f1b07c98ccfa8141e68aa3736a3db120d5e19828bdde7b01b151596449b23241

Analysis

max time kernel
144s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 16:12

Target

jli.dll
Size

29.8MB
MD5

dbf0e80807ecbb72c05600f1b0a8c52e
SHA1

37a0bac28f6e88d972e3fc4e45d9226959d6f5f6
SHA256

08bbb333532b9c1a045337343f92517721a90e1d03aab1fcd4830b986758fc8c
SHA512

c959caea8ba174558f990ca61d1e692a7eb97c8faf41a1e82dd0216797b4991cb0acf166c85ee764f302cd3f874ac2b25ea00e5bd7b76f79b26079d1db2655c9
SSDEEP

196608:g9r1VSx657ZURMOgsDxOZQwNH9QkDdfvpn:gLVSAutgskhHSiXZ

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2016 4828 WerFault.exe rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeManageVolumePrivilege 5084 svchost.exe

pid	pid_target	process	target process
2016	4828	WerFault.exe	rundll32.exe

description	pid	process
Token: SeManageVolumePrivilege	5084	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4696 wrote to memory of 4828	4696	rundll32.exe	rundll32.exe
PID 4696 wrote to memory of 4828	4696	rundll32.exe	rundll32.exe
PID 4696 wrote to memory of 4828	4696	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jli.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jli.dll,#1
2⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 628
3⤵
- Program crash
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4828 -ip 4828
1⤵
PID:4120

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5084

memory/4828-0-0x00000000730B0000-0x0000000074E86000-memory.dmp

Filesize
29.8MB

Download
memory/5084-1-0x0000020258490000-0x00000202584A0000-memory.dmp

Filesize
64KB

Download
memory/5084-17-0x0000020258590000-0x00000202585A0000-memory.dmp

Filesize
64KB

Download
memory/5084-33-0x0000020260900000-0x0000020260901000-memory.dmp

Filesize
4KB

Download
memory/5084-35-0x0000020260930000-0x0000020260931000-memory.dmp

Filesize
4KB

Download
memory/5084-36-0x0000020260930000-0x0000020260931000-memory.dmp

Filesize
4KB

Download
memory/5084-37-0x0000020260A40000-0x0000020260A41000-memory.dmp

Filesize
4KB

Download