c88f8d086be8dd345babad15c76490ef889af7eaecb015f3107ff039f0ed5f2d

Analysis

Target

c88f8d086be8dd345babad15c76490ef889af7eaecb015f3107ff039f0ed5f2d.dll
Size

68KB
MD5

5f5aed43a3ee55f2727f1c1470a6db32
SHA1

7574a3cb7c27bd548e93309b0401e7ce48d22d76
SHA256

c88f8d086be8dd345babad15c76490ef889af7eaecb015f3107ff039f0ed5f2d
SHA512

a3912fb654538c73c57c9a60b8a67e60b2446f1c5824d068613722a576bdcd26ef8ea121ffb4831b140049cecafd49e6879426dab7312c9e7a7283e9ebd4ae7f

Score

10^/10

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3276 created 676	3276	WerFault.exe	68

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3276	676	WerFault.exe	68

Suspicious behavior: EnumeratesProcesses 12 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 676	3156	rundll32.exe	68
PID 3156 wrote to memory of 676	3156	rundll32.exe	68
PID 3156 wrote to memory of 676	3156	rundll32.exe	68

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c88f8d086be8dd345babad15c76490ef889af7eaecb015f3107ff039f0ed5f2d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c88f8d086be8dd345babad15c76490ef889af7eaecb015f3107ff039f0ed5f2d.dll,#1
  2⤵
  PID:676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 580
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3276