Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
oLiA3yj6Cq.dll
|
PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_12aa84f81d99ae7eee3b83fc11c16348eb77b7_e29f7403_3efe9483-1171-4cd2-ae68-ab22ee01a16b\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA60A.tmp.dmp
|
Mini DuMP crash report, 15 streams, Sat Oct 26 07:10:00 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA669.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA699.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\loaddll64.exe
|
loaddll64.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll"
|
|
|
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll",#1
|
|
|
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllGetClassObject
|
|
|
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllMain
|
|
|
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllRegisterServer
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\cmd.exe
|
cmd.exe /C rundll32.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll",#1
|
||
|
C:\Windows\System32\regsvr32.exe
|
regsvr32.exe /s C:\Users\user\Desktop\oLiA3yj6Cq.dll
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 2784 -s 412
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
20.25.126.96
|
|
||
|
http://upx.sf.net
|
unknown
|
||
|
http://127.0.0.1:%u/
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
ProgramId
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
FileId
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
LongPathHash
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
Name
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
OriginalFileName
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
Publisher
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
Version
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
BinFileVersion
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
BinaryType
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
ProductName
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
ProductVersion
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
LinkDate
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
BinProductVersion
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
Size
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
Language
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
IsOsComponent
|
||
|
\REGISTRY\A\{d0a7c0bc-319f-0fb8-eaaf-c8e514aefa22}\Root\InventoryApplicationFile\regsvr32.exe|20eb212352f3412a
|
Usn
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceTicket
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceId
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
ApplicationFlags
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
|
0018000DDABBE6B3
|
There are 14 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1E583CE0000
|
unclassified section
|
page execute read
|
|
|
|
16E0D6D0000
|
unclassified section
|
page execute read
|
|
|
|
20650830000
|
unclassified section
|
page execute read
|
|
|
|
29E27C60000
|
unclassified section
|
page execute read
|
|
|
|
1BF69420000
|
direct allocation
|
page execute and read and write
|
|
|
|
16E0D720000
|
direct allocation
|
page execute and read and write
|
|
|
|
1BF693B0000
|
unclassified section
|
page execute read
|
|
|
|
16E0BB90000
|
heap
|
page read and write
|
||
|
29E264B5000
|
heap
|
page read and write
|
||
|
2064F210000
|
heap
|
page read and write
|
||
|
387FAFF000
|
stack
|
page read and write
|
||
|
1E583C50000
|
heap
|
page read and write
|
||
|
1BF69190000
|
heap
|
page read and write
|
||
|
C77F47C000
|
stack
|
page read and write
|
||
|
20650890000
|
heap
|
page read and write
|
||
|
2064EF30000
|
heap
|
page read and write
|
||
|
13BF000
|
stack
|
page read and write
|
||
|
C489B7C000
|
stack
|
page read and write
|
||
|
10EBCE000
|
stack
|
page read and write
|
||
|
1120000
|
heap
|
page read and write
|
||
|
B71BC7C000
|
stack
|
page read and write
|
||
|
16E0BBA8000
|
heap
|
page read and write
|
||
|
2C3F000
|
stack
|
page read and write
|
||
|
29E26220000
|
heap
|
page read and write
|
||
|
29E26140000
|
heap
|
page read and write
|
||
|
1E583A80000
|
heap
|
page read and write
|
||
|
2064F215000
|
heap
|
page read and write
|
||
|
16E0D6C0000
|
heap
|
page read and write
|
||
|
16E0D774000
|
direct allocation
|
page execute and read and write
|
||
|
387F8FB000
|
stack
|
page read and write
|
||
|
1BF692B0000
|
heap
|
page read and write
|
||
|
29E26290000
|
heap
|
page read and write
|
||
|
1415000
|
heap
|
page read and write
|
||
|
B71BCFF000
|
stack
|
page read and write
|
||
|
1BF6946E000
|
direct allocation
|
page execute and read and write
|
||
|
16E0BD90000
|
heap
|
page read and write
|
||
|
1E583C70000
|
heap
|
page read and write
|
||
|
11C0000
|
heap
|
page read and write
|
||
|
1BF69468000
|
direct allocation
|
page execute and read and write
|
||
|
C489E7F000
|
stack
|
page read and write
|
||
|
1E583A70000
|
heap
|
page read and write
|
||
|
16E0D5B0000
|
heap
|
page read and write
|
||
|
1BF69471000
|
direct allocation
|
page execute and read and write
|
||
|
16E0BDD5000
|
heap
|
page read and write
|
||
|
29E27E10000
|
heap
|
page read and write
|
||
|
1BF69290000
|
heap
|
page read and write
|
||
|
DCB000
|
stack
|
page read and write
|
||
|
11EA000
|
heap
|
page read and write
|
||
|
1010000
|
heap
|
page read and write
|
||
|
1E585550000
|
heap
|
page read and write
|
||
|
387FCFA000
|
stack
|
page read and write
|
||
|
1BF69160000
|
heap
|
page read and write
|
||
|
16E0BDD0000
|
heap
|
page read and write
|
||
|
1E583A88000
|
heap
|
page read and write
|
||
|
387FBFF000
|
stack
|
page read and write
|
||
|
10EEFE000
|
stack
|
page read and write
|
||
|
1BF69415000
|
heap
|
page read and write
|
||
|
206508A0000
|
heap
|
page read and write
|
||
|
29E264B0000
|
heap
|
page read and write
|
||
|
C489BFF000
|
stack
|
page read and write
|
||
|
1E583DA0000
|
heap
|
page read and write
|
||
|
1BF69473000
|
direct allocation
|
page execute and read and write
|
||
|
1E583DA5000
|
heap
|
page read and write
|
||
|
1E583D90000
|
heap
|
page read and write
|
||
|
B71BDFE000
|
stack
|
page read and write
|
||
|
2064EDE0000
|
heap
|
page read and write
|
||
|
16E0BD70000
|
heap
|
page read and write
|
||
|
2064EEC0000
|
heap
|
page read and write
|
||
|
387FDFE000
|
stack
|
page read and write
|
||
|
1410000
|
heap
|
page read and write
|
||
|
387F9FE000
|
stack
|
page read and write
|
||
|
10F0000
|
heap
|
page read and write
|
||
|
C77F4FF000
|
stack
|
page read and write
|
||
|
C489EFE000
|
stack
|
page read and write
|
||
|
16E0BBA0000
|
heap
|
page read and write
|
||
|
29E263B0000
|
heap
|
page read and write
|
||
|
2064EEE0000
|
heap
|
page read and write
|
||
|
2064EF38000
|
heap
|
page read and write
|
||
|
C77F57F000
|
stack
|
page read and write
|
||
|
11CB000
|
heap
|
page read and write
|
||
|
2D30000
|
heap
|
page read and write
|
||
|
1BF69410000
|
heap
|
page read and write
|
||
|
387FEFF000
|
stack
|
page read and write
|
||
|
387FFFE000
|
stack
|
page read and write
|
||
|
1BF69199000
|
heap
|
page read and write
|
||
|
133F000
|
stack
|
page read and write
|
||
|
1BF69080000
|
heap
|
page read and write
|
||
|
1BF691E3000
|
heap
|
page read and write
|
||
|
10EB4E000
|
stack
|
page read and write
|
||
|
10EACC000
|
stack
|
page read and write
|
||
|
1BF6946B000
|
direct allocation
|
page execute and read and write
|
||
|
B71BD7F000
|
stack
|
page read and write
|
||
|
29E26240000
|
heap
|
page read and write
|
||
|
1BF6919D000
|
heap
|
page read and write
|
||
|
29E26298000
|
heap
|
page read and write
|
||
|
B71BE7E000
|
stack
|
page read and write
|
There are 86 hidden memdumps, click here to show them.