dea0b318ee9e32956ce033f216a072d6112b39dab20c5616d157ce524b38b994

Analysis

Target

dea0b318ee9e32956ce033f216a072d6112b39dab20c5616d157ce524b38b994.dll
Size

64KB
MD5

d7871e818a404134fcd16f5e976f8fd3
SHA1

3bba35f05b2077d6fe62950957b00e90ac85359a
SHA256

dea0b318ee9e32956ce033f216a072d6112b39dab20c5616d157ce524b38b994
SHA512

f380a3009123fa979e7847a5c3318454b8fc5de12a7d9a18671cf463b3933000f48332091ca89005018bad460e2200905985655a7622f7542c771858cbd2fadf

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1660 1820 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1660 WerFault.exe
1660 WerFault.exe
1660 WerFault.exe
1660 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1660 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1660 WerFault.exe

pid	pid_target	process	target process
1660	1820	WerFault.exe	rundll32.exe

pid	process
1660	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1660	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 524 wrote to memory of 1820	524	rundll32.exe	rundll32.exe
PID 524 wrote to memory of 1820	524	rundll32.exe	rundll32.exe
PID 524 wrote to memory of 1820	524	rundll32.exe	rundll32.exe
PID 524 wrote to memory of 1820	524	rundll32.exe	rundll32.exe
PID 524 wrote to memory of 1820	524	rundll32.exe	rundll32.exe
PID 524 wrote to memory of 1820	524	rundll32.exe	rundll32.exe
PID 524 wrote to memory of 1820	524	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 1660	1820	rundll32.exe	WerFault.exe
PID 1820 wrote to memory of 1660	1820	rundll32.exe	WerFault.exe
PID 1820 wrote to memory of 1660	1820	rundll32.exe	WerFault.exe
PID 1820 wrote to memory of 1660	1820	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dea0b318ee9e32956ce033f216a072d6112b39dab20c5616d157ce524b38b994.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dea0b318ee9e32956ce033f216a072d6112b39dab20c5616d157ce524b38b994.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1820

memory/1660-56-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1820-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download