021f4846815c6c2c0fcd2a808054c52c0569526bd4fb049b47ceb061e822d354

Analysis

Target

1XrdOdPqR6jBVMu.exe
Size

507KB
MD5

e5a4d65f4234001c405be18760073317
SHA1

9aaf994aa6cee464fde60749d9a1aba698199b41
SHA256

021f4846815c6c2c0fcd2a808054c52c0569526bd4fb049b47ceb061e822d354
SHA512

27892695e298ac1be6f982b97be4a9da56ed31031c3cb83d8e98815d1676442672aa3626a8a14782e638fa988a96dcb3229c72356374f7193fc8ee7469fdcc69

Score

1^/10

Suspicious behavior: EnumeratesProcesses 7 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1156	1XrdOdPqR6jBVMu.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1848	1156	1XrdOdPqR6jBVMu.exe	28
PID 1156 wrote to memory of 1848	1156	1XrdOdPqR6jBVMu.exe	28
PID 1156 wrote to memory of 1848	1156	1XrdOdPqR6jBVMu.exe	28
PID 1156 wrote to memory of 1848	1156	1XrdOdPqR6jBVMu.exe	28
PID 1156 wrote to memory of 1864	1156	1XrdOdPqR6jBVMu.exe	29
PID 1156 wrote to memory of 1864	1156	1XrdOdPqR6jBVMu.exe	29
PID 1156 wrote to memory of 1864	1156	1XrdOdPqR6jBVMu.exe	29
PID 1156 wrote to memory of 1864	1156	1XrdOdPqR6jBVMu.exe	29
PID 1156 wrote to memory of 1920	1156	1XrdOdPqR6jBVMu.exe	30
PID 1156 wrote to memory of 1920	1156	1XrdOdPqR6jBVMu.exe	30
PID 1156 wrote to memory of 1920	1156	1XrdOdPqR6jBVMu.exe	30
PID 1156 wrote to memory of 1920	1156	1XrdOdPqR6jBVMu.exe	30
PID 1156 wrote to memory of 1952	1156	1XrdOdPqR6jBVMu.exe	31
PID 1156 wrote to memory of 1952	1156	1XrdOdPqR6jBVMu.exe	31
PID 1156 wrote to memory of 1952	1156	1XrdOdPqR6jBVMu.exe	31
PID 1156 wrote to memory of 1952	1156	1XrdOdPqR6jBVMu.exe	31
PID 1156 wrote to memory of 1960	1156	1XrdOdPqR6jBVMu.exe	32
PID 1156 wrote to memory of 1960	1156	1XrdOdPqR6jBVMu.exe	32
PID 1156 wrote to memory of 1960	1156	1XrdOdPqR6jBVMu.exe	32
PID 1156 wrote to memory of 1960	1156	1XrdOdPqR6jBVMu.exe	32

C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
"C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
  "{path}"
  2⤵
  PID:1848
- C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
  "{path}"
  2⤵
  PID:1864
- C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
  "{path}"
  2⤵
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
  "{path}"
  2⤵
  PID:1952
- C:\Users\Admin\AppData\Local\Temp\1XrdOdPqR6jBVMu.exe
  "{path}"
  2⤵
  PID:1960

memory/1156-0-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/1156-1-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1156-3-0x0000000000250000-0x0000000000253000-memory.dmp

Filesize
12KB

Download
memory/1156-4-0x0000000004FC0000-0x0000000005032000-memory.dmp

Filesize
456KB

Download
memory/1156-5-0x0000000000580000-0x0000000000618000-memory.dmp

Filesize
608KB

Download