c823110d0c3963b40cbc8f576e708fde84b76cb40615819155b445b415332935

Analysis

Target

c823110d0c3963b40cbc8f576e708fde84b76cb40615819155b445b415332935.exe
Size

711KB
MD5

58478e20f4590f5882e936bee265bcec
SHA1

2604e2877265b146f3e0d637c9e4d21ed8064d25
SHA256

c823110d0c3963b40cbc8f576e708fde84b76cb40615819155b445b415332935
SHA512

576473e7943d8eb955b4c151088baf8d2d619161531b16fd95966cdefae880ab707fb101b0ecfd400d6ab61931ab27613f5b61f8d36b48411798a8a51e272936

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1304	1840	WerFault.exe	24

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1304	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1304	1840	c823110d0c3963b40cbc8f576e708fde84b76cb40615819155b445b415332935.exe	25
PID 1840 wrote to memory of 1304	1840	c823110d0c3963b40cbc8f576e708fde84b76cb40615819155b445b415332935.exe	25
PID 1840 wrote to memory of 1304	1840	c823110d0c3963b40cbc8f576e708fde84b76cb40615819155b445b415332935.exe	25
PID 1840 wrote to memory of 1304	1840	c823110d0c3963b40cbc8f576e708fde84b76cb40615819155b445b415332935.exe	25

C:\Users\Admin\AppData\Local\Temp\c823110d0c3963b40cbc8f576e708fde84b76cb40615819155b445b415332935.exe
"C:\Users\Admin\AppData\Local\Temp\c823110d0c3963b40cbc8f576e708fde84b76cb40615819155b445b415332935.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 176
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1304

memory/1304-61-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1840-59-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download