527d187202eb82012fd6a1c443a0907384728290f2484cb8e876c938d67b7e2d

Analysis

max time kernel
256s
max time network
330s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 09:09

Target

527d187202eb82012fd6a1c443a0907384728290f2484cb8e876c938d67b7e2d.dll
Size

48KB
MD5

c59c12fc60e614ed53ccb5132bdcec0d
SHA1

cbcfef41561b3e74c98b1bef651a1bf6f3fb61d8
SHA256

527d187202eb82012fd6a1c443a0907384728290f2484cb8e876c938d67b7e2d
SHA512

2009cc1f706ff6bc00bde83dee5d620047f05652b980d13a7823d2785dcac190b7741859be4b61f13ad83cebfbf0da1ebf12ce065a8af62b2d066f8bea7852d0
SSDEEP

768:FyH0gt8aCkMTeE6B+f/9xHbIWYzfZR6BKMFDtWpHxd8A9cxYMu9EDlIu6KwvjcEB:5gt8aCkWHD94OMstie8ELu9EDlIuPucJ

Score

1^/10

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\_QUÞÚz\ = "YØ()L{Ø¨=ž1\x1b"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P€ ^	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P€ ^\6¨#z˜¨'’/ wŠ×I…+Y9×„UÕvi1ž:w¸Çš? = "'’/\r\x1awŠ×I…+\x05Y9×„UÕvi1ž:\x12\fw¸Ç\x0eš?\x1f\n\x0e"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P€ ^\ = "1ˆ;\x1e$b’È.™9\x15l"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P€ ^\ = "\x11Œ&\x03\x13}€Ÿ\x06ˆ.@] Ú\u0081b"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\(¡,=DÏË7¤w‰ëŸ=	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\(¡,=DÏË7¤w‰ëŸ=\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\527d187202eb82012fd6a1c443a0907384728290f2484cb8e876c938d67b7e2d.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\_QUÞÚz	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2660	1588	regsvr32.exe	80
PID 1588 wrote to memory of 2660	1588	regsvr32.exe	80
PID 1588 wrote to memory of 2660	1588	regsvr32.exe	80

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\527d187202eb82012fd6a1c443a0907384728290f2484cb8e876c938d67b7e2d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\527d187202eb82012fd6a1c443a0907384728290f2484cb8e876c938d67b7e2d.dll
  2⤵
  - Modifies registry class
  PID:2660