93fd40d9f5a114848582efbe45cc9a4fb99d5c7d6d12eed483746d57af630023

Analysis

max time kernel
59s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2023, 22:14

Target

93fd40d9f5a114848582efbe45cc9a4fb99d5c7d6d12eed483746d57af630023.dll
Size

4.2MB
MD5

5a81f46207a4fef5234e09e2a78a4649
SHA1

ba041b6eb182011f2445173e00e5b156732ba3f3
SHA256

93fd40d9f5a114848582efbe45cc9a4fb99d5c7d6d12eed483746d57af630023
SHA512

297ac0d44f689e30bbb3d1b6b36ba95d7e414f6bd78984c4ec20fdcd3292336b6f1440ddffa96769828db46cb6be51156aa1482e1d39befeb2c8e7a8bb73ee84
SSDEEP

49152:p7iVyVitHeP90SLzMkzvnCz+AZnH9FUTrrJ4BR8yLWwCriMkHmeJgqXb7VqSTBok:g4VC+P9ykxaC31e0ZeJgqX

Score

1^/10

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}\ = "中文(简体) - 2345王牌拼音输入法"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\93fd40d9f5a114848582efbe45cc9a4fb99d5c7d6d12eed483746d57af630023.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0055AAB0-EACB-46DB-9BB4-1B97FC046D02}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 3404	4444	regsvr32.exe	85
PID 4444 wrote to memory of 3404	4444	regsvr32.exe	85
PID 4444 wrote to memory of 3404	4444	regsvr32.exe	85

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\93fd40d9f5a114848582efbe45cc9a4fb99d5c7d6d12eed483746d57af630023.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\93fd40d9f5a114848582efbe45cc9a4fb99d5c7d6d12eed483746d57af630023.dll
  2⤵
  - Modifies registry class
  PID:3404