9067fa96c3f7249241d50425f1198a36c6c23578f14bf501a1664a501f088d69

Resubmissions

20-07-2021 12:56

08-04-2021 17:31

Target

9067fa96c3f7249241d50425f1198a36c6c23578f14bf501a1664a501f088d69.dll
Size

140KB
MD5

e92f45e8639d751bfd6053dd9419d0b9
SHA1

794eb3a9ce8b7e5092bb1b93341a54097f5b78a9
SHA256

9067fa96c3f7249241d50425f1198a36c6c23578f14bf501a1664a501f088d69
SHA512

1387e60f5e314bd4ff52e34cdfdc4c692b81924192588ec5b583dd3d74e0f8362a83f895b45ccca9095cea35e467d190bea3c99fe98a503b9ae0c5fee90cc380

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3148	428	WerFault.exe	69

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 428	648	rundll32.exe	69
PID 648 wrote to memory of 428	648	rundll32.exe	69
PID 648 wrote to memory of 428	648	rundll32.exe	69

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9067fa96c3f7249241d50425f1198a36c6c23578f14bf501a1664a501f088d69.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9067fa96c3f7249241d50425f1198a36c6c23578f14bf501a1664a501f088d69.dll,#1
  2⤵
  PID:428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 640
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3148