04e629027649a7dcf4595df3f4df38427d08d1ce2277b660e662d038b9f92df9

Analysis

max time kernel
107s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 18:12

Target

$PLUGINSDIR/pwgen.dll
Size

16KB
MD5

a555472395178ac8c733d90928e05017
SHA1

f44b192d66473f01a6540aaec4b6c9ac4c611d35
SHA256

82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e
SHA512

e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a
SSDEEP

96:Rb32p/4mp563gfdaDf2GEFd69qI214YgU+dXXDtFCOdd7KPcC+pyTY62l2z252NJ:YCQAED61dpEEN5VifUbw2mDG0

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2008 1868 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2008	1868	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 5028 wrote to memory of 1868	5028	rundll32.exe	rundll32.exe
PID 5028 wrote to memory of 1868	5028	rundll32.exe	rundll32.exe
PID 5028 wrote to memory of 1868	5028	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\pwgen.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\pwgen.dll,#1
2⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 612
3⤵
- Program crash
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1868 -ip 1868
1⤵
PID:4536

memory/1868-0-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download