3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630

General

Target

3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe
Size

1.3MB
MD5

0fe74c4d8d522f5d543fdedd8a83c3fb
SHA1

305409783ee13f9bb7302f10f1f87ffa71957189
SHA256

3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630
SHA512

5396e87bb4622b5eb133a3ff285635a00b3df7fc834f3b77d5134c5a7f75ec0981b138a220af0158d05262099b5ba21c3c7135dec4820dbb17f43eb6189eda66

Score

9^/10

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/848-135-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/848-135-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/848-135-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft

Suspicious use of SetThreadContext 1 IoCs

Processes:

3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe

description	pid	process	target process
PID 3512 set thread context of 848	3512	3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe

description pid process

Token: SeDebugPrivilege 3512 3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe

description	pid	process
Token: SeDebugPrivilege	3512	3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe

description	pid	process	target process
PID 3512 wrote to memory of 848	3512	3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe	RegAsm.exe
PID 3512 wrote to memory of 848	3512	3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe	RegAsm.exe
PID 3512 wrote to memory of 848	3512	3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe	RegAsm.exe
PID 3512 wrote to memory of 848	3512	3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe	RegAsm.exe
PID 3512 wrote to memory of 848	3512	3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe	RegAsm.exe
PID 3512 wrote to memory of 848	3512	3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe	RegAsm.exe
PID 3512 wrote to memory of 848	3512	3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe	RegAsm.exe
PID 3512 wrote to memory of 848	3512	3996681741dbc68ae302b9bc7a7b6432303f938c6bdcf403a684e4aa75feb630.exe	RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:848

memory/848-134-0x0000000000000000-mapping.dmp

Download
memory/848-135-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/848-136-0x0000000005330000-0x000000000533A000-memory.dmp

Filesize
40KB

Download
memory/848-137-0x0000000005720000-0x0000000005776000-memory.dmp

Filesize
344KB

Download
memory/3512-130-0x00000000006C0000-0x0000000000814000-memory.dmp

Filesize
1.3MB

Download
memory/3512-131-0x0000000005700000-0x0000000005CA4000-memory.dmp

Filesize
5.6MB

Download
memory/3512-132-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/3512-133-0x00000000066B0000-0x000000000674C000-memory.dmp

Filesize
624KB

Download