2a198f370ff2d9c2afbec879a0dc84d1d60f59077178c67bff6a5f4b4210be8f

Analysis

max time kernel
143s
max time network
279s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
12/01/2024, 15:30

Target

Setting File/Setting File/Ordinary model-mini keyboard English setting software(Compatible with all�.application
Size

1KB
MD5

b6f3cd560652757e337496c4508d508b
SHA1

7b59069959596d618ee13ccbae298dcae31d6a09
SHA256

97cd26aa5c1a24e8e15f787fccf8df2536cc5a61bb1b7a8371263f3d229d5a92
SHA512

9b8165dd51dd98bef0f84779742d274a92496d378b60191926e87a11a41cc076784dc5d47daf463c07c49af6b2777961493a85a1283e7fea3bac94f5fcf3a38a

Score

1^/10

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 1876	1844	rundll32.exe	80
PID 1844 wrote to memory of 1876	1844	rundll32.exe	80

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication "C:\Users\Admin\AppData\Local\Temp\Setting File\Setting File\Ordinary model-mini keyboard English setting software(Compatible with all�.application"
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:1876

memory/1876-0-0x0000011CE2800000-0x0000011CE2808000-memory.dmp

Filesize
32KB

Download
memory/1876-1-0x0000011CFCE70000-0x0000011CFCFF8000-memory.dmp

Filesize
1.5MB

Download
memory/1876-2-0x00007FFC59540000-0x00007FFC5A002000-memory.dmp

Filesize
10.8MB

Download
memory/1876-3-0x0000011CE2C30000-0x0000011CE2C40000-memory.dmp

Filesize
64KB

Download
memory/1876-6-0x00007FFC59540000-0x00007FFC5A002000-memory.dmp

Filesize
10.8MB

Download
memory/1876-7-0x0000011CE2C30000-0x0000011CE2C40000-memory.dmp

Filesize
64KB

Download
memory/1876-8-0x0000011CE2C30000-0x0000011CE2C40000-memory.dmp

Filesize
64KB

Download