3f06e0fa1a8d27d1d1f9d82462acc41b757e1a82b34d5d8e0354f024262a6fc9

Analysis

Target

8.exe
Size

21KB
MD5

4a30853a3699ae354d8a238558ed59dd
SHA1

9494865a139853498338b0dc505bd36cc59b6bae
SHA256

3f06e0fa1a8d27d1d1f9d82462acc41b757e1a82b34d5d8e0354f024262a6fc9
SHA512

09bc363d9d62700cf5a7066121e4359f000a6affc8aa04fb642dff8963d0b42f2cc2b02787b1529b2fdcea2d1332a353337199ff364a19cac1504e7ed18d706d

Score

10^/10

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description	pid	Process	procid_target
PID 1092 created 2752	1092	WerFault.exe	61

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1092	2752	WerFault.exe	61

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description	pid	Process
Token: SeDebugPrivilege	1092	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\8.exe
"C:\Users\Admin\AppData\Local\Temp\8.exe"
1⤵
PID:2752
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2752 -s 132
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1092