19ef515572e854be0638523790c2f83ab245178b3c27746dc9f9b04c1c1319b2

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-02-2023 16:50

Target

Photo_GoogleMaps_myphoto-7-0-56-1-01-photo_my-11.scr.exe
Size

14.0MB
MD5

a4ab9547bec4c8fe0f187a8bedd3f8b5
SHA1

fb0f71ba6132b0cc7b3844c07b9dbc5f8bc578b9
SHA256

19ef515572e854be0638523790c2f83ab245178b3c27746dc9f9b04c1c1319b2
SHA512

0686e9cca60ff256c6da52c681268f7342c70f6df1d62c03807880643117f7dfaa670fdbe1eaa7e54b387e93bb05db81b65bd3a95e6ddd8104a9b4413732a922
SSDEEP

98304:bIr63hrtH0wcQkh2hidp6okCrsl1O1C8e8ZTVQJaeyF91KZVqg81ElLbf:4avcQkh2wdXkHO15LVZ7909V

Score

7^/10

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1816-54-0x0000000000960000-0x0000000001768000-memory.dmp	net_reactor
behavioral1/memory/1816-55-0x000000001C2D0000-0x000000001C7E4000-memory.dmp	net_reactor

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1816	Photo_GoogleMaps_myphoto-7-0-56-1-01-photo_my-11.scr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1816	Photo_GoogleMaps_myphoto-7-0-56-1-01-photo_my-11.scr.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1976	1816	Photo_GoogleMaps_myphoto-7-0-56-1-01-photo_my-11.scr.exe	27
PID 1816 wrote to memory of 1976	1816	Photo_GoogleMaps_myphoto-7-0-56-1-01-photo_my-11.scr.exe	27
PID 1816 wrote to memory of 1976	1816	Photo_GoogleMaps_myphoto-7-0-56-1-01-photo_my-11.scr.exe	27
PID 1816 wrote to memory of 1976	1816	Photo_GoogleMaps_myphoto-7-0-56-1-01-photo_my-11.scr.exe	27
PID 1816 wrote to memory of 1976	1816	Photo_GoogleMaps_myphoto-7-0-56-1-01-photo_my-11.scr.exe	27
PID 1816 wrote to memory of 1976	1816	Photo_GoogleMaps_myphoto-7-0-56-1-01-photo_my-11.scr.exe	27
PID 1816 wrote to memory of 1976	1816	Photo_GoogleMaps_myphoto-7-0-56-1-01-photo_my-11.scr.exe	27

C:\Users\Admin\AppData\Local\Temp\Photo_GoogleMaps_myphoto-7-0-56-1-01-photo_my-11.scr.exe
"C:\Users\Admin\AppData\Local\Temp\Photo_GoogleMaps_myphoto-7-0-56-1-01-photo_my-11.scr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1976

memory/1816-54-0x0000000000960000-0x0000000001768000-memory.dmp

Filesize
14.0MB

Download
memory/1816-55-0x000000001C2D0000-0x000000001C7E4000-memory.dmp

Filesize
5.1MB

Download