24187dd5b4f24a5e3ec8b9e69588f59f2883b839de6fd6ae282644b408a7d453

Analysis

Target

24187dd5b4f24a5e3ec8b9e69588f59f2883b839de6fd6ae282644b408a7d453.dll
Size

209KB
MD5

3f535607cca76b56fc9beb31be3088fb
SHA1

215c81780a68d5b7e5fb1ff000bc138b9c2f24bb
SHA256

24187dd5b4f24a5e3ec8b9e69588f59f2883b839de6fd6ae282644b408a7d453
SHA512

f60ef14a1c4356b50f8211abc4723aa49ef06033ce5f244c210b45825d7e2b902661b9746d607a3626a548db947c23bee247eda6e8db2d95ce8e6d5445b6fa3d

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

668 776 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

668 WerFault.exe
668 WerFault.exe
668 WerFault.exe
668 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

668 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 668 WerFault.exe

pid	pid_target	process	target process
668	776	WerFault.exe	rundll32.exe

pid	process
668	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	668	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 820 wrote to memory of 776	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 776	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 776	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 776	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 776	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 776	820	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 776	820	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 668	776	rundll32.exe	WerFault.exe
PID 776 wrote to memory of 668	776	rundll32.exe	WerFault.exe
PID 776 wrote to memory of 668	776	rundll32.exe	WerFault.exe
PID 776 wrote to memory of 668	776	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\24187dd5b4f24a5e3ec8b9e69588f59f2883b839de6fd6ae282644b408a7d453.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\24187dd5b4f24a5e3ec8b9e69588f59f2883b839de6fd6ae282644b408a7d453.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:776

memory/668-56-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/776-55-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download