IOC Report


Files

File Path | Type | Category | Malicious
SecuriteInfo.com.W32.AIDetect.malware1.23460.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_435bf9987f6a7ee95ec1aabecf98fbf5b0b7b2_82810a17_13c89011\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER55D7.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Dec 23 04:19:44 2021, 0x1205a4 type | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D4A.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6097.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | clean
C:\Windows\appcompat\Programs\Amcache.hve.LOG1 | MS Windows registry file, NT/2000 or above | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_435bf9987f6a7ee95ec1aabecf98fbf5b0b7b2_82810a17_131cfb8a\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1C9.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Dec 23 04:10:37 2021, 0x1205a4 type | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE8FD.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBBD.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Windows\System32\loaddll32.exe | loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll" | malicious
C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1 | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1 | malicious
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 684 | clean
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 672 | clean

URLs

Name | IP | Malicious
http://upx.sf.net | unknown | clean
http://www.n4pkg6fy8o.gaDVarFileInfo$ | unknown | clean

IPs

IP | Domain | Country | Malicious
185.4.135.27 | unknown | Greece | malicious
85.10.248.28 | unknown | Germany | malicious
80.211.3.13 | unknown | Italy | malicious
144.91.122.102 | unknown | Germany | malicious

Registry

Path | Value | Malicious
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHivePermissionsCorrect | clean
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHiveOwnerCorrect | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProgramId | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | FileId | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LowerCaseLongPath | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LongPathHash | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Name | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Publisher | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Version | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinFileVersion | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinaryType | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProductName | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProductVersion | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LinkDate | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinProductVersion | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Size | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Language | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | IsPeFile | clean
\REGISTRY\A\{a7afdeb8-4d36-abfc-ef25-a5756fc2d86f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | IsOsComponent | clean
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug | ExceptionRecord | clean
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceTicket | clean
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceId | clean
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | ApplicationFlags | clean
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property | 00188005FE8F2564 | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProgramId | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | FileId | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LowerCaseLongPath | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LongPathHash | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Name | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Publisher | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Version | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinFileVersion | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinaryType | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProductName | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProductVersion | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LinkDate | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinProductVersion | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Size | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Language | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | IsPeFile | clean
\REGISTRY\A\{efc38983-124d-a95f-ab63-8751671d6b56}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | IsOsComponent | clean
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property | 0018800453F4626F | clean

Memdumps

Base Address | Region type | Protect | Malicious
6F501000 | unknown image | page execute read | malicious
6F501000 | unknown image | page execute read | malicious
6F501000 | unknown image | page execute read | malicious
6F501000 | unknown image | page execute read | malicious
7FF5939D7000 | unknown image | page readonly | clean
32D7000 | unknown | page read and write | clean
32D7000 | unknown | page read and write | clean
32DE000 | unknown | page read and write | clean
2AF0000 | unknown image | page readonly | clean
32DE000 | unknown | page read and write | clean
32DE000 | unknown | page read and write | clean
32DE000 | unknown | page read and write | clean
283F000 | stack | page read and write | clean
7FF54D8C5000 | unknown image | page readonly | clean
51B1000 | unknown | page read and write | clean
32D7000 | unknown | page read and write | clean
7FF5673A1000 | unknown image | page readonly | clean
C867AFF000 | stack | page read and write | clean
32DE000 | unknown | page read and write | clean
2271CD47000 | unknown | page read and write | clean