

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
91KB

MD5
4366ba88a85cfb4ad7a571d95fafea4f

SHA1
b8b08b8ad653b1ba89ac81c410f1e84cb67c4b3d

SHA256
12cd84eac3e9c43185650a851471a296c99d3a0e5d1d935ca9757e856f2e561c

SHA512
805c9fa414f352f5c80605e5ac27096f74c3b08333d869699ea10aac73c25c6bfddaf19f3c421d7107d7d302a50cd3d9fd5cdb1ce184f50c4bfb79256a663a5b

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
91KB

MD5
5f32a13310644391412444d7d5aae825

SHA1
4f8fe9d63c91e0c8719fb8ee428f2b6f552b173a

SHA256
c726b3274f5d0a3ba52459a7d0f2ff6dee584081a9b355c3d2a5cf5e9cdb1a40

SHA512
8a9a136e028bc86dd71d429379f40d4df0e497bc54dce42e761f4c40902bcf466b9462f6c207ee75efd09910e251b5b6b8dbf6f8a384b672270d6ba8d3dedccf

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
91KB

MD5
5f32a13310644391412444d7d5aae825

SHA1
4f8fe9d63c91e0c8719fb8ee428f2b6f552b173a

SHA256
c726b3274f5d0a3ba52459a7d0f2ff6dee584081a9b355c3d2a5cf5e9cdb1a40

SHA512
8a9a136e028bc86dd71d429379f40d4df0e497bc54dce42e761f4c40902bcf466b9462f6c207ee75efd09910e251b5b6b8dbf6f8a384b672270d6ba8d3dedccf

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
91KB

MD5
22cad4b686d8fe2049e71a4a7af46456

SHA1
daf15a2096597b1e6631a72009b1ca380bf8f4d5

SHA256
0a71dd5fec39e59d98eee6d4364f457b6c5d6238cb49aea94f71857d1065dcc6

SHA512
47962e88a6c711d9cb119babdcbc1f21292155020f720e964252d3cd8dc4d28715b08bd4642b36f96de14ce298c32a255a101c185e580e8e57e331e0252bd4fe

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
91KB

MD5
22cad4b686d8fe2049e71a4a7af46456

SHA1
daf15a2096597b1e6631a72009b1ca380bf8f4d5

SHA256
0a71dd5fec39e59d98eee6d4364f457b6c5d6238cb49aea94f71857d1065dcc6

SHA512
47962e88a6c711d9cb119babdcbc1f21292155020f720e964252d3cd8dc4d28715b08bd4642b36f96de14ce298c32a255a101c185e580e8e57e331e0252bd4fe

Download Submit
memory/448-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-90-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/936-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/936-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-86-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4000-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4000-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4692-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4692-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads