c7af3849210fbedaa9447012d804ccb362d66a34e7d636ea1b97d0a8115f022c

Resubmissions

09/08/2024, 16:03

24/02/2021, 17:21

Target

ed5c086f90c82e755393dd4d183d8323.exe
Size

369KB
MD5

ed5c086f90c82e755393dd4d183d8323
SHA1

50900629dd2d2e39d67e8fa098e2460e2d899139
SHA256

c7af3849210fbedaa9447012d804ccb362d66a34e7d636ea1b97d0a8115f022c
SHA512

7345707c182898eb134250dd3de5870a36c45a522a363d7c9b06df72b9fe81785c4c448d8efb2a748a5b578783d6282ce499d03f2ce8d624e408f5bde18c328e

Score

10^/10

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3804 created 3996	3804	WerFault.exe	67

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3804	3996	WerFault.exe	67

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

C:\Users\Admin\AppData\Local\Temp\ed5c086f90c82e755393dd4d183d8323.exe
"C:\Users\Admin\AppData\Local\Temp\ed5c086f90c82e755393dd4d183d8323.exe"
1⤵
PID:3996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 708
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3804

memory/3804-5-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/3804-6-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/3996-2-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/3996-3-0x0000000000990000-0x0000000000A0F000-memory.dmp

Filesize
508KB

Download
memory/3996-4-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download