IOC Report
newadvsplash.dll


Files

File Path | Type | Category | Malicious
newadvsplash.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_14ad5693-eaaf-4133-8ad1-39eb02a7164f\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_168b1b20-02fd-4d70-93d2-09995b142d16\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_f447ed26-44b0-4145-a12b-d0b00b85de75\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_2824bab859d35889dff863c9c9b5d719d6756866_7522e4b5_fefad15e-02a6-45e0-8ba1-606216b2d276\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC89.tmp.dmp | Mini DuMP crash report, 14 streams, Fri Apr 19 03:15:46 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD26.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD47.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7A5.tmp.dmp | Mini DuMP crash report, 14 streams, Fri Apr 19 03:15:49 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB804.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB834.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC438.tmp.dmp | Mini DuMP crash report, 14 streams, Fri Apr 19 03:15:52 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC447.tmp.dmp | Mini DuMP crash report, 14 streams, Fri Apr 19 03:15:52 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4D5.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4E5.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC534.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC5D0.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |
(8 additional files not shown)

Processes

Path | Cmdline | Malicious
C:\Windows\System32\loaddll32.exe | loaddll32.exe "C:\Users\user\Desktop\newadvsplash.dll" |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",#1 |
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,hwnd |
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",#1 |
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,play |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6764 -s 628 |
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\newadvsplash.dll,show |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 628 |
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",hwnd |
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",play |
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",show |
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\newadvsplash.dll",stop |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 628 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 628 |
(5 additional processes not shown)

URLs

Name | IP | Malicious
http://upx.sf.net | unknown |

Registry

Path: \REGISTRY\A\{fb3c2fdb-9dfa-a39e-2dfa-70c1bf2feb14}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, IsOsComponent, Usn
Malicious: (not flagged in the report)

Path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Values: ClockTimeSeconds, TickCount
Malicious: (not flagged in the report)
(12 additional registry entries not shown)

Memdumps

Base Address | Region type | Protect | Malicious
3500000 | heap | page read and write |
140000 | heap | page read and write |
31AE000 | stack | page read and write |
31D0000 | heap | page read and write |
3120000 | heap | page read and write |
2F4A000 | heap | page read and write |
22BE000 | stack | page read and write |
28AD000 | stack | page read and write |
30F0000 | heap | page read and write |
24FC000 | stack | page read and write |
10AE000 | stack | page read and write |
309C000 | stack | page read and write |
270F000 | stack | page read and write |
4ADF000 | stack | page read and write |
322A000 | heap | page read and write |
E60000 | heap | page read and write |
23D0000 | heap | page read and write |
10000000 | unknown | page readonly |
2DDE000 | stack | page read and write |
48DE000 | stack | page read and write |
2BE0000 | heap | page read and write |
309A000 | heap | page read and write |
26AC000 | stack | page read and write |
491F000 | stack | page read and write |
27DF000 | stack | page read and write |
28FE000 | stack | page read and write |
3480000 | heap | page read and write |
293F000 | stack | page read and write |
2920000 | heap | page read and write |
297A000 | heap | page read and write |
42C0000 | heap | page read and write |
349F000 | stack | page read and write |
2B3B000 | stack | page read and write |
2560000 | heap | page read and write |
F8D000 | heap | page read and write |
22FF000 | stack | page read and write |
31C0000 | heap | page read and write |
10004000 | unknown | page readonly |
E20000 | heap | page read and write |
2830000 | heap | page read and write |
4270000 | heap | page read and write |
27C0000 | heap | page read and write |
2710000 | heap | page read and write |
226A000 | heap | page read and write |
3450000 | heap | page read and write |
10004000 | unknown | page readonly |
19B000 | stack | page read and write |
F7B000 | heap | page read and write |
2970000 | heap | page read and write |
343E000 | stack | page read and write |
10001000 | unknown | page execute read |
29CA000 | heap | page read and write |
30BC000 | stack | page read and write |
4960000 | heap | page read and write |
2D60000 | heap | page read and write |
2740000 | heap | page read and write |
11EE000 | stack | page read and write |
220000 | heap | page read and write |
10000000 | unknown | page readonly |
2BF0000 | heap | page read and write |
10003000 | unknown | page read and write |
10004000 | unknown | page readonly |
2990000 | heap | page read and write |
3090000 | heap | page read and write |
426E000 | stack | page read and write |
486F000 | stack | page read and write |
4360000 | heap | page read and write |
3280000 | heap | page read and write |
4B90000 | heap | page read and write |
4390000 | heap | page read and write |
F70000 | heap | page read and write |
BBC000 | stack | page read and write |
10002000 | unknown | page readonly |
303F000 | stack | page read and write |
10001000 | unknown | page execute read |
2CAB000 | stack | page read and write |
328A000 | heap | page read and write |
2380000 | heap | page read and write |
10001000 | unknown | page execute read |
325E000 | stack | page read and write |
2F00000 | heap | page read and write |
2370000 | heap | page read and write |
2B7C000 | stack | page read and write |
10000000 | unknown | page readonly |
346E000 | stack | page read and write |
234E000 | stack | page read and write |
2C50000 | heap | page read and write |
3560000 | heap | page read and write |
307E000 | stack | page read and write |
10000000 | unknown | page readonly |
F88000 | heap | page read and write |
E30000 | heap | page read and write |
4350000 | heap | page read and write |
305B000 | stack | page read and write |
DC000 | stack | page read and write |
2C80000 | heap | page read and write |
42AE000 | stack | page read and write |
2810000 | heap | page read and write |
10002000 | unknown | page readonly |
2CEC000 | stack | page read and write |
10003000 | unknown | page read and write |
29C0000 | heap | page read and write |
2570000 | heap | page read and write |
266B000 | stack | page read and write |
F60000 | heap | page read and write |
11AE000 | stack | page read and write |
286E000 | stack | page read and write |
10002000 | unknown | page readonly |
23FE000 | stack | page read and write |
294F000 | stack | page read and write |
31E0000 | heap | page read and write |
3080000 | heap | page read and write |
238F000 | stack | page read and write |
25E0000 | heap | page read and write |
4890000 | heap | page read and write |
290E000 | stack | page read and write |
9B000 | stack | page read and write |
299A000 | heap | page read and write |
3130000 | heap | page read and write |
2BE0000 | heap | page read and write |
210000 | heap | page read and write |
4D00000 | heap | page read and write |
344E000 | stack | page read and write |
33BF000 | stack | page read and write |
31D0000 | heap | page read and write |
307B000 | stack | page read and write |
2260000 | heap | page read and write |
10003000 | unknown | page read and write |
10002000 | unknown | page readonly |
1DC000 | stack | page read and write |
ABC000 | stack | page read and write |
F7F000 | heap | page read and write |
24BB000 | stack | page read and write |
33FE000 | stack | page read and write |
10003000 | unknown | page read and write |
10001000 | unknown | page execute read |
27F0000 | heap | page read and write |
279E000 | stack | page read and write |
2D50000 | heap | page read and write |
2950000 | heap | page read and write |
2F40000 | heap | page read and write |
34C0000 | heap | page read and write |
4D10000 | heap | page read and write |
34B0000 | heap | page read and write |
321F000 | stack | page read and write |
3220000 | heap | page read and write |
28B0000 | heap | page read and write |
10004000 | unknown | page readonly |
12EF000 | stack | page read and write |
(139 additional memdumps not shown)