IOC Report
u9R1HA4M7B.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_315cf41d-180d-42fe-9df9-a19be070e75b\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_4d33789e-b009-45d7-956c-442afac19bec\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_ab11d3bd-b6ac-4ab3-b71a-426236c34122\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_u9R_ce3539d85b1c5ec68c954104cf626e03175e8a_93eaf31b_b8be7178-c123-40e8-8433-717dd469d09c\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB829.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Apr 25 20:12:52 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB82A.tmp.dmp

Mini DuMP crash report, 14 streams, Thu Apr 25 20:12:52 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8D6.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB904.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB915.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB963.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\u9R1HA4M7B.dll",#1

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2336 -s 140

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 6432 -s 232

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 7296 -s 128

http://upx.sf.net

unknown

\REGISTRY\A\{91d27c8e-b4af-c2f6-e340-7762155bba0f}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41

ProgramId

\REGISTRY\A\{91d27c8e-b4af-c2f6-e340-7762155bba0f}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41

FileId

\REGISTRY\A\{91d27c8e-b4af-c2f6-e340-7762155bba0f}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41

LowerCaseLongPath

\REGISTRY\A\{91d27c8e-b4af-c2f6-e340-7762155bba0f}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41

LongPathHash

\REGISTRY\A\{91d27c8e-b4af-c2f6-e340-7762155bba0f}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41

Name

\REGISTRY\A\{91d27c8e-b4af-c2f6-e340-7762155bba0f}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41

OriginalFileName

\REGISTRY\A\{91d27c8e-b4af-c2f6-e340-7762155bba0f}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41

Publisher

\REGISTRY\A\{91d27c8e-b4af-c2f6-e340-7762155bba0f}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41

Version

\REGISTRY\A\{91d27c8e-b4af-c2f6-e340-7762155bba0f}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41

BinFileVersion

\REGISTRY\A\{91d27c8e-b4af-c2f6-e340-7762155bba0f}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41

BinaryType

233F4080000

heap

page read and write

7FFE14641000

unkown

page read and write

7FFE14646000

unkown

page write copy

2210A3A0000

heap

page read and write

2515E545000

heap

page read and write

2515E540000

heap

page read and write

7FFE14647000

unkown

page readonly

63606AD000

stack

page read and write

2515E558000

heap

page read and write

7FFE14647000

unkown

page readonly