74cfa252e69c230f4d698eb2fd781b3b7c17231b1f4afccfcc23ffa5d3b2f467

Analysis

Target

update.dll
Size

277KB
MD5

902dfdda85be4ce700a786274bc6adc0
SHA1

9d995cf6952809eb2ebd4c4333bafeedd73bb1f0
SHA256

74cfa252e69c230f4d698eb2fd781b3b7c17231b1f4afccfcc23ffa5d3b2f467
SHA512

713976be2f355f35146c4370b6db2f88805d33de418e6376f25c6d5594db576ad07558263638ac5a40b6f6aea397031604c15b23bd13bce9d365e2a12b3a41e3

Score

3^/10

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 584	428	rundll32.exe	66
PID 428 wrote to memory of 584	428	rundll32.exe	66
PID 428 wrote to memory of 584	428	rundll32.exe	66

Program crash 1 IoCs

pid	pid_target	Process	procid_target
904	584	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious behavior: EnumeratesProcesses 13 IoCs

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\update.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:428
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\update.dll,#1
  2⤵
  PID:584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 616
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:904

memory/904-1-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/904-4-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download