36db6b770f31550863d3569c12d828ac698ced0f9cf160e4e58ee6fe45908782

Analysis

max time kernel
42s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 09:15

Target

36db6b770f31550863d3569c12d828ac698ced0f9cf160e4e58ee6fe45908782.dll
Size

32KB
MD5

1e633bf03b148230ec615f7ed20ef180
SHA1

5dae6ed4686ba9b87457024b68293c25c7b84780
SHA256

36db6b770f31550863d3569c12d828ac698ced0f9cf160e4e58ee6fe45908782
SHA512

de4cabf96bc409c276d688c9fea143495129dba7859bad308359361a81656e95e3ce9b6ce1998ae02bdda9ca72e4ef7b410f0c32a11f83f1102abd34457ff44f
SSDEEP

384:Iqxmg+IkGK842Z/1yqLoa25nOHj1FvMe4lGyi7:IemgPFK842Z/1yOoRFOHj1FvMe4lGyo

Score

1^/10

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
956	Rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
956	Rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 888	904	regsvr32.exe	27
PID 904 wrote to memory of 888	904	regsvr32.exe	27
PID 904 wrote to memory of 888	904	regsvr32.exe	27
PID 904 wrote to memory of 888	904	regsvr32.exe	27
PID 904 wrote to memory of 888	904	regsvr32.exe	27
PID 904 wrote to memory of 888	904	regsvr32.exe	27
PID 904 wrote to memory of 888	904	regsvr32.exe	27
PID 888 wrote to memory of 956	888	regsvr32.exe	28
PID 888 wrote to memory of 956	888	regsvr32.exe	28
PID 888 wrote to memory of 956	888	regsvr32.exe	28
PID 888 wrote to memory of 956	888	regsvr32.exe	28
PID 888 wrote to memory of 956	888	regsvr32.exe	28
PID 888 wrote to memory of 956	888	regsvr32.exe	28
PID 888 wrote to memory of 956	888	regsvr32.exe	28

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\36db6b770f31550863d3569c12d828ac698ced0f9cf160e4e58ee6fe45908782.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\36db6b770f31550863d3569c12d828ac698ced0f9cf160e4e58ee6fe45908782.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\Rundll32.exe
    C:\Windows\system32\Rundll32.exe C:\Users\Admin\AppData\Local\Temp\36db6b770f31550863d3569c12d828ac698ced0f9cf160e4e58ee6fe45908782.dll,DllUnregisterServer
    3⤵
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:956

memory/888-56-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/904-54-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp

Filesize
8KB

Download