c96f0650573130180a039e7b9d66d11e18c97c9fe96c732f2d5fdbcb05a140eb

General

Target

450f463616026025f68295b9a3dd365f.exe
Size

779KB
MD5

450f463616026025f68295b9a3dd365f
SHA1

440c0e1d874ebd9c3f86b672f24b39d7c857baa3
SHA256

c96f0650573130180a039e7b9d66d11e18c97c9fe96c732f2d5fdbcb05a140eb
SHA512

7fb9e37bb037f48779b508863f9dacd9714214adc4642619978b9cf90cd19311ad0f122512a41e4d91ad55bd25d7f076266e93f60cfb9df7e8cf325149d4b76f

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4196 2980 WerFault.exe 450f463616026025f68295b9a3dd365f.exe

pid	pid_target	process	target process
4196	2980	WerFault.exe	450f463616026025f68295b9a3dd365f.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe
4196	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4196 WerFault.exe
Token: SeBackupPrivilege 4196 WerFault.exe
Token: SeDebugPrivilege 4196 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	4196	WerFault.exe
Token: SeBackupPrivilege	4196	WerFault.exe
Token: SeDebugPrivilege	4196	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

450f463616026025f68295b9a3dd365f.exe

C:\Users\Admin\AppData\Local\Temp\450f463616026025f68295b9a3dd365f.exe
"C:\Users\Admin\AppData\Local\Temp\450f463616026025f68295b9a3dd365f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\450f463616026025f68295b9a3dd365f.exe
C:\Users\Admin\AppData\Local\Temp\450f463616026025f68295b9a3dd365f.exe
2⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 388
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2980-117-0x0000000000000000-mapping.dmp

Download
memory/2980-121-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2980-122-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/3996-115-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/3996-118-0x0000000010410000-0x000000001042B000-memory.dmp

Filesize
108KB

Download

description	pid	process	target process
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe
PID 3996 wrote to memory of 2980	3996	450f463616026025f68295b9a3dd365f.exe	450f463616026025f68295b9a3dd365f.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads