ea11fa5c53db476858902d1ac3a763bf6da8e743b9dc3a508a203b18ffc2d9a5

Analysis

Target

nakit.exe
Size

587KB
MD5

1c07bd7e68247568357448dc81d45e53
SHA1

88c96369e426a72d3043582115da7aa623b00e66
SHA256

ea11fa5c53db476858902d1ac3a763bf6da8e743b9dc3a508a203b18ffc2d9a5
SHA512

ffdb7e4dd2d67db9bb20ea5d2fd83d12c49feaa7a9ac49ef9c51c2971ce294e42c6db9ac4719b0007ec61f184c854d2004c88cd0d40078f49f6c9631e3ddd35a

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

804 1568 WerFault.exe nakit.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

804 WerFault.exe
804 WerFault.exe
804 WerFault.exe
804 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 804 WerFault.exe

pid	pid_target	process	target process
804	1568	WerFault.exe	nakit.exe

description	pid	process
Token: SeDebugPrivilege	804	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

nakit.exe

description	pid	process	target process
PID 1568 wrote to memory of 804	1568	nakit.exe	WerFault.exe
PID 1568 wrote to memory of 804	1568	nakit.exe	WerFault.exe
PID 1568 wrote to memory of 804	1568	nakit.exe	WerFault.exe
PID 1568 wrote to memory of 804	1568	nakit.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\nakit.exe
"C:\Users\Admin\AppData\Local\Temp\nakit.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1568

memory/804-61-0x0000000000000000-mapping.dmp

Download
memory/804-62-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1568-55-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/1568-57-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1568-58-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/1568-59-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/1568-60-0x0000000005290000-0x000000000530B000-memory.dmp

Filesize
492KB

Download