06521c5730af4efc5e8c6d9517e6da154bc653131dc22af44271d740b45ae7eb

Analysis

Target

yhhljgxudqeyowcinyde44154280653/sqlite3.dll
Size

910KB
MD5

def2572ccae7f518bd9d30f37b2fed04
SHA1

eaec1754a69c50eac99e774b07ef156a1ca6de06
SHA256

b712286d4d36c74fa32127f848b79cfb857fdc2b1c84bbbee285cf34752443a2
SHA512

f6183e6b7989cfc342f28074e0c79223765a5995e04e5e1e9d2c6edd12837bf5a825a0800f2941c3c7eedc37258052fd72fd7f1421d88c426666a30b4436aa4a

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
648	2032	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
648	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	648	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 2032	964	rundll32.exe	27
PID 964 wrote to memory of 2032	964	rundll32.exe	27
PID 964 wrote to memory of 2032	964	rundll32.exe	27
PID 964 wrote to memory of 2032	964	rundll32.exe	27
PID 964 wrote to memory of 2032	964	rundll32.exe	27
PID 964 wrote to memory of 2032	964	rundll32.exe	27
PID 964 wrote to memory of 2032	964	rundll32.exe	27
PID 2032 wrote to memory of 648	2032	rundll32.exe	28
PID 2032 wrote to memory of 648	2032	rundll32.exe	28
PID 2032 wrote to memory of 648	2032	rundll32.exe	28
PID 2032 wrote to memory of 648	2032	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\yhhljgxudqeyowcinyde44154280653\sqlite3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\yhhljgxudqeyowcinyde44154280653\sqlite3.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 228
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:648

memory/648-56-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2032-54-0x0000000076C91000-0x0000000076C93000-memory.dmp

Filesize
8KB

Download