697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

General

Target

fa35e20372326e5c1e12607df198b5c4.exe
Size

1.4MB
MD5

fa35e20372326e5c1e12607df198b5c4
SHA1

a022779cbf0fca54ef969c8a86be95083f9e128d
SHA256

697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49
SHA512

c24b55c429d6d77791ad3fca53685f9f2f72b336cdf4de62f95e10fb54c1f3e55cda511b78415bbba474131ce4fd9bc887d1086b30a557fb08207487541dd25e

Score

7^/10

agilenet

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

Processes:

resource	yara_rule
behavioral2/memory/3492-121-0x0000000006660000-0x0000000006681000-memory.dmp	agile_net
behavioral2/memory/3492-124-0x0000000005370000-0x000000000586E000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

fa35e20372326e5c1e12607df198b5c4.exe

description pid process target process

PID 3492 set thread context of 2816 3492 fa35e20372326e5c1e12607df198b5c4.exe fa35e20372326e5c1e12607df198b5c4.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3188 2816 WerFault.exe fa35e20372326e5c1e12607df198b5c4.exe

description	pid	process	target process
PID 3492 set thread context of 2816	3492	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe

pid	pid_target	process	target process
3188	2816	WerFault.exe	fa35e20372326e5c1e12607df198b5c4.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

fa35e20372326e5c1e12607df198b5c4.exeWerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fa35e20372326e5c1e12607df198b5c4.exeWerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fa35e20372326e5c1e12607df198b5c4.exe

description	pid	process	target process
PID 3492 wrote to memory of 2816	3492	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 3492 wrote to memory of 2816	3492	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 3492 wrote to memory of 2816	3492	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 3492 wrote to memory of 2816	3492	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 3492 wrote to memory of 2816	3492	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 3492 wrote to memory of 2816	3492	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 3492 wrote to memory of 2816	3492	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe
PID 3492 wrote to memory of 2816	3492	fa35e20372326e5c1e12607df198b5c4.exe	fa35e20372326e5c1e12607df198b5c4.exe

C:\Users\Admin\AppData\Local\Temp\fa35e20372326e5c1e12607df198b5c4.exe
"C:\Users\Admin\AppData\Local\Temp\fa35e20372326e5c1e12607df198b5c4.exe"
2⤵
PID:2816

memory/2816-128-0x000000000040202B-mapping.dmp

Download
memory/2816-132-0x00000000007A0000-0x00000000007A6000-memory.dmp

Filesize
24KB

Download
memory/2816-129-0x00000000007A0000-0x00000000007A6000-memory.dmp

Filesize
24KB

Download
memory/3492-122-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/3492-120-0x0000000005370000-0x000000000586E000-memory.dmp

Filesize
5.0MB

Download
memory/3492-121-0x0000000006660000-0x0000000006681000-memory.dmp

Filesize
132KB

Download
memory/3492-115-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/3492-123-0x00000000066C0000-0x00000000066C1000-memory.dmp

Filesize
4KB

Download
memory/3492-124-0x0000000005370000-0x000000000586E000-memory.dmp

Filesize
5.0MB

Download
memory/3492-125-0x0000000006A40000-0x0000000006A4B000-memory.dmp

Filesize
44KB

Download
memory/3492-126-0x00000000093C0000-0x00000000093C1000-memory.dmp

Filesize
4KB

Download
memory/3492-119-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/3492-118-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/3492-117-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download