Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
OCVOXxB3d1.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_76b43c6d9c1a2a81832137409fd652e3d2404ae8_7cac0383_17015320\Report.wer
|
Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bc4dba44e5104f2aa4617139c4a8f4569b60d283_82810a17_16914f67\Report.wer
|
Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bc4dba44e5104f2aa4617139c4a8f4569b60d283_82810a17_16bd4e9c\Report.wer
|
Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F2B.tmp.dmp
|
Mini DuMP crash report, 14 streams, Wed Aug 31 21:47:16 2022, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F3A.tmp.dmp
|
Mini DuMP crash report, 14 streams, Wed Aug 31 21:47:16 2022, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4507.tmp.dmp
|
Mini DuMP crash report, 15 streams, Wed Aug 31 21:47:17 2022, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4575.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4640.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER473B.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4806.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER495D.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B81.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
There are 3 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\loaddll32.exe
|
loaddll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll"
|
|
|
|
C:\Windows\SysWOW64\rundll32.exe
|
rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0
|
|
|
|
C:\Windows\SysWOW64\rundll32.exe
|
rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
|
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 648
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 580
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://gandcrab2pie73et.onion/cb44cde56c4e43dc
|
unknown
|
|
|
|
http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf
|
unknown
|
||
|
https://www.torproject.org/
|
unknown
|
||
|
https://psi-im.org/download/
|
unknown
|
||
|
http://sj.ms/register.php
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
|
AmiHivePermissionsCorrect
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
|
AmiHiveOwnerCorrect
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug
|
ExceptionRecord
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
ProgramId
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
FileId
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
LongPathHash
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
Name
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
Publisher
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
Version
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
BinFileVersion
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
BinaryType
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
ProductName
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
ProductVersion
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
LinkDate
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
BinProductVersion
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
Size
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
Language
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
IsPeFile
|
||
|
\REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
|
IsOsComponent
|
There are 10 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
707B3000
|
unkown
|
page write copy
|
|
|
|
707B3000
|
unkown
|
page write copy
|
|
|
|
707AB000
|
unkown
|
page readonly
|
|
|
|
707AB000
|
unkown
|
page readonly
|
|
|
|
146B000
|
heap
|
page read and write
|
|
|
|
707B3000
|
unkown
|
page write copy
|
|
|
|
707AB000
|
unkown
|
page readonly
|
|
|
|
707B3000
|
unkown
|
page write copy
|
|
|
|
707B3000
|
unkown
|
page write copy
|
|
|
|
3590000
|
heap
|
page read and write
|
|
|
|
3590000
|
heap
|
page read and write
|
|
|
|
707AB000
|
unkown
|
page readonly
|
|
|
|
3590000
|
heap
|
page read and write
|
|
|
|
146B000
|
heap
|
page read and write
|
|
|
|
707AB000
|
unkown
|
page readonly
|
|
|
|
707B3000
|
unkown
|
page write copy
|
|
|
|
707AB000
|
unkown
|
page readonly
|
|
|
|
146B000
|
heap
|
page read and write
|
|
|
|
35B7000
|
heap
|
page read and write
|
||
|
29E4FD7C000
|
heap
|
page read and write
|
||
|
284DA570000
|
heap
|
page read and write
|
||
|
29E4F24A000
|
heap
|
page read and write
|
||
|
6790000
|
trusted library allocation
|
page read and write
|
||
|
1EA48120000
|
heap
|
page read and write
|
||
|
D81817E000
|
stack
|
page read and write
|
||
|
AF7431E000
|
stack
|
page read and write
|
||
|
29E4F249000
|
heap
|
page read and write
|
||
|
1EE15402000
|
heap
|
page read and write
|
||
|
169E000
|
stack
|
page read and write
|
||
|
2E2A5C3C000
|
heap
|
page read and write
|
||
|
29E4FD7C000
|
heap
|
page read and write
|
||
|
31BE000
|
stack
|
page read and write
|
||
|
707B5000
|
unkown
|
page readonly
|
||
|
29E4FDF9000
|
heap
|
page read and write
|
||
|
AC4BFEE000
|
stack
|
page read and write
|
||
|
35B2000
|
heap
|
page read and write
|
||
|
1EE14FE0000
|
heap
|
page read and write
|
||
|
29E4F24D000
|
heap
|
page read and write
|
||
|
31FF000
|
stack
|
page read and write
|
||
|
29E4FD7F000
|
heap
|
page read and write
|
||
|
24F15967000
|
heap
|
page read and write
|
||
|
1EE15500000
|
heap
|
page read and write
|
||
|
29E4F24B000
|
heap
|
page read and write
|
||
|
29E4F302000
|
heap
|
page read and write
|
||
|
3580000
|
remote allocation
|
page read and write
|
||
|
24F15BA0000
|
heap
|
page read and write
|