1e264a7ebc6f216495ecbc96b8f4047e48dfa0765d2715ba399c07d173dc858f

Analysis

max time kernel
5s
max time network
4s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 23:10

Target

BootstrapperV1.18.exe
Size

971KB
MD5

335c86796cb4bb70a4475ab42835320e
SHA1

6307f5824e29a69dbd37a7e8c048db99e18eb88b
SHA256

1e264a7ebc6f216495ecbc96b8f4047e48dfa0765d2715ba399c07d173dc858f
SHA512

732b4713933c93dfa181822517653676474d2dd14b31331a86d3aa8e2c08e32dcffcce42f05daa81466f78e16f6674be19695588d822213a2197aecc1e93155a
SSDEEP

12288:2AXwt3si8zBLxbkY+MnHDJ1LzD1SoGkSj16XBUtbrIPQAbYLzZ3ZP:3wtcvzBLxbkY5zwoGkSjEXOtvIP1bYx

Score

1^/10

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	BootstrapperV1.18.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2636	1764	BootstrapperV1.18.exe	32
PID 1764 wrote to memory of 2636	1764	BootstrapperV1.18.exe	32
PID 1764 wrote to memory of 2636	1764	BootstrapperV1.18.exe	32

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.18.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.18.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1764 -s 1016
  2⤵
  PID:2636

memory/1764-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/1764-1-0x00000000001C0000-0x00000000002BA000-memory.dmp

Filesize
1000KB

Download
memory/1764-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1764-3-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download