IOC Report
test2.bin


Files

File Path | Type | Category | Malicious
test2.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7bde5861e98b2ac3cc37e329f3101f62f0fff922_82810a17_10651bfd\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF153.tmp.dmp | Mini DuMP crash report, 14 streams, Thu Mar 16 19:45:30 2023, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AC.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF31A.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |
C:\Windows\appcompat\Programs\Amcache.hve.LOG1 | MS Windows registry file, NT/2000 or above | dropped |

Processes

Path | Cmdline | Malicious
C:\Windows\System32\loaddll32.exe | loaddll32.exe "C:\Users\user\Desktop\test2.dll" | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\SysWOW64\cmd.exe | cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 636 |

URLs

Name | IP | Malicious
http://upx.sf.net | unknown |

Registry

Path | Value | Malicious
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHivePermissionsCorrect |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags | AmiHiveOwnerCorrect |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProgramId |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | FileId |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LowerCaseLongPath |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LongPathHash |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Name |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Publisher |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Version |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinFileVersion |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinaryType |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProductName |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | ProductVersion |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | LinkDate |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | BinProductVersion |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Size |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | Language |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | IsPeFile |
\REGISTRY\A\{c1686e3e-13cd-bb01-bb25-883f3709b64a}\Root\InventoryApplicationFile\rundll32.exe|ab97b57a | IsOsComponent |
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug | ExceptionRecord |
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property | 0018800A9E8AF603 |
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceTicket |
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceId |
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | ApplicationFlags |
(14 further registry entries are not included in this report.)

Memdumps

Base Address | Region type | Protect | Malicious
173C3813000 | unknown | page read and write |
10004000 | unknown | page write copy |
1D1C2560000 | trusted library allocation | page read and write |
1D1C18B0000 | heap | page read and write |
1D1C19F0000 | trusted library allocation | page read and write |
173C383A000 | heap | page read and write |
10001000 | unknown | page execute read |
140000 | heap | page read and write |
173C3B02000 | heap | page read and write |
1FF000 | stack | page read and write |
9C000 | stack | page read and write |
B1B000 | heap | page read and write |
57C63F9000 | stack | page read and write |
1D1C181D000 | heap | page read and write |
173C3802000 | unknown | page read and write |
AD0000 | heap | page read and write |
57C5FCC000 | stack | page read and write |
1D1C1950000 | trusted library allocation | page read and write |
85C000 | stack | page read and write |
1D1C1A70000 | trusted library allocation | page read and write |
10006000 | unknown | page readonly |
1D1C1A00000 | heap | page readonly |
10001000 | unknown | page execute read |
173C3B00000 | heap | page read and write |
10003000 | unknown | page readonly |
173C3829000 | heap | page read and write |
5F0000 | heap | page read and write |
173C3800000 | unknown | page read and write |
30000 | heap | page read and write |
560000 | heap | page read and write |
173C3923000 | heap | page read and write |
75A000 | heap | page read and write |
173C3A13000 | heap | page read and write |
1D1C17FD000 | heap | page read and write |
1D1C17B0000 | heap | page read and write |
10008000 | unknown | page readonly |
173C3680000 | heap | page read and write |
1D1C1670000 | heap | page read and write |
A30000 | heap | page read and write |
173C3B13000 | heap | page read and write |
B10000 | heap | page read and write |
10000000 | unknown | page readonly |
1D1C18D0000 | heap | page read and write |
1D1C19B0000 | trusted library allocation | page read and write |
173C3A02000 | heap | page read and write |
173C3823000 | unknown | page read and write |
173C3900000 | trusted library allocation | page read and write |
1D1C1680000 | trusted library allocation | page read and write |
57C637D000 | stack | page read and write |
1D1C1A10000 | trusted library allocation | page read and write |
10004000 | unknown | page write copy |
57C647E000 | stack | page read and write |
173C3849000 | heap | page read and write |
57C64F9000 | stack | page read and write |
1D1C2780000 | trusted library allocation | page read and write |
173C3690000 | trusted library allocation | page read and write |
10008000 | unknown | page readonly |
1D1C1A69000 | heap | page read and write |
10003000 | unknown | page read and write |
173C3848000 | heap | page read and write |
1D1C1A60000 | heap | page read and write |
DB000 | stack | page read and write |
1D1C17FD000 | heap | page read and write |
5F6FCD000 | stack | page read and write |
1D1C1A20000 | trusted library allocation | page read and write |
173C3915000 | trusted library allocation | page read and write |
1D1C1815000 | heap | page read and write |
750000 | heap | page read and write |
5F73FE000 | stack | page read and write |
1D1C17F5000 | heap | page read and write |
1D1C17FD000 | heap | page read and write |
173C3902000 | trusted library allocation | page read and write |
1BE000 | stack | page read and write |
A90000 | heap | page read and write |
5F76F9000 | stack | page read and write |
95D000 | stack | page read and write |
1D1C1A65000 | heap | page read and write |
173C36F0000 | heap | page read and write |
10000000 | unknown | page readonly |
10006000 | unknown | page readonly |
1D1C1940000 | trusted library allocation | page read and write |
173C3810000 | unknown | page read and write |
(72 further memdump entries are not included in this report.)