1cdad75e7830e4ae946bb26c15be354676820710c2471d9ea6d24926fc0df86f

General

Target

0fa38d62e10a8aae27e6624c29e94dc0.dll
Size

1.2MB
MD5

0fa38d62e10a8aae27e6624c29e94dc0
SHA1

38eacb884c084f9e455e6e32002661a95bb7e4f5
SHA256

1cdad75e7830e4ae946bb26c15be354676820710c2471d9ea6d24926fc0df86f
SHA512

bb283a71face353a3cec670442ddef2b8eab5fcfe1d0893c7ed195880356f4181f1b56854a54e95174b518db7c72fa9e094954e81fa10149c6cfb3424b650419

Score

1^/10

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

regsvr32.exeexplorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

1060 regsvr32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	regsvr32.exe
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	regsvr32.exe
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	regsvr32.exe
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	regsvr32.exe
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	regsvr32.exe
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	regsvr32.exe
PID 1920 wrote to memory of 1060	1920	regsvr32.exe	regsvr32.exe
PID 1060 wrote to memory of 616	1060	regsvr32.exe	explorer.exe
PID 1060 wrote to memory of 616	1060	regsvr32.exe	explorer.exe
PID 1060 wrote to memory of 616	1060	regsvr32.exe	explorer.exe
PID 1060 wrote to memory of 616	1060	regsvr32.exe	explorer.exe
PID 1060 wrote to memory of 616	1060	regsvr32.exe	explorer.exe
PID 1060 wrote to memory of 616	1060	regsvr32.exe	explorer.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fa38d62e10a8aae27e6624c29e94dc0.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\0fa38d62e10a8aae27e6624c29e94dc0.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:616

memory/616-63-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/616-65-0x0000000000000000-mapping.dmp

Download
memory/616-67-0x00000000749A1000-0x00000000749A3000-memory.dmp

Filesize
8KB

Download
memory/616-68-0x0000000000140000-0x00000000001CF000-memory.dmp

Filesize
572KB

Download
memory/1060-55-0x0000000000000000-mapping.dmp

Download
memory/1060-56-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1060-57-0x0000000010000000-0x000000001008F000-memory.dmp

Filesize
572KB

Download
memory/1920-54-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download