ebb59161759ac7e1a5c5b58f4eac53013778d1d39a5be4979c099a80c7f0bc55

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 18:09

Target

archive/appsremote/qwebp.dll
Size

325KB
MD5

f859ecc883476fe2c649cefbbd7e6f94
SHA1

9900468c306061409e9aa1953d7d6a0d05505de8
SHA256

b057c49c23c6ebe92e377b573723d9b349a6ede50cfd3b86573b565bf4a2ae0b
SHA512

67af11fb9c81a7e91be747b2d74e81e8fe653ef82f049b652c7892c4ec4cafeba76b54a976616cbf1cd6b83f0abe060e82e46bf37f3ed841d595c4318d6fd73b
SSDEEP

6144:9weI6fmBFAShI2q3S/fSEdZtE4k/7a0Ku0rhfaTalQbKb9PjArMxcCUZvbo:99mB6ShI2ViuZtErz10AAQhi

Score

1^/10

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4288	5072	rundll32.exe	84
PID 5072 wrote to memory of 4288	5072	rundll32.exe	84
PID 5072 wrote to memory of 4288	5072	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\archive\appsremote\qwebp.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\archive\appsremote\qwebp.dll,#1
  2⤵
  PID:4288