829ccebd604476e92b2d847e228af249e7233e4e42136760e702de4115bd52fe

Analysis

Target

829ccebd604476e92b2d847e228af249e7233e4e42136760e702de4115bd52fe.exe
Size

3.3MB
MD5

21e3feb31825be4bbbe5e509b48eeec7
SHA1

90f9d03713da9b7ec84b938c28b9cd38960c38b9
SHA256

829ccebd604476e92b2d847e228af249e7233e4e42136760e702de4115bd52fe
SHA512

51eec2b1f3cd9d9ee2383485cb8f09b45676d648c371c177136ba4beaa227a24dec8baf41bee88a8bc178f2f03bfab89deb7efc8b9f33302fa74a07ad7768488

Score

1^/10

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1688 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1688 powershell.exe

pid	process
1688	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1688	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

829ccebd604476e92b2d847e228af249e7233e4e42136760e702de4115bd52fe.exe

description	pid	process	target process
PID 1824 wrote to memory of 1688	1824	829ccebd604476e92b2d847e228af249e7233e4e42136760e702de4115bd52fe.exe	powershell.exe
PID 1824 wrote to memory of 1688	1824	829ccebd604476e92b2d847e228af249e7233e4e42136760e702de4115bd52fe.exe	powershell.exe
PID 1824 wrote to memory of 1688	1824	829ccebd604476e92b2d847e228af249e7233e4e42136760e702de4115bd52fe.exe	powershell.exe
PID 1824 wrote to memory of 1688	1824	829ccebd604476e92b2d847e228af249e7233e4e42136760e702de4115bd52fe.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\829ccebd604476e92b2d847e228af249e7233e4e42136760e702de4115bd52fe.exe
"C:\Users\Admin\AppData\Local\Temp\829ccebd604476e92b2d847e228af249e7233e4e42136760e702de4115bd52fe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1824
- \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
  -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688

C:\Users\Admin\AppData\Local\Temp\get-points.ps1

Filesize
3.0MB

MD5
bcac3bbb18f093dbc8e5e76d2675695f

SHA1
96453f65b41e428937349e6f48fe67d6dfd6a580

SHA256
b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a

SHA512
78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab

Download Submit
memory/1688-63-0x0000000002532000-0x0000000002534000-memory.dmp

Filesize
8KB

Download
memory/1688-56-0x0000000000000000-mapping.dmp

Download
memory/1688-58-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1688-62-0x0000000002530000-0x0000000002532000-memory.dmp

Filesize
8KB

Download
memory/1688-64-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1688-61-0x000007FEF3420000-0x000007FEF3F7D000-memory.dmp

Filesize
11.4MB

Download
memory/1688-66-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/1824-57-0x0000000002020000-0x000000000235D000-memory.dmp

Filesize
3.2MB

Download
memory/1824-59-0x0000000002360000-0x000000000280C000-memory.dmp

Filesize
4.7MB

Download
memory/1824-60-0x0000000000040000-0x00000000004F8000-memory.dmp

Filesize
4.7MB

Download
memory/1824-54-0x0000000002020000-0x000000000235D000-memory.dmp

Filesize
3.2MB

Download
memory/1824-55-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download