a47f1b1a2995865a081e270569e3cb0857d3af3759c2e06b72e3f418e9611a87

General

Target

RFQ 10050395.exe
Size

733KB
MD5

208b8885063f4562e1e181c63f155bd1
SHA1

b0071008c3ae769433c6c71acd49c80a4b5a853d
SHA256

a47f1b1a2995865a081e270569e3cb0857d3af3759c2e06b72e3f418e9611a87
SHA512

96f48b489308904e883c004514cc0cd33cfeb893f03e4f9d9454b88c95c991cad2b9773040c4a9d08d524d0f79cf7232e4cc81352ea0a0100c4c7dbf99c5e3f7

Score

1^/10

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

RFQ 10050395.exe

pid process

304 RFQ 10050395.exe
304 RFQ 10050395.exe
304 RFQ 10050395.exe
304 RFQ 10050395.exe
304 RFQ 10050395.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RFQ 10050395.exe

description pid process

Token: SeDebugPrivilege 304 RFQ 10050395.exe

description	pid	process
Token: SeDebugPrivilege	304	RFQ 10050395.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

RFQ 10050395.exe

description	pid	process	target process
PID 304 wrote to memory of 1908	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 1908	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 1908	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 1908	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 560	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 560	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 560	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 560	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 108	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 108	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 108	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 108	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 1332	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 1332	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 1332	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 1332	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 1344	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 1344	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 1344	304	RFQ 10050395.exe	RFQ 10050395.exe
PID 304 wrote to memory of 1344	304	RFQ 10050395.exe	RFQ 10050395.exe

C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe"
2⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe"
2⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe"
2⤵
PID:108

C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe"
2⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 10050395.exe"
2⤵
PID:1344

memory/304-54-0x0000000000210000-0x00000000002CC000-memory.dmp

Filesize
752KB

Download
memory/304-55-0x0000000075311000-0x0000000075313000-memory.dmp

Filesize
8KB

Download
memory/304-56-0x0000000000500000-0x0000000000516000-memory.dmp

Filesize
88KB

Download
memory/304-57-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/304-58-0x0000000005200000-0x00000000052A8000-memory.dmp

Filesize
672KB

Download
memory/304-59-0x0000000002260000-0x00000000022D4000-memory.dmp

Filesize
464KB

Download