4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346

General

Target

4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
Size

708KB
MD5

21d2a09032e7cfd619161bf46f945e49
SHA1

bf13d03927839004e141769dfc50ab5db686bf12
SHA256

4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346
SHA512

40183442fa6005cdc2560303b2b3264c7a348f46117c62e6ce54938b18221ba7178907458430e99895609defa5ea8e1b606daf9259343392f915ea68cf5c455b

Score

3^/10

Malware Config

Signatures

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2680	732	WerFault.exe	4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
2828	732	WerFault.exe	4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
576	732	WerFault.exe	4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
212	732	WerFault.exe	4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
3012	732	WerFault.exe	4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
1324	732	WerFault.exe	4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
3944	732	WerFault.exe	4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
3176	732	WerFault.exe	4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
2284	732	WerFault.exe	4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
1240	732	WerFault.exe	4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
2980	732	WerFault.exe	4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
508	732	WerFault.exe	4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
2568	732	WerFault.exe	4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe

Suspicious behavior: EnumeratesProcesses 188 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2680	WerFault.exe
Token: SeBackupPrivilege	2680	WerFault.exe
Token: SeDebugPrivilege	2680	WerFault.exe
Token: SeDebugPrivilege	2828	WerFault.exe
Token: SeDebugPrivilege	576	WerFault.exe
Token: SeDebugPrivilege	212	WerFault.exe
Token: SeDebugPrivilege	3012	WerFault.exe
Token: SeDebugPrivilege	1324	WerFault.exe
Token: SeDebugPrivilege	3944	WerFault.exe
Token: SeDebugPrivilege	3176	WerFault.exe
Token: SeDebugPrivilege	2284	WerFault.exe
Token: SeDebugPrivilege	1240	WerFault.exe
Token: SeDebugPrivilege	2980	WerFault.exe
Token: SeDebugPrivilege	508	WerFault.exe
Token: SeDebugPrivilege	2568	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe
"C:\Users\Admin\AppData\Local\Temp\4eab21e944c603bceb8dc6ecfc742c2e9087f7e31b49482c2e8c4041d14f4346.exe"
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 796
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 932
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1076
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1048
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1136
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1068
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1240
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1432
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1608
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1352
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1044
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1672
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1772
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-17-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/212-14-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/508-51-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/508-48-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/576-13-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/576-10-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/732-1-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/732-0-0x00000000023F6000-0x00000000023F7000-memory.dmp

Filesize
4KB

Download
memory/1240-43-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/1240-40-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/1324-22-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/1324-25-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/2284-36-0x00000000046D0000-0x00000000046D1000-memory.dmp

Filesize
4KB

Download
memory/2284-39-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/2568-55-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/2568-52-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/2680-5-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/2680-3-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/2680-2-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/2828-9-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/2828-6-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/2980-44-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/2980-47-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/3012-21-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/3012-18-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/3176-32-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3944-31-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/3944-28-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads