Files
File Path | Type | Category | Malicious
---|---|---|---
file.dll | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | initial sample |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_1aff9662ccd791d8d4eef4da2398bc923098b68_d75f6fa5_a4482ba1-72b3-4036-ba59-9c7045524573\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_1aff9662ccd791d8d4eef4da2398bc923098b68_d75f6fa5_ce2adf5f-3e69-4e0c-9b84-80f5ada87843\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_56d7447d6a13c353c2282cc3f2ec25695913c0_d75f6fa5_1ac2261b-d3b6-4096-8723-9d2cb56e6a9e\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_56d7447d6a13c353c2282cc3f2ec25695913c0_d75f6fa5_9b2953ba-c62e-42a8-a2c8-a3c4d6984f18\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_9de19133aefe36cce1fe9ee66691ccc86823a879_d75f6fa5_d06e6c10-5330-4937-9ceb-dc1518b61a0b\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1501.tmp.dmp | Mini DuMP crash report, 14 streams, Wed Oct 2 15:26:26 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1530.tmp.dmp | Mini DuMP crash report, 14 streams, Wed Oct 2 15:26:26 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER15BE.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1679.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER168A.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER16B9.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER801.tmp.dmp | Mini DuMP crash report, 14 streams, Wed Oct 2 15:26:23 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER850.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER880.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1D9.tmp.dmp | Mini DuMP crash report, 14 streams, Wed Oct 2 15:26:17 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2D4.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF304.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBFB.tmp.dmp | Mini DuMP crash report, 14 streams, Wed Oct 2 15:26:20 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC98.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCC8.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |
Processes
Path | Cmdline | Malicious
---|---|---
C:\Windows\System32\loaddll64.exe | loaddll64.exe "C:\Users\user\Desktop\file.dll" |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1 |
C:\Windows\System32\rundll32.exe | rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_init |
C:\Windows\System32\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\file.dll",#1 |
C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 7800 -s 332 |
C:\Windows\System32\rundll32.exe | rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceFillAlphas |
C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 4940 -s 324 |
C:\Windows\System32\rundll32.exe | rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceStrokeAlphas |
C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2504 -s 332 |
C:\Windows\System32\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_init |
C:\Windows\System32\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceFillAlphas |
C:\Windows\System32\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_prism_impl_shape_NativePiscesRasterizer_produceStrokeAlphas |
C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 8016 -s 324 |
C:\Windows\System32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 7488 -s 324 |
URLs
Name | IP | Malicious
---|---|---
http://upx.sf.net | unknown |
Registry
Path | Value | Malicious
---|---|---
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | ProgramId |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | FileId |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | LowerCaseLongPath |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | LongPathHash |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | Name |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | OriginalFileName |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | Publisher |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | Version |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | BinFileVersion |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | BinaryType |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | ProductName |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | ProductVersion |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | LinkDate |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | BinProductVersion |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | AppxPackageFullName |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | AppxPackageRelativeId |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | Size |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | Language |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | IsOsComponent |
\REGISTRY\A\{47751939-887f-32e6-591b-8ca71d8e6830}\Root\InventoryApplicationFile\rundll32.exe\|c8d854bf61fafc41 | Usn |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceTicket |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceId |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | ApplicationFlags |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property | 0018400CF081ADAB |
Memdumps
Base Address | Regiontype | Protect | Malicious
---|---|---|---
1DD06750000 | heap | page read and write |
18C9E7E0000 | heap | page read and write |
1E809AFF000 | heap | page read and write |
1E809AD0000 | heap | page read and write |
B0DC9DE000 | stack | page read and write |
7FF83280C000 | unknown | page readonly |
7FF83280F000 | unknown | page readonly |
2B597660000 | heap | page read and write |
7FF832801000 | unknown | page execute read |
CE1587C000 | stack | page read and write |
1DD07EA0000 | heap | page read and write |
18D484E0000 | heap | page read and write |
2BA11690000 | heap | page read and write |
7FF83280F000 | unknown | page readonly |
3E2DE7C000 | stack | page read and write |
7FF83280C000 | unknown | page readonly |
2BA11860000 | heap | page read and write |
388C9AE000 | stack | page read and write |
1E809BF0000 | heap | page read and write |
2BA11878000 | heap | page read and write |
13A1F580000 | heap | page read and write |
3953A7F000 | stack | page read and write |
B49A87F000 | stack | page read and write |
E49618F000 | stack | page read and write |
395377C000 | stack | page read and write |
18D49ED0000 | heap | page read and write |
B0DCC7E000 | stack | page read and write |
18C9E7C0000 | heap | page read and write |
2C8B36A0000 | heap | page read and write |
7FF832801000 | unknown | page execute read |
E49608C000 | stack | page read and write |
2B5979C5000 | heap | page read and write |
2B5976B8000 | heap | page read and write |
13A1F585000 | heap | page read and write |
7FF832800000 | unknown | page readonly |
1DD063A0000 | heap | page read and write |
388C92C000 | stack | page read and write |
18D484B0000 | heap | page read and write |
2C8B1DD0000 | heap | page read and write |
18C9E870000 | heap | page read and write |
13A1F3B0000 | heap | page read and write |
18C9E878000 | heap | page read and write |
D035F9C000 | stack | page read and write |
2BA117A0000 | heap | page read and write |
18D486A0000 | heap | page read and write |
CE1597E000 | stack | page read and write |
13A1F1E0000 | heap | page read and write |
1E809AF8000 | heap | page read and write |
7FF83280F000 | unknown | page readonly |
2C8B1FB5000 | heap | page read and write |
7FF832800000 | unknown | page readonly |
2C8B1C00000 | heap | page read and write |
18D486A5000 | heap | page read and write |
7FF832800000 | unknown | page readonly |
1E809C40000 | heap | page read and write |
1DD06755000 | heap | page read and write |
2B5976B0000 | heap | page read and write |
2C8B1DF0000 | heap | page read and write |
1E80B520000 | heap | page read and write |
1E809AF0000 | heap | page read and write |
388CC7E000 | stack | page read and write |
7FF83280C000 | unknown | page readonly |
7FF83280F000 | unknown | page readonly |
2BA1186D000 | heap | page read and write |
1E809C45000 | heap | page read and write |
13A1F1B0000 | heap | page read and write |
7FF83280E000 | unknown | page read and write |
B0DC95C000 | stack | page read and write |
18C9EB10000 | heap | page read and write |
3E2DEFE000 | stack | page read and write |
7FF83280C000 | unknown | page readonly |
CE158FE000 | stack | page read and write |
E49610F000 | stack | page read and write |
D0363FF000 | stack | page read and write |
7FF83280C000 | unknown | page readonly |
1DD06340000 | heap | page read and write |
D0362FF000 | stack | page read and write |
7FF83280F000 | unknown | page readonly |
2B597650000 | heap | page read and write |
1DD06320000 | heap | page read and write |
18D485E0000 | heap | page read and write |
2B597910000 | heap | page read and write |
2BA11770000 | heap | page read and write |
2B5979C0000 | heap | page read and write |
13A1F1A0000 | heap | page read and write |
2C8B1C08000 | heap | page read and write |
1DD063A8000 | heap | page read and write |
B49A8FE000 | stack | page read and write |
13A20C20000 | heap | page read and write |
7FF832801000 | unknown | page execute read |
18C9EA70000 | heap | page read and write |
39537FF000 | stack | page read and write |
18D484E8000 | heap | page read and write |
2C8B1FB0000 | heap | page read and write |
3E2DF7F000 | stack | page read and write |
7FF832800000 | unknown | page readonly |
18C9E7B0000 | heap | page read and write |
7FF832801000 | unknown | page execute read |
B49A5CC000 | stack | page read and write |
2C8B1BE0000 | heap | page read and write |
2BA11AB0000 | heap | page read and write |
2B597680000 | heap | page read and write |
13A1F1E8000 | heap | page read and write |
18C9E87E000 | heap | page read and write |
1E8099F0000 | heap | page read and write |
18C9EB15000 | heap | page read and write |
18D483D0000 | heap | page read and write |
7FF832801000 | unknown | page execute read |
7FF832800000 | unknown | page readonly |
1DD06310000 | heap | page read and write |