8aff3e755bfdbab3f3c06c6929ed7c98064af4560c138ac0a7a464d0ab95625e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 01:45

Target

8aff3e755bfdbab3f3c06c6929ed7c98064af4560c138ac0a7a464d0ab95625e.dll
Size

37KB
MD5

3f7fd91c78b501a7b9828328f04a3a2c
SHA1

559b4ee6e1d2e54e5c13d7c9849a83feb709ba62
SHA256

8aff3e755bfdbab3f3c06c6929ed7c98064af4560c138ac0a7a464d0ab95625e
SHA512

a7cd299dfbb361390e8173490eb5fb7dadf47e5fb9c37b95f80a51b89ccbb2a9b4adba56314010b9e2c003312fbf2b3957c69df247c124677a9a732ec04cc372
SSDEEP

768:SpttgI3lDitWDX1x21xma6WA9d03TuJXIBX/hNH:Sxbue1x2qabA9doR

Score

1^/10

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4376	4900	rundll32.exe	79
PID 4900 wrote to memory of 4376	4900	rundll32.exe	79
PID 4900 wrote to memory of 4376	4900	rundll32.exe	79
PID 4376 wrote to memory of 2116	4376	rundll32.exe	80
PID 4376 wrote to memory of 2116	4376	rundll32.exe	80
PID 4376 wrote to memory of 2116	4376	rundll32.exe	80
PID 2116 wrote to memory of 3416	2116	net.exe	82
PID 2116 wrote to memory of 3416	2116	net.exe	82
PID 2116 wrote to memory of 3416	2116	net.exe	82
PID 4376 wrote to memory of 1268	4376	rundll32.exe	83
PID 4376 wrote to memory of 1268	4376	rundll32.exe	83
PID 4376 wrote to memory of 1268	4376	rundll32.exe	83
PID 1268 wrote to memory of 1528	1268	net.exe	85
PID 1268 wrote to memory of 1528	1268	net.exe	85
PID 1268 wrote to memory of 1528	1268	net.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8aff3e755bfdbab3f3c06c6929ed7c98064af4560c138ac0a7a464d0ab95625e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8aff3e755bfdbab3f3c06c6929ed7c98064af4560c138ac0a7a464d0ab95625e.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\net.exe
    net stop winss
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winss
      4⤵
      PID:3416
- - C:\Windows\SysWOW64\net.exe
    net stop OcHealthMon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop OcHealthMon
      4⤵
      PID:1528

memory/4376-133-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download