ff084a610d5595988a38e6ae26a28a977396ac8ce9d528195311db6861fa0f74

Analysis

max time kernel
9s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 21:28

Target

1748-58-0x0000000075210000-0x0000000075303000-memory.dll
Size

972KB
MD5

c70800a83b069ea5444593148667c061
SHA1

5c522f78466b2b36380333df9a4305eb7bd2c19c
SHA256

ff084a610d5595988a38e6ae26a28a977396ac8ce9d528195311db6861fa0f74
SHA512

d19d37efa7a89bcb5a7b447d968beadaf704bbee1f92377399f63eb780ce56e22a66fa767b4d2cbd00aa02af4f870edc9df21bd64643afb5424f3b0748cb2916
SSDEEP

24576:4dabTOPeogLtdk25qMKvb/o2ggJcW2QRqV:MKToeLDk251KvjjXJciqV

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1900 912 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1900	912	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1124 wrote to memory of 912	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 912	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 912	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 912	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 912	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 912	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 912	1124	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1900	912	rundll32.exe	WerFault.exe
PID 912 wrote to memory of 1900	912	rundll32.exe	WerFault.exe
PID 912 wrote to memory of 1900	912	rundll32.exe	WerFault.exe
PID 912 wrote to memory of 1900	912	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1748-58-0x0000000075210000-0x0000000075303000-memory.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1748-58-0x0000000075210000-0x0000000075303000-memory.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 196
3⤵
- Program crash
PID:1900

memory/912-54-0x0000000000000000-mapping.dmp

Download
memory/912-55-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1900-56-0x0000000000000000-mapping.dmp

Download