8bb79293e59e4fbd16f770848d90c6958c4f37b945e2c18d3739bbe7520f33a3

Analysis

max time kernel
136s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 10:53

Target

DevIL.dll
Size

715KB
MD5

0acecf404b56a55034b250214c8bb643
SHA1

0f492a0d0060b65a8aa72786012654446bca5414
SHA256

9f7cb3667692e669c017e71cff34a4047c191b0a243e093bc6004e482df9bcf8
SHA512

0ba838f08111d1071480c522e34d2572587c0f293523c5c11a0d5dab0fb50f7e84dd51d647ee1dc7e175d9cc505276650183c0ea3adc8e1c4377b91732e17e27
SSDEEP

12288:HLTaZaewq5fH4FwaRXPwGgCaShoknPysfsntz7JY83IGooN47k8TsFXyvn:HLOaewq5f4FwYPwG6sfsnRJY83IfoN4B

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4856	5016	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 5016	1556	rundll32.exe	83
PID 1556 wrote to memory of 5016	1556	rundll32.exe	83
PID 1556 wrote to memory of 5016	1556	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DevIL.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\DevIL.dll,#1
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 600
    3⤵
    - Program crash
    PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5016 -ip 5016
1⤵
PID:4040