3ff83caf891a65a3c748972d4678935ed3a0b923430c0bee73d6ff4c127495e7

Analysis

max time kernel
15s
max time network
19s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
20/07/2023, 15:49

Target

rshelper.exe
Size

137KB
MD5

20dca29f7a428ee788b163119b45edac
SHA1

7a35686fe6c8730671557ad206922c6356a3859d
SHA256

3ff83caf891a65a3c748972d4678935ed3a0b923430c0bee73d6ff4c127495e7
SHA512

a3a770c1a341c34e52c81848f02a5e1851864f8ffcf192f30207c237ba9c9266dde552dc4eb5b6aff8e0346ffd974995b2628b65a37cdaeb8c031711c9128fef
SSDEEP

1536:r+GXnIHF54ed78e9aVwIF5n5Xd+JTg0QwWOvLSb8TXu+f8vR8PUCwZVmn0kB89gN:r+xF5RqeIVwIvu3QwWOL+8Te68w4OwSp

Score

3^/10

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1892	4380	WerFault.exe	69
4460	4380	WerFault.exe	69

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	rshelper.exe

C:\Users\Admin\AppData\Local\Temp\rshelper.exe
"C:\Users\Admin\AppData\Local\Temp\rshelper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4380
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4380 -s 896
  2⤵
  - Program crash
  PID:1892
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4380 -s 896
  2⤵
  - Program crash
  PID:4460

memory/4380-120-0x000002E1B5630000-0x000002E1B5654000-memory.dmp

Filesize
144KB

Download
memory/4380-121-0x00007FF8771A0000-0x00007FF877B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4380-122-0x000002E1B59E0000-0x000002E1B59E1000-memory.dmp

Filesize
4KB

Download
memory/4380-123-0x000002E1CFB30000-0x000002E1CFB40000-memory.dmp

Filesize
64KB

Download
memory/4380-124-0x00007FF8771A0000-0x00007FF877B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4380-125-0x000002E1CFB30000-0x000002E1CFB40000-memory.dmp

Filesize
64KB

Download