82e2ec8dbb04662b464e20ca63c53463b8417c3aff081a0adc19bea3c32357da

Analysis

Target

82e2ec8dbb04662b464e20ca63c53463b8417c3aff081a0adc19bea3c32357da.exe
Size

1.1MB
MD5

d15bf7fb89a2ec389e8db7d3705afe03
SHA1

9112a82fbb6a998dd785d273fc68cdc6007a6c43
SHA256

82e2ec8dbb04662b464e20ca63c53463b8417c3aff081a0adc19bea3c32357da
SHA512

5fb9775b03d8bb0c0df4642de1ecc77edc64e3d44c3628068ded7717cfef75b45c0895920330113cb386ca59e3451593f4c490574a01e55c048c1d230a7c85e2

Score

10^/10

vmprotect

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1116 created 756	1116	WerFault.exe	67

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
behavioral2/memory/1116-1-0x0000000004600000-0x0000000004601000-memory.dmp	vmprotect

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1116	756	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

C:\Users\Admin\AppData\Local\Temp\82e2ec8dbb04662b464e20ca63c53463b8417c3aff081a0adc19bea3c32357da.exe
"C:\Users\Admin\AppData\Local\Temp\82e2ec8dbb04662b464e20ca63c53463b8417c3aff081a0adc19bea3c32357da.exe"
1⤵
PID:756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 248
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116

memory/1116-0-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/1116-1-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/1116-3-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download