Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
extracted_payload.dll.dll
|
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ext_cb732a877ab57dd2d946af222794a5afefd7721_f0f0aff8_253f7c32-d5c0-48d0-9464-549d84556580\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ext_cb732a877ab57dd2d946af222794a5afefd7721_f0f0aff8_eeaad2f6-aca0-401b-9aab-2173bff9d66e\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ext_cb732a877ab57dd2d946af222794a5afefd7721_f0f0aff8_ff20ae40-2634-4b53-bc11-91db7a4c3297\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6598.tmp.dmp
|
Mini DuMP crash report, 14 streams, Mon Nov 25 22:02:02 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6616.tmp.dmp
|
Mini DuMP crash report, 14 streams, Mon Nov 25 22:02:02 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6654.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6694.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6694.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6712.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER70B3.tmp.dmp
|
Mini DuMP crash report, 14 streams, Mon Nov 25 22:02:05 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7102.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7123.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
There are 4 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\extracted_payload.dll.dll,ReflectiveLoader
|
|
|
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",#1
|
|
|
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",ReflectiveLoader
|
|
|
|
C:\Windows\System32\loaddll64.exe
|
loaddll64.exe "C:\Users\user\Desktop\extracted_payload.dll.dll"
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\cmd.exe
|
cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",#1
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 7572 -s 332
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 7588 -s 352
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 7852 -s 352
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
3.78.244.11
|
|
||
|
http://upx.sf.net
|
unknown
|
||
|
http://127.0.0.1:%u/
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
ProgramId
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
FileId
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
LongPathHash
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Name
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
OriginalFileName
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Publisher
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Version
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
BinFileVersion
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
BinaryType
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
ProductName
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
ProductVersion
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
LinkDate
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
BinProductVersion
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Size
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Language
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
IsOsComponent
|
||
|
\REGISTRY\A\{ca94feb3-e9f3-c2eb-0bcb-16a628aa01fb}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Usn
|
There are 10 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7FFE0E162000
|
unkown
|
page readonly
|
|
|
|
25254020000
|
direct allocation
|
page execute and read and write
|
|
|
|
1627EFF0000
|
direct allocation
|
page execute and read and write
|
|
|
|
1A4C0FD0000
|
direct allocation
|
page execute and read and write
|
|
|
|
7FFE0E162000
|
unkown
|
page readonly
|
|
|
|
7FFE0E162000
|
unkown
|
page readonly
|
|
|
|
BC8E7BC000
|
stack
|
page read and write
|
||
|
2576D2B0000
|
heap
|
page read and write
|
||
|
C727BE000
|
stack
|
page read and write
|
||
|
1A4BF590000
|
heap
|
page read and write
|
||
|
A8771C000
|
stack
|
page read and write
|
||
|
8C284FF000
|
stack
|
page read and write
|
||
|
252525C0000
|
heap
|
page read and write
|
||
|
7FFE0E130000
|
unkown
|
page readonly
|
||
|
7FFE0E183000
|
unkown
|
page read and write
|
||
|
7FFE0E183000
|
unkown
|
page read and write
|
||
|
1627ED50000
|
heap
|
page read and write
|
||
|
7FFE0E184000
|
unkown
|
page readonly
|
||
|
BC8EA7E000
|
stack
|
page read and write
|
||
|
8C281FC000
|
stack
|
page read and write
|
||
|
1A4C1024000
|
direct allocation
|
page execute and read and write
|
||
|
C72A7E000
|
stack
|
page read and write
|
||
|
1627EFE0000
|
heap
|
page read and write
|
||
|
7FFE0E17E000
|
unkown
|
page read and write
|
||
|
25254074000
|
direct allocation
|
page execute and read and write
|
||
|
7FFE0E131000
|
unkown
|
page execute read
|
||
|
2576D31C000
|
heap
|
page read and write
|
||
|
252528F0000
|
heap
|
page read and write
|
||
|
BC8EAFE000
|
stack
|
page read and write
|
||
|
252528F5000
|
heap
|
page read and write
|
||
|
1627F044000
|
direct allocation
|
page execute and read and write
|
||
|
2576D510000
|
heap
|
page read and write
|
||
|
7FFE0E178000
|
unkown
|
page read and write
|
||
|
7FFE0E184000
|
unkown
|
page readonly
|
||
|
1627ED78000
|
heap
|
page read and write
|
||
|
8C285FF000
|
stack
|
page read and write
|
||
|
1627F0B0000
|
heap
|
page read and write
|
||
|
7FFE0E172000
|
unkown
|
page write copy
|
||
|
7FFE0E130000
|
unkown
|
page readonly
|
||
|
1627ED70000
|
heap
|
page read and write
|
||
|
7FFE0E17E000
|
unkown
|
page read and write
|
||
|
7FFE0E184000
|
unkown
|
page readonly
|
||
|
1A4BF498000
|
heap
|
page read and write
|
||
|
C7273C000
|
stack
|
page read and write
|
||
|
1A4BF490000
|
heap
|
page read and write
|
||
|
7FFE0E178000
|
unkown
|
page read and write
|
||
|
7FFE0E172000
|
unkown
|
page write copy
|
||
|
25252650000
|
heap
|
page read and write
|
||
|
1A4C1130000
|
heap
|
page read and write
|
||
|
7FFE0E178000
|
unkown
|
page read and write
|
||
|
7FFE0E172000
|
unkown
|
page write copy
|
||
|
1A4BF690000
|
heap
|
page read and write
|
||
|
1627F0B5000
|
heap
|
page read and write
|
||
|
2576D300000
|
heap
|
page read and write
|
||
|
2576D5F0000
|
heap
|
page read and write
|
||
|
1627EF40000
|
heap
|
page read and write
|
||
|
7FFE0E131000
|
unkown
|
page execute read
|
||
|
A8779E000
|
stack
|
page read and write
|
||
|
7FFE0E17E000
|
unkown
|
page read and write
|
||
|
2576D319000
|
heap
|
page read and write
|
||
|
1A4BF820000
|
heap
|
page read and write
|
||
|
25252658000
|
heap
|
page read and write
|
||
|
1A4BF670000
|
heap
|
page read and write
|
||
|
2576D2C0000
|
heap
|
page read and write
|
||
|
252525E0000
|
heap
|
page read and write
|
||
|
7FFE0E183000
|
unkown
|
page read and write
|
||
|
7FFE0E130000
|
unkown
|
page readonly
|
||
|
252524E0000
|
heap
|
page read and write
|
||
|
1A4BF825000
|
heap
|
page read and write
|
||
|
2525266E000
|
heap
|
page read and write
|
||
|
1627ED40000
|
heap
|
page read and write
|
||
|
A87A7F000
|
stack
|
page read and write
|
||
|
2576D2E0000
|
heap
|
page read and write
|
||
|
2525265F000
|
heap
|
page read and write
|
||
|
2576D30D000
|
heap
|
page read and write
|
||
|
2576D2E0000
|
heap
|
page read and write
|
||
|
25254010000
|
heap
|
page read and write
|
||
|
7FFE0E131000
|
unkown
|
page execute read
|
There are 68 hidden memdumps, click here to show them.