dfb1f00592d6264a6bf3ad8b02187dfad62d1526fa5b32e667cd6bf884d4db85

Analysis

Target

111ad964219b61522ae20b036702d096.exe
Size

957KB
MD5

111ad964219b61522ae20b036702d096
SHA1

184bab164050233a8d72541decbc4437f2122843
SHA256

dfb1f00592d6264a6bf3ad8b02187dfad62d1526fa5b32e667cd6bf884d4db85
SHA512

09ea9830cb7508594818e25cddd03aef055b0cdc517f8270197b0798648007cfe2cc2bfd763a838067436d8a229a0c7a24ef6fa016eec07464c8e4d793798b6e

Score

10^/10

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3948 created 3496	3948	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious behavior: EnumeratesProcesses 13 IoCs

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3948	3496	WerFault.exe	66

C:\Users\Admin\AppData\Local\Temp\111ad964219b61522ae20b036702d096.exe
"C:\Users\Admin\AppData\Local\Temp\111ad964219b61522ae20b036702d096.exe"
1⤵
PID:3496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 684
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Program crash
  PID:3948

memory/3496-1-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/3496-2-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/3948-3-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/3948-4-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/3948-6-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download