6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a

Analysis

Target

6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a.exe
Size

769KB
MD5

940068f0f20ee4785d5ab78abddaaf2f
SHA1

243916ab8da3d39a6c9b69ac2f669ba2cc0bb59e
SHA256

6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a
SHA512

ed99595b4279d68c4f3f298c5af403382379fff4158378eb75a62cce763610e0bc7989ecabf6c4f83987c76d9ef2224689a478aa77c638cf41fd877925578268

Score

1^/10

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2036	6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a.exe
2036	6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a.exe
2036	6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a.exe
2036	6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1624	2036	6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a.exe	26
PID 2036 wrote to memory of 1624	2036	6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a.exe	26
PID 2036 wrote to memory of 1624	2036	6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a.exe	26
PID 2036 wrote to memory of 1624	2036	6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a.exe	26

C:\Users\Admin\AppData\Local\Temp\6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a.exe
"C:\Users\Admin\AppData\Local\Temp\6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Local\Temp\6ca21c729d3241cc88bbc4dcc7e2432a89c63878af6fd4f8fdb980a1db566a6a.exe"'
  2⤵
  PID:1624

memory/1624-62-0x000000006F3C0000-0x000000006F96B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-54-0x00000000009F0000-0x0000000000AB4000-memory.dmp

Filesize
784KB

Download
memory/2036-55-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2036-56-0x0000000075C01000-0x0000000075C03000-memory.dmp

Filesize
8KB

Download
memory/2036-57-0x0000000004740000-0x00000000047CC000-memory.dmp

Filesize
560KB

Download
memory/2036-59-0x0000000004A20000-0x0000000004AD8000-memory.dmp

Filesize
736KB

Download
memory/2036-61-0x0000000005260000-0x00000000052D8000-memory.dmp

Filesize
480KB

Download