Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
up.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_45b27b9ae4bdc5533369f53128e793cbabf13_7522e4b5_8c897256-56e2-4a6b-a5a5-c2b09c66c44c\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER485.tmp.dmp
|
Mini DuMP crash report, 14 streams, Mon Oct 14 07:46:20 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER590.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C0.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\loaddll32.exe
|
loaddll32.exe "C:\Users\user\Desktop\up.dll"
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\SysWOW64\cmd.exe
|
cmd.exe /C rundll32.exe "C:\Users\user\Desktop\up.dll",#1
|
||
|
C:\Windows\SysWOW64\rundll32.exe
|
rundll32.exe "C:\Users\user\Desktop\up.dll",#1
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 776
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://upx.sf.net
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
s-part-0017.t-0009.fb-t-msedge.net
|
13.107.253.45
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
ProgramId
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
FileId
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
LongPathHash
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
Name
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
OriginalFileName
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
Publisher
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
Version
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
BinFileVersion
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
BinaryType
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
ProductName
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
ProductVersion
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
LinkDate
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
BinProductVersion
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
Size
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
Language
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
IsOsComponent
|
||
|
\REGISTRY\A\{b060491f-7f1a-332b-2cbe-2896b6aa5310}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
|
Usn
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceTicket
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceId
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
ApplicationFlags
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
|
0018000DDABBE6B3
|
There are 14 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
2E40000
|
heap
|
page read and write
|
||
|
2EE2000
|
heap
|
page read and write
|
||
|
499D000
|
stack
|
page read and write
|
||
|
4ACF000
|
stack
|
page read and write
|
||
|
132D000
|
heap
|
page read and write
|
||
|
F70000
|
heap
|
page read and write
|
||
|
2EE2000
|
heap
|
page read and write
|
||
|
322E000
|
stack
|
page read and write
|
||
|
2EC8000
|
heap
|
page read and write
|
||
|
6D380000
|
unkown
|
page readonly
|
||
|
F0C000
|
stack
|
page read and write
|
||
|
31A0000
|
heap
|
page read and write
|
||
|
66A0000
|
trusted library allocation
|
page read and write
|
||
|
FCE000
|
stack
|
page read and write
|
||
|
2EB1000
|
heap
|
page read and write
|
||
|
2EB6000
|
heap
|
page read and write
|
||
|
3230000
|
heap
|
page read and write
|
||
|
490E000
|
stack
|
page read and write
|
||
|
1300000
|
heap
|
page read and write
|
||
|
2B89000
|
stack
|
page read and write
|
||
|
6240000
|
heap
|
page read and write
|
||
|
2EC5000
|
heap
|
page read and write
|
||
|
2E30000
|
heap
|
page read and write
|
||
|
2EC4000
|
heap
|
page read and write
|
||
|
6D433000
|
unkown
|
page read and write
|
||
|
130B000
|
heap
|
page read and write
|
||
|
2E90000
|
heap
|
page read and write
|
||
|
6250000
|
heap
|
page read and write
|
||
|
173E000
|
stack
|
page read and write
|
||
|
495D000
|
stack
|
page read and write
|
||
|
2E9A000
|
heap
|
page read and write
|
||
|
1329000
|
heap
|
page read and write
|
||
|
2ED0000
|
heap
|
page read and write
|
||
|
488E000
|
stack
|
page read and write
|
||
|
4A0E000
|
stack
|
page read and write
|
||
|
3237000
|
heap
|
page read and write
|
||
|
2BCC000
|
stack
|
page read and write
|
||
|
163E000
|
stack
|
page read and write
|
||
|
143E000
|
stack
|
page read and write
|
||
|
323A000
|
heap
|
page read and write
|
||
|
6290000
|
heap
|
page read and write
|
||
|
48CE000
|
stack
|
page read and write
|
||
|
4A8F000
|
stack
|
page read and write
|
||
|
6D3F5000
|
unkown
|
page readonly
|
||
|
1322000
|
heap
|
page read and write
|
||
|
1326000
|
heap
|
page read and write
|
||
|
2EBB000
|
heap
|
page read and write
|
||
|
6D439000
|
unkown
|
page readonly
|
||
|
2EC4000
|
heap
|
page read and write
|
||
|
4A4F000
|
stack
|
page read and write
|
||
|
306F000
|
stack
|
page read and write
|
||
|
17C0000
|
heap
|
page read and write
|
||
|
6D381000
|
unkown
|
page execute read
|
||
|
2EC1000
|
heap
|
page read and write
|
||
|
2EC9000
|
heap
|
page read and write
|
||
|
F80000
|
heap
|
page read and write
|
||
|
130F000
|
heap
|
page read and write
|
||
|
177E000
|
stack
|
page read and write
|
||
|
1460000
|
heap
|
page read and write
|
||
|
12FC000
|
stack
|
page read and write
|
||
|
6294000
|
heap
|
page read and write
|
||
|
2E80000
|
heap
|
page read and write
|
There are 52 hidden memdumps, click here to show them.