d2a63c6d9cdda0bc062b61cf77d84259c451edfed1a01401e519bc75cfff7e8e

Analysis

max time kernel
119s
max time network
133s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20/08/2023, 07:55

Target

Pre_Satup1_Activate.exe
Size

66.0MB
MD5

60c266e24923ebb2f88f2e29d45cc553
SHA1

893fa582caeca62faf5fccce950f5b654ef339c5
SHA256

d2a63c6d9cdda0bc062b61cf77d84259c451edfed1a01401e519bc75cfff7e8e
SHA512

e2c87a7c2fa8a3f07fff03505592c74a5528249c40e40573deb2a5dfc2961a99ac6f4d28324982555f7296d706901940f66e6a85e25a4492d42f1e674943fd15
SSDEEP

12288:cTSptB012lD9Gx/4fj0gcSyGD8Apjl4IWQAqOs/Dq1tXLi1CBpojCSguSYrsE1EP:cTam2bGwPc651uI9BCXhcjCSRrNgougc

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2416	powershell.exe
2416	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1424	2260	Pre_Satup1_Activate.exe	28
PID 2260 wrote to memory of 1424	2260	Pre_Satup1_Activate.exe	28
PID 2260 wrote to memory of 1424	2260	Pre_Satup1_Activate.exe	28
PID 2260 wrote to memory of 1424	2260	Pre_Satup1_Activate.exe	28
PID 1424 wrote to memory of 2156	1424	cmd.exe	30
PID 1424 wrote to memory of 2156	1424	cmd.exe	30
PID 1424 wrote to memory of 2156	1424	cmd.exe	30
PID 1424 wrote to memory of 2156	1424	cmd.exe	30
PID 2156 wrote to memory of 2416	2156	cmd.exe	31
PID 2156 wrote to memory of 2416	2156	cmd.exe	31
PID 2156 wrote to memory of 2416	2156	cmd.exe	31
PID 2156 wrote to memory of 2416	2156	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\Pre_Satup1_Activate.exe
"C:\Users\Admin\AppData\Local\Temp\Pre_Satup1_Activate.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd /k cmd < Childhood & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell get-process avastui
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2416

C:\Users\Admin\AppData\Local\Temp\924\Childhood

Filesize
13KB

MD5
4247653db82d81645c04ee8f612d05b7

SHA1
2f3afb842618e52a0f8bac6d7e8cfb2fa42e91a7

SHA256
df9b5274ee9c66fa4d4551e7d66395943994dc860741eb94a51d3063a85bb841

SHA512
e7eb936c2e4e2d7e3472696a8ed617958f66698deef0effe6737e95851b8d3176ff47ba684ec7bf985328f1688da6476052a87a535a0d9c644a73692fecb0b9e

Download Submit
memory/2260-53-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2260-71-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2416-67-0x0000000073AE0000-0x000000007408B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-69-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2416-68-0x0000000073AE0000-0x000000007408B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-70-0x0000000073AE0000-0x000000007408B000-memory.dmp

Filesize
5.7MB

Download