bc52edf75f10223dfca0e123d41dec31eb9f64686fccc2382ec37d0430eb1e5b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

043bfc763475d8f9a02fe32bb95fd500_NeikiAnalytics.exe
Size

73KB
MD5

043bfc763475d8f9a02fe32bb95fd500
SHA1

ede2fcc8645ee581903c6ce1c1fa99cc257b7a1a
SHA256

bc52edf75f10223dfca0e123d41dec31eb9f64686fccc2382ec37d0430eb1e5b
SHA512

6faf01f4f31737af76a5bf42ce576959a2332ce032fcce2d4900eed7d4e3eb1204e6ca7b41e01d3acbde95b82a0729e844d0765b0086644f8f29a4369439e420
SSDEEP

1536:sDcLLfPxPtp14zgyXVdtnBDvtwHNWnnnl:sDKLzn4zgyXVd1NSE

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4364	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	043bfc763475d8f9a02fe32bb95fd500_NeikiAnalytics.exe

Executes dropped EXE 64 IoCs

pid	Process
1808	egkhost.exe
2832	egkhost.exe
3780	egkhost.exe
4636	egkhost.exe
768	egkhost.exe
1672	egkhost.exe
5112	egkhost.exe
2020	egkhost.exe
3068	egkhost.exe
5040	egkhost.exe
4612	egkhost.exe
1000	egkhost.exe
3368	egkhost.exe
4328	egkhost.exe
3432	egkhost.exe
4528	egkhost.exe
3772	egkhost.exe
4876	egkhost.exe
624	egkhost.exe
1784	egkhost.exe
4932	egkhost.exe
1492	egkhost.exe
1616	egkhost.exe
4960	egkhost.exe
3396	egkhost.exe
940	egkhost.exe
2460	egkhost.exe
4500	egkhost.exe
1000	egkhost.exe
3368	egkhost.exe
3584	egkhost.exe
388	egkhost.exe
4820	egkhost.exe
1532	egkhost.exe
3936	egkhost.exe
4092	egkhost.exe
5004	egkhost.exe
2300	egkhost.exe
3264	egkhost.exe
3320	egkhost.exe
1572	egkhost.exe
3800	egkhost.exe
3756	egkhost.exe
3736	egkhost.exe
1396	egkhost.exe
4568	egkhost.exe
4500	egkhost.exe
4772	egkhost.exe
3960	egkhost.exe
2424	egkhost.exe
1920	egkhost.exe
4360	egkhost.exe
4580	egkhost.exe
436	egkhost.exe
2144	egkhost.exe
3028	egkhost.exe
1328	egkhost.exe
2516	egkhost.exe
2068	egkhost.exe
4880	egkhost.exe
5032	egkhost.exe
1232	egkhost.exe
4480	egkhost.exe
4768	egkhost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\egkhost.exe	043bfc763475d8f9a02fe32bb95fd500_NeikiAnalytics.exe
File opened for modification	C:\Windows\Debug\egkhost.exe	attrib.exe
File created	C:\Windows\Debug\egkhost.exe	043bfc763475d8f9a02fe32bb95fd500_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2560	1808	WerFault.exe	84
4992	2832	WerFault.exe	96
3212	3780	WerFault.exe	99
2452	4636	WerFault.exe	102
3400	768	WerFault.exe	105
2088	1672	WerFault.exe	108
3512	5112	WerFault.exe	111
3276	2020	WerFault.exe	114
696	3068	WerFault.exe	117
4128	5040	WerFault.exe	120
4068	4612	WerFault.exe	123
2124	1000	WerFault.exe	126
468	3368	WerFault.exe	129
3960	4328	WerFault.exe	132
3488	3432	WerFault.exe	135
5000	4528	WerFault.exe	140
2000	3772	WerFault.exe	143
1432	4876	WerFault.exe	146
4088	624	WerFault.exe	149
1328	1784	WerFault.exe	152
1672	4932	WerFault.exe	156
1572	1492	WerFault.exe	159
4144	1616	WerFault.exe	162
924	4960	WerFault.exe	165
880	3396	WerFault.exe	168
4276	940	WerFault.exe	171
704	2460	WerFault.exe	174
2124	4500	WerFault.exe	177
3304	1000	WerFault.exe	180
3344	3368	WerFault.exe	183
3624	3584	WerFault.exe	186
1536	388	WerFault.exe	189
4968	4820	WerFault.exe	192
4868	1532	WerFault.exe	195
3772	3936	WerFault.exe	198
1440	4092	WerFault.exe	201
2544	5004	WerFault.exe	204
3212	2300	WerFault.exe	207
3232	3264	WerFault.exe	210
4964	3320	WerFault.exe	213
4908	1572	WerFault.exe	216
4680	3800	WerFault.exe	219
1560	3756	WerFault.exe	222
1452	3736	WerFault.exe	225
1336	1396	WerFault.exe	228
1504	4568	WerFault.exe	231
3876	4500	WerFault.exe	234
1200	4772	WerFault.exe	237
3368	3960	WerFault.exe	240
3156	2424	WerFault.exe	243
2480	1920	WerFault.exe	246
4944	4360	WerFault.exe	249
3572	4580	WerFault.exe	252
3496	436	WerFault.exe	255
5024	2144	WerFault.exe	258
5088	3028	WerFault.exe	261
208	1328	WerFault.exe	264
232	2516	WerFault.exe	267
4036	2068	WerFault.exe	270
516	4880	WerFault.exe	273
440	5032	WerFault.exe	276
4760	1232	WerFault.exe	279
1332	4480	WerFault.exe	282
2636	4768	WerFault.exe	285

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	egkhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	egkhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2944	043bfc763475d8f9a02fe32bb95fd500_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 4364	2944	043bfc763475d8f9a02fe32bb95fd500_NeikiAnalytics.exe	82
PID 2944 wrote to memory of 4364	2944	043bfc763475d8f9a02fe32bb95fd500_NeikiAnalytics.exe	82
PID 2944 wrote to memory of 4364	2944	043bfc763475d8f9a02fe32bb95fd500_NeikiAnalytics.exe	82
PID 2944 wrote to memory of 1520	2944	043bfc763475d8f9a02fe32bb95fd500_NeikiAnalytics.exe	88
PID 2944 wrote to memory of 1520	2944	043bfc763475d8f9a02fe32bb95fd500_NeikiAnalytics.exe	88
PID 2944 wrote to memory of 1520	2944	043bfc763475d8f9a02fe32bb95fd500_NeikiAnalytics.exe	88

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4364	attrib.exe

C:\Users\Admin\AppData\Local\Temp\043bfc763475d8f9a02fe32bb95fd500_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\043bfc763475d8f9a02fe32bb95fd500_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\attrib.exe
  attrib +a +s +h +r C:\Windows\Debug\egkhost.exe
  2⤵
  - Sets file to hidden
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:4364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\043BFC~1.EXE > nul
  2⤵
  PID:1520

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 828
  2⤵
  - Program crash
  PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1808 -ip 1808
1⤵
PID:2776

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 792
  2⤵
  - Program crash
  PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2832 -ip 2832
1⤵
PID:4784

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 792
  2⤵
  - Program crash
  PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3780 -ip 3780
1⤵
PID:2856

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 792
  2⤵
  - Program crash
  PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4636 -ip 4636
1⤵
PID:2892

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 792
  2⤵
  - Program crash
  PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 768 -ip 768
1⤵
PID:4932

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 792
  2⤵
  - Program crash
  PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1672 -ip 1672
1⤵
PID:1632

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 792
  2⤵
  - Program crash
  PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5112 -ip 5112
1⤵
PID:1492

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 792
  2⤵
  - Program crash
  PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2020 -ip 2020
1⤵
PID:1872

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 792
  2⤵
  - Program crash
  PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3068 -ip 3068
1⤵
PID:4760

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:5040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 792
  2⤵
  - Program crash
  PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5040 -ip 5040
1⤵
PID:4676

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:4612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 792
  2⤵
  - Program crash
  PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4612 -ip 4612
1⤵
PID:1688

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:1000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 792
  2⤵
  - Program crash
  PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1000 -ip 1000
1⤵
PID:4372

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 792
  2⤵
  - Program crash
  PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3368 -ip 3368
1⤵
PID:2976

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 792
  2⤵
  - Program crash
  PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4328 -ip 4328
1⤵
PID:2580

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:3432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 792
  2⤵
  - Program crash
  PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3432 -ip 3432
1⤵
PID:3088

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 792
  2⤵
  - Program crash
  PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4528 -ip 4528
1⤵
PID:2380

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:3772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 792
  2⤵
  - Program crash
  PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3772 -ip 3772
1⤵
PID:4292

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 792
  2⤵
  - Program crash
  PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4876 -ip 4876
1⤵
PID:1276

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 792
  2⤵
  - Program crash
  PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 624 -ip 624
1⤵
PID:2004

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 792
  2⤵
  - Program crash
  PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1784 -ip 1784
1⤵
PID:556

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 792
  2⤵
  - Program crash
  PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4932 -ip 4932
1⤵
PID:3232

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 792
  2⤵
  - Program crash
  PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1492 -ip 1492
1⤵
PID:4964

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 792
  2⤵
  - Program crash
  PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1616 -ip 1616
1⤵
PID:5032

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 792
  2⤵
  - Program crash
  PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4960 -ip 4960
1⤵
PID:1428

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 792
  2⤵
  - Program crash
  PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3396 -ip 3396
1⤵
PID:1332

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 792
  2⤵
  - Program crash
  PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 940 -ip 940
1⤵
PID:4740

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 792
  2⤵
  - Program crash
  PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2460 -ip 2460
1⤵
PID:1688

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 792
  2⤵
  - Program crash
  PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4500 -ip 4500
1⤵
PID:1648

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 792
  2⤵
  - Program crash
  PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1000 -ip 1000
1⤵
PID:2864

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:3368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 792
  2⤵
  - Program crash
  PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3368 -ip 3368
1⤵
PID:3960

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 792
  2⤵
  - Program crash
  PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3584 -ip 3584
1⤵
PID:4688

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 792
  2⤵
  - Program crash
  PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 388 -ip 388
1⤵
PID:3964

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 792
  2⤵
  - Program crash
  PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4820 -ip 4820
1⤵
PID:4684

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 792
  2⤵
  - Program crash
  PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1532 -ip 1532
1⤵
PID:4528

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 792
  2⤵
  - Program crash
  PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3936 -ip 3936
1⤵
PID:1508

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 792
  2⤵
  - Program crash
  PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4092 -ip 4092
1⤵
PID:1112

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 792
  2⤵
  - Program crash
  PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5004 -ip 5004
1⤵
PID:3360

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:2300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 792
  2⤵
  - Program crash
  PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2300 -ip 2300
1⤵
PID:4280

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:3264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 792
  2⤵
  - Program crash
  PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3264 -ip 3264
1⤵
PID:3364

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 792
  2⤵
  - Program crash
  PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3320 -ip 3320
1⤵
PID:1408

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:1572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 792
  2⤵
  - Program crash
  PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1572 -ip 1572
1⤵
PID:2500

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 792
  2⤵
  - Program crash
  PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3800 -ip 3800
1⤵
PID:628

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 792
  2⤵
  - Program crash
  PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3756 -ip 3756
1⤵
PID:3744

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:3736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 792
  2⤵
  - Program crash
  PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3736 -ip 3736
1⤵
PID:2980

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 792
  2⤵
  - Program crash
  PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1396 -ip 1396
1⤵
PID:4000

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 792
  2⤵
  - Program crash
  PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4568 -ip 4568
1⤵
PID:1400

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 796
  2⤵
  - Program crash
  PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4500 -ip 4500
1⤵
PID:3920

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 792
  2⤵
  - Program crash
  PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4772 -ip 4772
1⤵
PID:2976

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 792
  2⤵
  - Program crash
  PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3960 -ip 3960
1⤵
PID:4344

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:2424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 792
  2⤵
  - Program crash
  PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2424 -ip 2424
1⤵
PID:2572

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 792
  2⤵
  - Program crash
  PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1920 -ip 1920
1⤵
PID:2696

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 792
  2⤵
  - Program crash
  PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4360 -ip 4360
1⤵
PID:1556

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 792
  2⤵
  - Program crash
  PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4580 -ip 4580
1⤵
PID:2672

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 792
  2⤵
  - Program crash
  PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 436 -ip 436
1⤵
PID:1508

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 792
  2⤵
  - Program crash
  PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 2144 -ip 2144
1⤵
PID:4508

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 792
  2⤵
  - Program crash
  PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3028 -ip 3028
1⤵
PID:4088

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:1328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 792
  2⤵
  - Program crash
  PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1328 -ip 1328
1⤵
PID:1708

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 792
  2⤵
  - Program crash
  PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2516 -ip 2516
1⤵
PID:1464

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 792
  2⤵
  - Program crash
  PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 2068 -ip 2068
1⤵
PID:3128

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:4880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 792
  2⤵
  - Program crash
  PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4880 -ip 4880
1⤵
PID:1512

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:5032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 792
  2⤵
  - Program crash
  PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5032 -ip 5032
1⤵
PID:1864

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 792
  2⤵
  - Program crash
  PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1232 -ip 1232
1⤵
PID:2212

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
PID:4480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 792
  2⤵
  - Program crash
  PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 4480 -ip 4480
1⤵
PID:4572

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 792
  2⤵
  - Program crash
  PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 4768 -ip 4768
1⤵
PID:2020

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
PID:380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 792
  2⤵
  PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 380 -ip 380
1⤵
PID:4140

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Checks processor information in registry
PID:1084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 792
  2⤵
  PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1084 -ip 1084
1⤵
PID:1412

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Checks processor information in registry
PID:940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 792
  2⤵
  PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 940 -ip 940
1⤵
PID:1400

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Checks processor information in registry
PID:4596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 792
  2⤵
  PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4596 -ip 4596
1⤵
PID:1772

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
PID:4620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 792
  2⤵
  PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4620 -ip 4620
1⤵
PID:1000

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Checks processor information in registry
PID:1004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 796
  2⤵
  PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 1004 -ip 1004
1⤵
PID:1592

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Checks processor information in registry
PID:1976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 792
  2⤵
  PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 1976 -ip 1976
1⤵
PID:3432

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
- Checks processor information in registry
PID:1420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 796
  2⤵
  PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 1420 -ip 1420
1⤵
PID:2884

C:\Windows\Debug\egkhost.exe
C:\Windows\Debug\egkhost.exe
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\egkhost.exe

Filesize
73KB

MD5
860bdfc4b431c0a982f05ecec9407927

SHA1
e5507a4540fa2567299e391d90a5e0e7ba0d7dd1

SHA256
bf726fd5b9f6230d13ae9ec99c371aa490c9d813270d931a1116f1807a7a34d5

SHA512
faaf1896ab2195afe50fa4a66ecf0bae0a47cae1f3c598127dd286a1317322b446b9a0f203af74ee3eb2249a70a4f050f5772a5a38ab75f31969dcf62044b97e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads