ae2001d5b60a2f0bd8e72c0106363950cd9f68e9ce42b9a40b0af26814908809

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 07:27

Target

$PLUGINSDIR/nsDui.dll
Size

10.0MB
MD5

368841af8b0074e348418f106716e603
SHA1

75469510665b651b38e3b4fb7c4240722c756126
SHA256

3be54dea5aedc0d8d16d6c4bd4e046e2d93bfc550a1a035a94768c2d5901e327
SHA512

3804afa3930a90f258a2b4e7106e1d0211e5d4ca6a7f5ba23da11e3908b4e202295ddbcb1ecf1e15215bc9a0aece1a46efad07ad94feddd4f316b0de674c50d5
SSDEEP

196608:H1YWSpeHkab9WLMhJuH9E7QfqV9BgtBx2Tr+Z/iYyEuOyWoqeob8VvW:eWBfbQcJudLqV9ByBxP/1o0b

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4944 1516 WerFault.exe rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeManageVolumePrivilege 448 svchost.exe

pid	pid_target	process	target process
4944	1516	WerFault.exe	rundll32.exe

description	pid	process
Token: SeManageVolumePrivilege	448	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2700 wrote to memory of 1516	2700	rundll32.exe	rundll32.exe
PID 2700 wrote to memory of 1516	2700	rundll32.exe	rundll32.exe
PID 2700 wrote to memory of 1516	2700	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDui.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDui.dll,#1
2⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 680
3⤵
- Program crash
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1516 -ip 1516
1⤵
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3284 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
1⤵
PID:2212

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:448

memory/448-0-0x000001C119940000-0x000001C119950000-memory.dmp

Filesize
64KB

Download
memory/448-16-0x000001C119A40000-0x000001C119A50000-memory.dmp

Filesize
64KB

Download
memory/448-32-0x000001C121D60000-0x000001C121D61000-memory.dmp

Filesize
4KB

Download
memory/448-34-0x000001C121D90000-0x000001C121D91000-memory.dmp

Filesize
4KB

Download
memory/448-35-0x000001C121D90000-0x000001C121D91000-memory.dmp

Filesize
4KB

Download
memory/448-36-0x000001C121EA0000-0x000001C121EA1000-memory.dmp

Filesize
4KB

Download