ef3518c1b27e2a7ac50a9a919cdd5e09a4eb72148a8325dd97cf84a60f32c6e4

Analysis

max time kernel
122s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 13:09

Target

ef3518c1b27e2a7ac50a9a919cdd5e09a4eb72148a8325dd97cf84a60f32c6e4.dll
Size

48KB
MD5

6aebeece5101f90896ff5aabd17f98f9
SHA1

070a5c2abd10effbd52ee6a4d2a3b3c202119334
SHA256

ef3518c1b27e2a7ac50a9a919cdd5e09a4eb72148a8325dd97cf84a60f32c6e4
SHA512

bb78927d68eedb2815a8902dcc872664335970bd7c414f3f9f0e187f30d56f29ac97e616c85dc37e24f5c6c941552c444e54e9cb359d999219c235d4b875ce5f
SSDEEP

768:5JqFgOvH6CISzuKvcLXs8AGPoIfNfvI0mOYbZVou9y2JuUQ37ty8G:5gCSTcL8uPoIVfvT/60ZdU8

Score

1^/10

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4632	Rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4632	Rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1224	872	regsvr32.exe	80
PID 872 wrote to memory of 1224	872	regsvr32.exe	80
PID 872 wrote to memory of 1224	872	regsvr32.exe	80
PID 1224 wrote to memory of 4632	1224	regsvr32.exe	81
PID 1224 wrote to memory of 4632	1224	regsvr32.exe	81
PID 1224 wrote to memory of 4632	1224	regsvr32.exe	81

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ef3518c1b27e2a7ac50a9a919cdd5e09a4eb72148a8325dd97cf84a60f32c6e4.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\ef3518c1b27e2a7ac50a9a919cdd5e09a4eb72148a8325dd97cf84a60f32c6e4.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\Rundll32.exe
    C:\Windows\system32\Rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef3518c1b27e2a7ac50a9a919cdd5e09a4eb72148a8325dd97cf84a60f32c6e4.dll,DllUnregisterServer
    3⤵
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4632