9efec1ccc32904269a947610a020fc6e60524d07290f8c71b90c658a683aa4c1

Analysis

max time kernel
133s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 05:21

Target

鿴/GetUserPassWord.dll
Size

120KB
MD5

a1c63e706705a141ceb958b58c808ef0
SHA1

bf3ddcc9804d6422d7e7a2ea4a8c7679cdb62208
SHA256

4051356f6966dafc85f5a327271cbd105161bb1e0b8b9ff392f44d450c9bbd9e
SHA512

d3bfb35d1ca3b3e0d9f525ed7b001416ad7ae8120b90d876845ded331a9fb76360a615abc41c177d4db23d62da618cb98841ed017f2283c6b633b3a3aa698d31
SSDEEP

1536:ySDV52V7HTLTrksPfteRIU+CWNWJQq5oxniBMWqOLeBnWP8oIcKBrJoybDg+Fg:y+5Es809rWAho5iBsdoIcOrOybzFg

Score

1^/10

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1964	2564	rundll32.exe	79
PID 2564 wrote to memory of 1964	2564	rundll32.exe	79
PID 2564 wrote to memory of 1964	2564	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\鿴\GetUserPassWord.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\鿴\GetUserPassWord.dll,#1
  2⤵
  PID:1964