a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967

General

Target

a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
Size

681KB
MD5

847ff4d67d0f422dfecd2c6ddd7c608b
SHA1

098ceae739de6868834b6ad238f27bd3a4c46046
SHA256

a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967
SHA512

640a804868c394dd1505ab6b780b74b6d9940689dbe728066b660d4a1af9b451cd5790d75d1bb5466664bec50b663a12fef7b7ae3fb5b9af9d4267b06cf86f91

Score

3^/10

Malware Config

Signatures

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1524	580	WerFault.exe	a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
3404	580	WerFault.exe	a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
752	580	WerFault.exe	a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
2244	580	WerFault.exe	a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
4088	580	WerFault.exe	a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
1380	580	WerFault.exe	a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
2240	580	WerFault.exe	a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
2260	580	WerFault.exe	a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
3952	580	WerFault.exe	a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
3924	580	WerFault.exe	a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
3676	580	WerFault.exe	a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
504	580	WerFault.exe	a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
948	580	WerFault.exe	a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe

Suspicious behavior: EnumeratesProcesses 188 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
1524	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
3404	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe
4088	WerFault.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	1524	WerFault.exe
Token: SeBackupPrivilege	1524	WerFault.exe
Token: SeDebugPrivilege	1524	WerFault.exe
Token: SeDebugPrivilege	3404	WerFault.exe
Token: SeDebugPrivilege	752	WerFault.exe
Token: SeDebugPrivilege	2244	WerFault.exe
Token: SeDebugPrivilege	4088	WerFault.exe
Token: SeDebugPrivilege	1380	WerFault.exe
Token: SeDebugPrivilege	2240	WerFault.exe
Token: SeDebugPrivilege	2260	WerFault.exe
Token: SeDebugPrivilege	3952	WerFault.exe
Token: SeDebugPrivilege	3924	WerFault.exe
Token: SeDebugPrivilege	3676	WerFault.exe
Token: SeDebugPrivilege	504	WerFault.exe
Token: SeDebugPrivilege	948	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe
"C:\Users\Admin\AppData\Local\Temp\a8386ff55256357e5002145b68bc515fa7b2919a675ba17cd58e1e249652b967.exe"
1⤵
PID:580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 800
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 936
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 1084
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 1056
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 1124
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 1108
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 1212
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 1424
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 1404
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 1632
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 1560
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 1384
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 1560
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/504-52-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/504-55-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/580-1-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/580-0-0x0000000000E44000-0x0000000000E45000-memory.dmp

Filesize
4KB

Download
memory/580-16-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/580-17-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/752-12-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/752-15-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/948-59-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/948-56-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/1380-29-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/1524-5-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/1524-3-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1524-2-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/2240-30-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/2240-35-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/2244-21-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/2244-18-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2260-36-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2260-39-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/3404-9-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/3404-6-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/3676-48-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/3676-51-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/3924-44-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3924-47-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3952-43-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/3952-40-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/4088-25-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/4088-22-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads