3c66f6c923c31e14a95ce0888a3ddbe65035b52f8f0477a9097df9c5ff8de1c8

Analysis

Target

PO.exe
Size

665KB
MD5

070a4973da16d32e155e1040824437cd
SHA1

496075d7a6d341c31bf59563cf0e9542c4746094
SHA256

3c66f6c923c31e14a95ce0888a3ddbe65035b52f8f0477a9097df9c5ff8de1c8
SHA512

651f45b8c7360ab858f8ecdc867aad5c6c66e6527f0403051e8ba9d752a7c50755eea3de2799910c12c7673b519fdf2ba72a5d0c11093bacea51aa6e657eca36

Score

1^/10

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PO.exe

description pid process

Token: SeDebugPrivilege 1296 PO.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PO.exe

pid process

1296 PO.exe
1296 PO.exe
1296 PO.exe
1296 PO.exe
1296 PO.exe

description	pid	process
Token: SeDebugPrivilege	1296	PO.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

PO.exe

description	pid	process	target process
PID 1296 wrote to memory of 1228	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1228	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1228	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1228	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1764	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1764	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1764	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1764	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1808	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1808	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1808	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1808	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1800	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1800	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1800	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1800	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1740	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1740	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1740	1296	PO.exe	PO.exe
PID 1296 wrote to memory of 1740	1296	PO.exe	PO.exe

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
2⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
2⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
2⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
2⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
2⤵
PID:1740