d1d3cf433e871d3aa6836ddb87578cbf494603f6f4a8918f36aea5816c6ce5e0

Analysis

Target

d1d3cf433e871d3aa6836ddb87578cbf494603f6f4a8918f36aea5816c6ce5e0.dll
Size

135KB
MD5

2512bc611f3477627381e7b69fd3dfc0
SHA1

4de71f730b57d672c3ccc9a655fd9e347b5462f9
SHA256

d1d3cf433e871d3aa6836ddb87578cbf494603f6f4a8918f36aea5816c6ce5e0
SHA512

ec71f2e14f38fd1aa8956ff38417cefbbebf35d2b79f70ac242f946cc7870a99c06329ee142a7fdc6c47e7ba27461065db38747eacf309b265d495c8e9b032f7

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1728	1492	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 5 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1728	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 1492	332	rundll32.exe	27
PID 332 wrote to memory of 1492	332	rundll32.exe	27
PID 332 wrote to memory of 1492	332	rundll32.exe	27
PID 332 wrote to memory of 1492	332	rundll32.exe	27
PID 332 wrote to memory of 1492	332	rundll32.exe	27
PID 332 wrote to memory of 1492	332	rundll32.exe	27
PID 332 wrote to memory of 1492	332	rundll32.exe	27
PID 1492 wrote to memory of 1728	1492	rundll32.exe	29
PID 1492 wrote to memory of 1728	1492	rundll32.exe	29
PID 1492 wrote to memory of 1728	1492	rundll32.exe	29
PID 1492 wrote to memory of 1728	1492	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1d3cf433e871d3aa6836ddb87578cbf494603f6f4a8918f36aea5816c6ce5e0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:332
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1d3cf433e871d3aa6836ddb87578cbf494603f6f4a8918f36aea5816c6ce5e0.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 224
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1728

memory/1492-60-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1728-63-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download