Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
QualityUpdateAssistant.dll
|
PE32+ executable (DLL) (console) x86-64, for MS Windows
|
initial sample
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll64.exe_f1e2a93da88b32cda8c0398fc0f16d5f7ea571e1_606702e6_15d5ab69-9905-49c3-8179-a8d144bd5245\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Qua_69d6fdc2216b7557c151bb744884d1a78ca7bd0_cb9a354e_aa478cdb-a592-4df8-bd48-f5f1f889ca29\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Qua_69d6fdc2216b7557c151bb744884d1a78ca7bd0_cb9a354e_cbaa4629-6e7a-4c66-8044-c5a78e9f22e9\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Qua_69d6fdc2216b7557c151bb744884d1a78ca7bd0_cb9a354e_ef734fa1-f744-4e89-a5e4-a6e6eee6643c\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F0F.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Apr 26 08:22:41 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F3E.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Apr 26 08:22:41 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER500A.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER501A.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5069.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER50D7.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A1B.tmp.dmp
|
Mini DuMP crash report, 14 streams, Fri Apr 26 08:22:44 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A5A.tmp.dmp
|
Mini DuMP crash report, 15 streams, Fri Apr 26 08:22:44 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B93.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BB2.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BC3.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BE2.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\System32\Logs\LcuAssistant.001.etl
|
data
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
||
|
C:\Windows\system32\Logs\LcuAssistant.002.etl (copy)
|
data
|
dropped
|
There are 10 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\loaddll64.exe
|
loaddll64.exe "C:\Users\user\Desktop\QualityUpdateAssistant.dll"
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\cmd.exe
|
cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QualityUpdateAssistant.dll",#1
|
||
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\QualityUpdateAssistant.dll,Execute
|
||
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe "C:\Users\user\Desktop\QualityUpdateAssistant.dll",#1
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 7160 -s 516
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 3876 -s 516
|
||
|
C:\Windows\System32\rundll32.exe
|
rundll32.exe "C:\Users\user\Desktop\QualityUpdateAssistant.dll",Execute
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 6548 -s 508
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 6456 -s 488
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://upx.sf.net
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
ProgramId
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
FileId
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
LongPathHash
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Name
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
OriginalFileName
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Publisher
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Version
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
BinFileVersion
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
BinaryType
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
ProductName
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
ProductVersion
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
LinkDate
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
BinProductVersion
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Size
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Language
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
IsOsComponent
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\rundll32.exe|c8d854bf61fafc41
|
Usn
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
ProgramId
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
FileId
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
LongPathHash
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
Name
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
OriginalFileName
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
Publisher
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
Version
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
BinFileVersion
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
BinaryType
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
ProductName
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
ProductVersion
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
LinkDate
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
BinProductVersion
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
Size
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
Language
|
||
|
\REGISTRY\A\{530b3e17-87ba-243c-e99c-ec6617a2fb73}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008
|
Usn
|
There are 29 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1D155620000
|
heap
|
page read and write
|
||
|
1D153B29000
|
heap
|
page read and write
|
||
|
7FF8B9091000
|
unkown
|
page execute read
|
||
|
1D153CD5000
|
heap
|
page read and write
|
||
|
1D153B2D000
|
heap
|
page read and write
|
||
|
226FD4EB000
|
heap
|
page read and write
|
||
|
7FF8B90DF000
|
unkown
|
page readonly
|
||
|
1D153B20000
|
heap
|
page read and write
|
||
|
1D256F50000
|
heap
|
page read and write
|
||
|
7FF8B9103000
|
unkown
|
page read and write
|
||
|
1D256FF0000
|
heap
|
page read and write
|
||
|
7FF8B9090000
|
unkown
|
page readonly
|
||
|
7781FAC000
|
stack
|
page read and write
|
||
|
226FD4A8000
|
heap
|
page read and write
|
||
|
9BE407F000
|
stack
|
page read and write
|
||
|
7FF8B9090000
|
unkown
|
page readonly
|
||
|
21CBBB65000
|
heap
|
page read and write
|
||
|
21CBB920000
|
heap
|
page read and write
|
||
|
226FD820000
|
heap
|
page read and write
|
||
|
1D153C40000
|
heap
|
page read and write
|
||
|
1D258A20000
|
heap
|
page read and write
|
||
|
21CBD4B0000
|
heap
|
page read and write
|
||
|
21CBBB60000
|
heap
|
page read and write
|
||
|
7FF8B9091000
|
unkown
|
page execute read
|
||
|
7FF8B9091000
|
unkown
|
page execute read
|
||
|
1D256F95000
|
heap
|
page read and write
|
||
|
21CBB928000
|
heap
|
page read and write
|
||
|
854D7FE000
|
stack
|
page read and write
|
||
|
778227E000
|
stack
|
page read and write
|
||
|
226FD420000
|
heap
|
page read and write
|
||
|
B86C5AE000
|
stack
|
page read and write
|
||
|
7FF8B90DF000
|
unkown
|
page readonly
|
||
|
1D256F60000
|
heap
|
page read and write
|
||
|
21CBB8C0000
|
heap
|
page read and write
|
||
|
1D153A30000
|
heap
|
page read and write
|
||
|
1D153B65000
|
heap
|
page read and write
|
||
|
854D6FE000
|
stack
|
page read and write
|
||
|
B86C52C000
|
stack
|
page read and write
|
||
|
21CBB92E000
|
heap
|
page read and write
|
||
|
1D153C20000
|
heap
|
page read and write
|
||
|
1D153B70000
|
heap
|
page read and write
|
||
|
21CBB8E0000
|
heap
|
page read and write
|
||
|
9BE40FE000
|
stack
|
page read and write
|
||
|
7FF8B9103000
|
unkown
|
page read and write
|
||
|
1D25703B000
|
heap
|
page read and write
|
||
|
226FD3F0000
|
heap
|
page read and write
|
||
|
854D38B000
|
stack
|
page read and write
|
||
|
1D153CD0000
|
heap
|
page read and write
|
||
|
21CBB8B0000
|
heap
|
page read and write
|
||
|
7FF8B9103000
|
unkown
|
page read and write
|
||
|
B86C87E000
|
stack
|
page read and write
|
||
|
9BE3DBC000
|
stack
|
page read and write
|
||
|
7FF8B9106000
|
unkown
|
page readonly
|
||
|
226FD4A0000
|
heap
|
page read and write
|
||
|
7FF8B9090000
|
unkown
|
page readonly
|
||
|
1D256F90000
|
heap
|
page read and write
|
||
|
226FD845000
|
heap
|
page read and write
|
||
|
1D153C40000
|
heap
|
page read and write
|
||
|
226FD840000
|
heap
|
page read and write
|
||
|
1D256FF8000
|
heap
|
page read and write
|
||
|
1D153B60000
|
heap
|
page read and write
|
||
|
7FF8B9106000
|
unkown
|
page readonly
|
||
|
77822FE000
|
stack
|
page read and write
|
||
|
1D256FA0000
|
heap
|
page read and write
|
||
|
226FD400000
|
heap
|
page read and write
|
||
|
7FF8B90DF000
|
unkown
|
page readonly
|
||
|
7FF8B9106000
|
unkown
|
page readonly
|
There are 57 hidden memdumps, click here to show them.