c8b923b5395e23831c6e3c6d4e62811c4466fc89cb7547d779986969a6189137

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 03:34

Target

Reshade.exe
Size

6.0MB
MD5

748ae97b3d8db204a27e6949cc6c5038
SHA1

c2fcbb04f3d55e497d618f03f0c70b436f372306
SHA256

c8b923b5395e23831c6e3c6d4e62811c4466fc89cb7547d779986969a6189137
SHA512

722f66f43cd1c25a70e87ad7da5e020d6797612f4293987565a1b3621ac8a9ac67cce6c12320651444f3485cb7d0d0eea933663f79b8061b51bf0031afde0409
SSDEEP

98304:MHIu4+Dc0dprjamaHl3Ne4i3gDUZnhhM7M+yvFaW9cIzaF6ARwDtyDe2HQMbm3Uu:Mop+DXMeNoInY7/sHfbRy9LbmW7Te

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
3012	Reshade.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x000500000001a41d-21.dat	upx
behavioral1/memory/3012-23-0x000007FEF5F00000-0x000007FEF636E000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 3012	2368	Reshade.exe	30
PID 2368 wrote to memory of 3012	2368	Reshade.exe	30
PID 2368 wrote to memory of 3012	2368	Reshade.exe	30

C:\Users\Admin\AppData\Local\Temp\Reshade.exe
"C:\Users\Admin\AppData\Local\Temp\Reshade.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\Reshade.exe
  "C:\Users\Admin\AppData\Local\Temp\Reshade.exe"
  2⤵
  - Loads dropped DLL
  PID:3012

C:\Users\Admin\AppData\Local\Temp\_MEI23682\python310.dll

Filesize
1.4MB

MD5
01988415e8fb076dcb4a0d0639b680d9

SHA1
91b40cffcfc892924ed59dc0664c527ff9d3f69c

SHA256
b101db1ddd659b8d8ffd8b26422fde848d5b7846e0c236f051fadb9412de6e24

SHA512
eab0c3ca4578751a671beb3da650b5e971a79798deb77472e42f43aa2bea7434ad5228a8fddbfff051ce05054dbf3422d418f42c80bc3640e0e4f43a0cf2ebbe

Download Submit
memory/3012-23-0x000007FEF5F00000-0x000007FEF636E000-memory.dmp

Filesize
4.4MB

Download