f80829d30029ba255675929587f2b6665de2790e52b24845b92d1427c8893264

Analysis

max time kernel
134s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2024 00:04

Target

$PLUGINSDIR/InstallOptions.dll
Size

15KB
MD5

d095b082b7c5ba4665d40d9c5042af6d
SHA1

2220277304af105ca6c56219f56f04e894b28d27
SHA256

b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c
SHA512

61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9
SSDEEP

192:EyGQtZkTktEQUrJaZfuyCnSmUsv3sY7L7cW8Y6Q86QvoTr11929WtshLAzgSrX8:EyNt+4t7uJalUnGesY7Lt8nCr/Yosa

Score

3^/10

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2380	1616	WerFault.exe	89
3568	1616	WerFault.exe	89

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 1616	3980	rundll32.exe	89
PID 3980 wrote to memory of 1616	3980	rundll32.exe	89
PID 3980 wrote to memory of 1616	3980	rundll32.exe	89
PID 1616 wrote to memory of 2380	1616	rundll32.exe	94
PID 1616 wrote to memory of 2380	1616	rundll32.exe	94
PID 1616 wrote to memory of 2380	1616	rundll32.exe	94

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 636
    3⤵
    - Program crash
    PID:2380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 636
    3⤵
    - Program crash
    PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1616 -ip 1616
1⤵
PID:4932