04c9a8ab43d1eb616b84d0686c8ae1d881ef03fe4f3aa26511e5b19d35ef16af

Analysis

Target

jna4751840382602025308.dll
Size

203KB
MD5

28d895a3cb7e9a0b6a5ae5ed6a62b254
SHA1

703d8604a8d04d29c52c0ebcde1e86f3bc8ff824
SHA256

04c9a8ab43d1eb616b84d0686c8ae1d881ef03fe4f3aa26511e5b19d35ef16af
SHA512

c917334ba893313f6062143a25187a313a973b41696c8e446d4d90f7483963f5134cafe65c86b212815981a9af27b1ada7feb2c9194a3b234c5817fb54d4e531

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1584 1820 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1584 WerFault.exe
1584 WerFault.exe
1584 WerFault.exe
1584 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1584 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1584 WerFault.exe

pid	pid_target	process	target process
1584	1820	WerFault.exe	rundll32.exe

pid	process
1584	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1584	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1828 wrote to memory of 1820	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 1820	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 1820	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 1820	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 1820	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 1820	1828	rundll32.exe	rundll32.exe
PID 1828 wrote to memory of 1820	1828	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 1584	1820	rundll32.exe	WerFault.exe
PID 1820 wrote to memory of 1584	1820	rundll32.exe	WerFault.exe
PID 1820 wrote to memory of 1584	1820	rundll32.exe	WerFault.exe
PID 1820 wrote to memory of 1584	1820	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jna4751840382602025308.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\jna4751840382602025308.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1820

memory/1584-62-0x0000000000000000-mapping.dmp

Download
memory/1584-63-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1820-60-0x0000000000000000-mapping.dmp

Download
memory/1820-61-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download