IOC Report
OCVOXxB3d1.dll

Files

| File Path | Type | Category | Malicious |
| OCVOXxB3d1.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_76b43c6d9c1a2a81832137409fd652e3d2404ae8_7cac0383_17015320\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bc4dba44e5104f2aa4617139c4a8f4569b60d283_82810a17_16914f67\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bc4dba44e5104f2aa4617139c4a8f4569b60d283_82810a17_16bd4e9c\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F2B.tmp.dmp | Mini DuMP crash report, 14 streams, Wed Aug 31 21:47:16 2022, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F3A.tmp.dmp | Mini DuMP crash report, 14 streams, Wed Aug 31 21:47:16 2022, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER4507.tmp.dmp | Mini DuMP crash report, 15 streams, Wed Aug 31 21:47:17 2022, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER4575.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER4640.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER473B.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER4806.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER495D.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B81.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |

Processes

| Path | Cmdline | Malicious |
| C:\Windows\System32\loaddll32.exe | loaddll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll" | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0 | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1 | malicious |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 648 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 580 | |

URLs

| Name | IP | Malicious |
| http://gandcrab2pie73et.onion/cb44cde56c4e43dc | unknown | malicious |
| http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf | unknown | |
| https://www.torproject.org/ | unknown | |
| https://psi-im.org/download/ | unknown | |
| http://sj.ms/register.php | unknown | |

Registry

| Path | Value | Malicious |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHivePermissionsCorrect | |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHiveOwnerCorrect | |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug | ExceptionRecord | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProgramId | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | FileId | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LowerCaseLongPath | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LongPathHash | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Name | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Publisher | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Version | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinFileVersion | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinaryType | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProductName | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProductVersion | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LinkDate | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinProductVersion | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Size | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Language | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | IsPeFile | |
| \REGISTRY\A\{1a1e7d09-340c-2d0e-c48a-917c89d42600}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | IsOsComponent | |

Memdumps

| Base Address | Region type | Protect | Malicious |
| 707B3000 | unknown | page write copy | malicious |
| 707B3000 | unknown | page write copy | malicious |
| 707AB000 | unknown | page readonly | malicious |
| 707AB000 | unknown | page readonly | malicious |
| 146B000 | heap | page read and write | malicious |
| 707B3000 | unknown | page write copy | malicious |
| 707AB000 | unknown | page readonly | malicious |
| 707B3000 | unknown | page write copy | malicious |
| 707B3000 | unknown | page write copy | malicious |
| 3590000 | heap | page read and write | malicious |
| 3590000 | heap | page read and write | malicious |
| 707AB000 | unknown | page readonly | malicious |
| 3590000 | heap | page read and write | malicious |
| 146B000 | heap | page read and write | malicious |
| 707AB000 | unknown | page readonly | malicious |
| 707B3000 | unknown | page write copy | malicious |
| 707AB000 | unknown | page readonly | malicious |
| 146B000 | heap | page read and write | malicious |
| 35B7000 | heap | page read and write | |
| 29E4FD7C000 | heap | page read and write | |
| 284DA570000 | heap | page read and write | |
| 29E4F24A000 | heap | page read and write | |
| 6790000 | trusted library allocation | page read and write | |
| 1EA48120000 | heap | page read and write | |
| D81817E000 | stack | page read and write | |
| AF7431E000 | stack | page read and write | |
| 29E4F249000 | heap | page read and write | |
| 1EE15402000 | heap | page read and write | |
| 169E000 | stack | page read and write | |
| 2E2A5C3C000 | heap | page read and write | |
| 29E4FD7C000 | heap | page read and write | |
| 31BE000 | stack | page read and write | |
| 707B5000 | unknown | page readonly | |
| 29E4FDF9000 | heap | page read and write | |
| AC4BFEE000 | stack | page read and write | |
| 35B2000 | heap | page read and write | |
| 1EE14FE0000 | heap | page read and write | |
| 29E4F24D000 | heap | page read and write | |
| 31FF000 | stack | page read and write | |
| 29E4FD7F000 | heap | page read and write | |
| 24F15967000 | heap | page read and write | |
| 1EE15500000 | heap | page read and write | |
| 29E4F24B000 | heap | page read and write | |
| 29E4F302000 | heap | page read and write | |
| 3580000 | remote allocation | page read and write | |
| 24F15BA0000 | heap | page read and write | |