793f3bb471b4a6feab33d17276de4bae85142561764b12ac5342c419c57baf5f

Analysis

max time kernel
14s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 07:24

Target

793f3bb471b4a6feab33d17276de4bae85142561764b12ac5342c419c57baf5f.exe
Size

1.7MB
MD5

f332a5f319a2b3ba21115c2f9f618f6e
SHA1

856a0097811e371eacb2d525ce7f7a5b37df49c8
SHA256

793f3bb471b4a6feab33d17276de4bae85142561764b12ac5342c419c57baf5f
SHA512

f5a744dae8f45ed1b9bc9f6e442833471557716ca0e4ae8dbdd8dc14520d517bf5c9aa6e0ad2066241f4bbfcc16362c81bb8e0b0bca74403115492310b0d300c
SSDEEP

49152:ylY613sTH8v7a2v/ghy6tCyvHpzxEXNV6lkqfu3:yl9Hgk6tvvH1m8u3

Score

1^/10

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1484	952	793f3bb471b4a6feab33d17276de4bae85142561764b12ac5342c419c57baf5f.exe	28
PID 952 wrote to memory of 1484	952	793f3bb471b4a6feab33d17276de4bae85142561764b12ac5342c419c57baf5f.exe	28
PID 952 wrote to memory of 1484	952	793f3bb471b4a6feab33d17276de4bae85142561764b12ac5342c419c57baf5f.exe	28
PID 952 wrote to memory of 1484	952	793f3bb471b4a6feab33d17276de4bae85142561764b12ac5342c419c57baf5f.exe	28
PID 952 wrote to memory of 1484	952	793f3bb471b4a6feab33d17276de4bae85142561764b12ac5342c419c57baf5f.exe	28
PID 952 wrote to memory of 1484	952	793f3bb471b4a6feab33d17276de4bae85142561764b12ac5342c419c57baf5f.exe	28
PID 952 wrote to memory of 1484	952	793f3bb471b4a6feab33d17276de4bae85142561764b12ac5342c419c57baf5f.exe	28
PID 1484 wrote to memory of 820	1484	Net.exe	30
PID 1484 wrote to memory of 820	1484	Net.exe	30
PID 1484 wrote to memory of 820	1484	Net.exe	30
PID 1484 wrote to memory of 820	1484	Net.exe	30
PID 1484 wrote to memory of 820	1484	Net.exe	30
PID 1484 wrote to memory of 820	1484	Net.exe	30
PID 1484 wrote to memory of 820	1484	Net.exe	30

C:\Users\Admin\AppData\Local\Temp\793f3bb471b4a6feab33d17276de4bae85142561764b12ac5342c419c57baf5f.exe
"C:\Users\Admin\AppData\Local\Temp\793f3bb471b4a6feab33d17276de4bae85142561764b12ac5342c419c57baf5f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\SysWOW64\Net.exe
  Net Stop PcaSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop PcaSvc
    3⤵
    PID:820

memory/952-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download