87bcd92058ddcd970e40a11bf033409a0972946386a53839e40861e538eefcae

Analysis

Target

87bcd92058ddcd970e40a11bf033409a0972946386a53839e40861e538eefcae.dll
Size

256KB
MD5

41a3192e33329a122df8bcc6f2f35780
SHA1

c882a982d0378b8ae90b17b67eed462ee3bb5688
SHA256

87bcd92058ddcd970e40a11bf033409a0972946386a53839e40861e538eefcae
SHA512

50849a2130ec0a89a29b7e379ff469d4b8643305d02a98fb42c5c6a52aacabc7c3bccbcbceba2871360b1c263a0a7a082b696002a850e48aecaff91bca1f202e

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1332 1032 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1332 WerFault.exe
1332 WerFault.exe
1332 WerFault.exe
1332 WerFault.exe
1332 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1332 WerFault.exe

pid	pid_target	process	target process
1332	1032	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1332	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1032 wrote to memory of 1332	1032	rundll32.exe	WerFault.exe
PID 1032 wrote to memory of 1332	1032	rundll32.exe	WerFault.exe
PID 1032 wrote to memory of 1332	1032	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\87bcd92058ddcd970e40a11bf033409a0972946386a53839e40861e538eefcae.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1032 -s 108
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1332

memory/1332-0-0x0000000000000000-mapping.dmp

Download
memory/1332-1-0x0000000001E80000-0x0000000001E91000-memory.dmp

Filesize
68KB

Download
memory/1332-2-0x00000000028B0000-0x00000000028C1000-memory.dmp

Filesize
68KB

Download