IOC Report


Files

File Path | Type | Category | Malicious
SecuriteInfo.com.W32.AIDetect.malware1.23460.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_435bf9987f6a7ee95ec1aabecf98fbf5b0b7b2_82810a17_131cfb8a\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1C9.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Dec 23 04:10:37 2021, 0x1205a4 type | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE8FD.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBBD.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | clean
C:\Windows\appcompat\Programs\Amcache.hve.LOG1 | MS Windows registry file, NT/2000 or above | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Windows\System32\loaddll32.exe | loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll" | malicious
C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1 | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1 | malicious
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 672 | clean

URLs

Name | IP | Malicious
http://upx.sf.net | unknown | clean
http://www.n4pkg6fy8o.gaDVarFileInfo$ | unknown | clean

IPs

IP | Domain | Country | Malicious
185.4.135.27 | unknown | Greece | malicious
85.10.248.28 | unknown | Germany | malicious
80.211.3.13 | unknown | Italy | malicious
144.91.122.102 | unknown | Germany | malicious

Registry

Path | Value | Malicious
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHivePermissionsCorrect | clean
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHiveOwnerCorrect | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProgramId | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | FileId | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LowerCaseLongPath | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LongPathHash | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Name | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Publisher | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Version | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinFileVersion | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinaryType | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProductName | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProductVersion | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LinkDate | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinProductVersion | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Size | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Language | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | IsPeFile | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | IsOsComponent | clean
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug | ExceptionRecord | clean
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceTicket | clean
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceId | clean
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | ApplicationFlags | clean
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property | 0018800453F4626F | clean

Memdumps

Base Address | Region type | Protect | Malicious
6EC31000 | unknown image | page execute read | malicious
6EC31000 | unknown image | page execute read | malicious
6EC31000 | unknown image | page execute read | malicious
6EC31000 | unknown image | page execute read | malicious
574E97B000 | unknown | page read and write | clean
BBB000 | unknown | page read and write | clean
B7A000 | unknown | page read and write | clean
511E000 | stack | page read and write | clean
200B000 | unknown image | page readonly | clean
1E17000 | unknown image | page readonly | clean
212F2987000 | unknown | page read and write | clean
4E90000 | unknown | page read and write | clean
212F204A000 | unknown | page read and write | clean
977000 | unknown | page read and write | clean
FC000 | unknown | page read and write | clean
7FF504454000 | unknown image | page readonly | clean
7FF5A9B4F000 | unknown image | page readonly | clean
977000 | unknown | page read and write | clean
1ADE4629000 | unknown | page read and write | clean
19A84A20000 | unknown image | page readonly | clean
7FF5A9B77000 | unknown image | page readonly | clean
4A7B000 | unknown | page read and write | clean
212F2987000 | unknown | page read and write | clean
7FF5A9B63000 | unknown image | page readonly | clean
1ADE4652000 | unknown | page read and write | clean
7FF511CA2000 | unknown image | page readonly | clean
4B3D000 | unknown | page read and write | clean
7F242000 | unknown image | page readonly | clean
7FF500E09000 | unknown image | page readonly | clean
977000 | unknown | page read and write | clean
97E000 | unknown | page read and write | clean
19A84E00000 | unknown image | page readonly | clean
1267000 | unknown image | page readonly | clean
212F20B3000 | unknown | page read and write | clean
977000 | unknown | page read and write | clean
4970000 | unknown | page read and write | clean
977000 | unknown | page read and write | clean