cd9f4545497982e34ff0cff1d26e4b8d4a46ff76715e815a06d5079f27117b1c

Analysis

Target

5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe
Size

898KB
MD5

cb2b4cd74c7b57a12bd822a168e4e608
SHA1

f2182062719f0537071545b77ca75f39c2922bf5
SHA256

5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed
SHA512

7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1588 1696 WerFault.exe 5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1588 WerFault.exe
1588 WerFault.exe
1588 WerFault.exe
1588 WerFault.exe
1588 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1588 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1588 WerFault.exe

pid	pid_target	process	target process
1588	1696	WerFault.exe	5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe

pid	process
1588	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1588	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe

description	pid	process	target process
PID 1696 wrote to memory of 1588	1696	5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe	WerFault.exe
PID 1696 wrote to memory of 1588	1696	5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe	WerFault.exe
PID 1696 wrote to memory of 1588	1696	5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe	WerFault.exe
PID 1696 wrote to memory of 1588	1696	5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe
"C:\Users\Admin\AppData\Local\Temp\5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696

memory/1588-61-0x0000000000000000-mapping.dmp

Download
memory/1588-62-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1696-59-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1696-60-0x0000000000360000-0x0000000000393000-memory.dmp

Filesize
204KB

Download