4d70e1cd0a808bf84a1821c40536017c2e7c7bf5dfc7486c4aaa75f70c8c7e5c

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 00:29

Target

$PLUGINSDIR/InstallOptions.dll
Size

15KB
MD5

786110d3394edf4bb5c14e3e9a49f9e6
SHA1

4adf64a5999a1a41870fedefba22f67840f36f3a
SHA256

3ccb4385cd22b5c69bc2583e181da4085477906c193f04eb5a400801e00dbcd5
SHA512

e85e49b492a04188c46c90fef6ba5b177f85c670848f902748ec1540839ffb2f5d88563c14026328dd2100a48979ff8e67e7af1eee70fea0eb477c78db4d9524
SSDEEP

192:JsIZHdT9uwYX94kYd2iCzHR+yK7imphLAykycpKPd5mn8ozxGUWumle:JsUHd9GN2d2iwl0impATIPdAn8Ov6

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3924	1916	WerFault.exe	82

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 1916	4852	rundll32.exe	82
PID 4852 wrote to memory of 1916	4852	rundll32.exe	82
PID 4852 wrote to memory of 1916	4852	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 636
    3⤵
    - Program crash
    PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1916 -ip 1916
1⤵
PID:5064