44624e009d92d8a1426de757355fb3428ad9e5972ac9e05e46777046858ab003

Analysis

max time kernel
29s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:50

Target

44624e009d92d8a1426de757355fb3428ad9e5972ac9e05e46777046858ab003.dll
Size

204KB
MD5

1670f783fc5bc7d5b5f38f0a17a71b08
SHA1

1c5bd36b21a7729b5de7e6ac43ae3d7b6f0006b7
SHA256

44624e009d92d8a1426de757355fb3428ad9e5972ac9e05e46777046858ab003
SHA512

dce76bd1f7eb20e78519f0aeee6a703953be67bfbbeeefb3db8433803ba0185553ff830f6d1a457921b4d5123fff07a166e2360b4c2aa6973ed011fa7ed4473d
SSDEEP

6144:FJNZKQMkmsRMYCrAenKhvRiDixaZP31uE:rNZftV2HrAeKhsu0Ph

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1340 1536 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1340	1536	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1536	1520	rundll32.exe	rundll32.exe
PID 1536 wrote to memory of 1340	1536	rundll32.exe	WerFault.exe
PID 1536 wrote to memory of 1340	1536	rundll32.exe	WerFault.exe
PID 1536 wrote to memory of 1340	1536	rundll32.exe	WerFault.exe
PID 1536 wrote to memory of 1340	1536	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44624e009d92d8a1426de757355fb3428ad9e5972ac9e05e46777046858ab003.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\44624e009d92d8a1426de757355fb3428ad9e5972ac9e05e46777046858ab003.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 240
    3⤵
    - Program crash
    PID:1340

memory/1340-57-0x0000000000000000-mapping.dmp

Download
memory/1536-54-0x0000000000000000-mapping.dmp

Download
memory/1536-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1536-56-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/1536-58-0x0000000010000000-0x0000000010035000-memory.dmp

Filesize
212KB

Download
memory/1536-59-0x0000000000120000-0x0000000000144000-memory.dmp

Filesize
144KB

Download