cc113937163765301a8ff0ba15638e3b56db08f48f6a535b2e60f7c47a4e7070

Analysis

max time kernel
79s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
25/01/2024, 23:36

Target

$PLUGINSDIR/InstallOptions.dll
Size

14KB
MD5

cbdb85645d7e6ed202d01a515b313e94
SHA1

89c056bade5df80499c6813ec12ad3d2bfb4a374
SHA256

4125db388e2d22121661db9991bd755e2b9fc3ad8714c409759f459659f227aa
SHA512

cf4ab4ab50bc2eebfa7c864b9686a077ed3f7c7e066db87477edbc44160b23fc957d72919b44e551c7b04a749deec5d2204993912859ef294757f47ebf707951
SSDEEP

192:2zn2/g5R+tQg4qUFGfNUueeLvZ3yi9uD4spER4eyQxCnfnLgWhgnKSsdEWQ:2z24+TUUf/5rZ3y0y4sc4OxCfLLgp

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5112	1260	WerFault.exe	79

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5280 wrote to memory of 1260	5280	rundll32.exe	79
PID 5280 wrote to memory of 1260	5280	rundll32.exe	79
PID 5280 wrote to memory of 1260	5280	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5280
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
  2⤵
  PID:1260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 544
    3⤵
    - Program crash
    PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1260 -ip 1260
1⤵
PID:4972