IOC Report
CustomPayload.exe


Files

CustomPayload.exe
  Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
  Category: initial sample

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CustomPayload.ex_5035bc726e39bdc2f26a93f32e1c85a4add9d2_22e67bdd_eabe1e55-6226-428b-b477-e1d723350c71\Report.wer
  Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
  Category: dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAEE5.tmp.dmp
  Type: Mini DuMP crash report, 16 streams, Tue Sep 10 13:37:39 2024, 0x1205a4 type
  Category: dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB09C.tmp.WERInternalMetadata.xml
  Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
  Category: dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0CB.tmp.xml
  Type: XML 1.0 document, ASCII text, with CRLF line terminators
  Category: dropped

C:\Windows\appcompat\Programs\Amcache.hve
  Type: MS Windows registry file, NT/2000 or above
  Category: dropped

\Device\ConDrv
  Type: ASCII text, with CRLF, LF line terminators
  Category: dropped

Processes

C:\Users\user\Desktop\CustomPayload.exe
  Cmdline: "C:\Users\user\Desktop\CustomPayload.exe"

C:\Windows\System32\conhost.exe
  Cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WerFault.exe
  Cmdline: C:\Windows\system32\WerFault.exe -u -p 3796 -s 856

URLs

http://upx.sf.net
  IP: unknown

Registry

\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
  Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, Usn

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
  Values: DeviceTicket, DeviceId, ApplicationFlags

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
  Values: 0018000DDABBE6B3

Memdumps
