Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
CustomPayload.exe
|
PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
|
initial sample
|
||
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CustomPayload.ex_5035bc726e39bdc2f26a93f32e1c85a4add9d2_22e67bdd_eabe1e55-6226-428b-b477-e1d723350c71\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAEE5.tmp.dmp
|
Mini DuMP crash report, 16 streams, Tue Sep 10 13:37:39 2024, 0x1205a4 type
|
dropped
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB09C.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0CB.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
||
\Device\ConDrv
|
ASCII text, with CRLF, LF line terminators
|
dropped
|
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
C:\Users\user\Desktop\CustomPayload.exe
|
"C:\Users\user\Desktop\CustomPayload.exe"
|
||
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 3796 -s 856
|
URLs
Name
|
IP
|
Malicious
|
|
---|---|---|---|
http://upx.sf.net
|
unknown
|
Registry
Path
|
Value
|
Malicious
|
|
---|---|---|---|
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
ProgramId
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
FileId
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
LowerCaseLongPath
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
LongPathHash
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
Name
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
OriginalFileName
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
Publisher
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
Version
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
BinFileVersion
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
BinaryType
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
ProductName
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
ProductVersion
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
LinkDate
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
BinProductVersion
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
AppxPackageFullName
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
AppxPackageRelativeId
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
Size
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
Language
|
||
\REGISTRY\A\{500d31a8-cb3b-65c2-2aa5-0dac286bdd7f}\Root\InventoryApplicationFile\custompayload.ex|5d8de544a688b1c
|
Usn
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceTicket
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceId
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
ApplicationFlags
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
|
0018000DDABBE6B3
|
There are 13 hidden registries, click here to show them.
Memdumps
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
---|---|---|---|---|
7FFD34660000
|
trusted library allocation
|
page execute and read and write
|
||
17DB968B000
|
heap
|
page read and write
|
||
17DB9695000
|
heap
|
page read and write
|
||
7FFD34543000
|
trusted library allocation
|
page execute and read and write
|
||
7FFD3454D000
|
trusted library allocation
|
page execute and read and write
|
||
17DCB337000
|
trusted library allocation
|
page read and write
|
||
17DB9640000
|
heap
|
page read and write
|
||
7FFD345F0000
|
trusted library allocation
|
page read and write
|
||
17DB9683000
|
heap
|
page read and write
|
||
17DB971A000
|
heap
|
page read and write
|
||
17DB9580000
|
unkown
|
page readonly
|
||
17DB96A0000
|
heap
|
page read and write
|
||
17DBB331000
|
trusted library allocation
|
page read and write
|
||
7FFD34544000
|
trusted library allocation
|
page read and write
|
||
25A9FFE000
|
stack
|
page read and write
|
||
17DD3CD0000
|
heap
|
page execute and read and write
|
||
25AA2FE000
|
stack
|
page read and write
|
||
17DB9666000
|
heap
|
page read and write
|
||
25AA1FD000
|
stack
|
page read and write
|
||
17DB9693000
|
heap
|
page read and write
|
||
7FFD3459C000
|
trusted library allocation
|
page execute and read and write
|
||
25A9EFF000
|
stack
|
page read and write
|
||
17DB96D3000
|
heap
|
page read and write
|
||
25A9CEF000
|
stack
|
page read and write
|
||
17DBB320000
|
heap
|
page read and write
|
||
17DB9610000
|
heap
|
page read and write
|
||
17DCB331000
|
trusted library allocation
|
page read and write
|
||
25AA0FF000
|
stack
|
page read and write
|
||
17DB9920000
|
heap
|
page execute and read and write
|
||
17DB96CC000
|
heap
|
page read and write
|
||
17DB9600000
|
heap
|
page read and write
|
||
17DB966C000
|
heap
|
page read and write
|
||
17DB9580000
|
unkown
|
page readonly
|
||
17DB9660000
|
heap
|
page read and write
|
||
17DB96A2000
|
heap
|
page read and write
|
||
7FFD34600000
|
trusted library allocation
|
page execute and read and write
|
||
25A9DFF000
|
stack
|
page read and write
|
||
17DB9645000
|
heap
|
page read and write
|
||
7FFD34626000
|
trusted library allocation
|
page execute and read and write
|
||
17DB98A0000
|
trusted library allocation
|
page read and write
|
||
17DB968D000
|
heap
|
page read and write
|
||
7FFD34557000
|
trusted library allocation
|
page read and write
|
||
17DB9880000
|
trusted library allocation
|
page read and write
|
||
17DB98B0000
|
trusted library allocation
|
page read and write
|
||
7FFD34542000
|
trusted library allocation
|
page read and write
|
||
7FFD34552000
|
trusted library allocation
|
page read and write
|
||
17DB99F0000
|
heap
|
page read and write
|
||
25AA4FE000
|
stack
|
page read and write
|
||
7FF4C9080000
|
trusted library allocation
|
page execute and read and write
|
||
17DB9582000
|
unkown
|
page readonly
|
||
17DB98B3000
|
trusted library allocation
|
page read and write
|
||
17DB9850000
|
heap
|
page read and write
|
||
17DB99F5000
|
heap
|
page read and write
|
||
17DCB333000
|
trusted library allocation
|
page read and write
|
||
25AA3FE000
|
stack
|
page read and write
|
||
17DB9729000
|
heap
|
page read and write
|
||
17DB9830000
|
heap
|
page read and write
|
||
7FFD345FC000
|
trusted library allocation
|
page execute and read and write
|
There are 48 hidden memdumps, click here to show them.