dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4

Analysis

Target

dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4.dll
Size

159KB
MD5

e3dace173ded785a9af4a9007587eec6
SHA1

2b746a247ef14585e9102336939e341f62cc6b67
SHA256

dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4
SHA512

da3c9481438b4373c328904aac1ed64a1d20c02a558573543b36fc35a1f296664b518243fe4431b8b19c85678271cc0e7215aae7dd3769d998a45297dccb3b25

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2504	4004	WerFault.exe	70

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 4004	656	rundll32.exe	70
PID 656 wrote to memory of 4004	656	rundll32.exe	70
PID 656 wrote to memory of 4004	656	rundll32.exe	70

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4.dll,#1
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 616
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2504