b11f8065c37558a54799f1965283968f05754cd63328560148f59d54ed77351c

General

Target

f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe
Size

123KB
MD5

4f0abd7211e5bcb49a92591158d4d231
SHA1

f8e6d9646bf17d37f2aad9f5b82212f90f67b886
SHA256

b11f8065c37558a54799f1965283968f05754cd63328560148f59d54ed77351c
SHA512

3e5369dfd10eee1c0f456cd7aa94e095d289f9895f67046df25cac5294b7d6dde897fdc59425c8cd75c61ef6285ef5b645bc7a5f2d5de6b7f6a174bac70ee8fc

Score

10^/10

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1072 created 3176 1072 WerFault.exe f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe

description	pid	process	target process
PID 1072 created 3176	1072	WerFault.exe	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe

description	pid	process	target process
PID 3176 set thread context of 204	3176	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1072 3176 WerFault.exe f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe

pid	pid_target	process	target process
1072	3176	WerFault.exe	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1072 WerFault.exe
Token: SeBackupPrivilege 1072 WerFault.exe
Token: SeDebugPrivilege 1072 WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe

description	pid	process	target process
PID 3176 wrote to memory of 204	3176	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe
PID 3176 wrote to memory of 204	3176	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe
PID 3176 wrote to memory of 204	3176	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe
PID 3176 wrote to memory of 204	3176	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe
PID 3176 wrote to memory of 204	3176	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe
PID 3176 wrote to memory of 204	3176	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe
PID 3176 wrote to memory of 204	3176	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe
PID 3176 wrote to memory of 204	3176	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe	f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe

C:\Users\Admin\AppData\Local\Temp\f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe
"C:\Users\Admin\AppData\Local\Temp\f8e6d9646bf17d37f2aad9f5b82212f90f67b886.exe"
2⤵
PID:204

memory/204-114-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/204-115-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/204-117-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download