IOC Report
unpacked (1).dll

Files

| File Path | Type | Category | Malicious |
| --- | --- | --- | --- |
| unpacked (1).dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7bde5861e98b2ac3cc37e329f3101f62f0fff922_82810a17_049ebf60\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER962D.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 16 19:02:29 2023, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER97E3.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER9852.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve.LOG1 | MS Windows registry file, NT/2000 or above | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7bde5861e98b2ac3cc37e329f3101f62f0fff922_82810a17_1492a377\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER9984.tmp.dmp | Mini DuMP crash report, 14 streams, Fri Mar 17 02:54:08 2023, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C05.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C74.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |

Processes

| Path | Cmdline | Malicious |
| --- | --- | --- |
| C:\Windows\System32\loaddll32.exe | loaddll32.exe "C:\Users\user\Desktop\unpacked (1).dll" | malicious |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1 | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\unpacked (1).dll",#1 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 636 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 644 | |

URLs

| Name | IP | Malicious |
| --- | --- | --- |
| http://upx.sf.net | unknown | |

Registry

Path, followed by the value names touched under it (no registry entry is flagged malicious):

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
  Values: AmiHivePermissionsCorrect, AmiHiveOwnerCorrect

\REGISTRY\A\{df7da023-c581-cc97-75cf-8a23aca8c356}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
  Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, Size, Language, IsPeFile, IsOsComponent

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug
  Values: ExceptionRecord

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property
  Values: 0018000BD8FEF13D

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
  Values: DeviceTicket, DeviceId, ApplicationFlags

\REGISTRY\A\{860d3b95-22c5-1cf1-5e3f-b2b7548e796f}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a
  Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, Size, Language, IsPeFile, IsOsComponent

Memdumps
