IOC Report
file.exe

loading gif

Files

File Path
Type
Category
Malicious
file.exe
PE32 executable (GUI) Intel 80386, for MS Windows
initial sample
 malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_83fa5e9210c6fbce43ffc96abb41376cebcb4714_ccf28a54_f0802044-7401-487d-b321-f4eccac389be\Report.wer
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
 malicious
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1643.tmp.dmp
Mini DuMP crash report, 14 streams, Fri Nov 1 07:50:58 2024, 0x1205a4 type
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1692.tmp.WERInternalMetadata.xml
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER16C2.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Windows\appcompat\Programs\Amcache.hve
MS Windows registry file, NT/2000 or above
dropped

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\file.exe
"C:\Users\user\Desktop\file.exe"
 malicious
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 232

URLs

Name
IP
Malicious
http://upx.sf.net
unknown

Registry

Path
Value
Malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
ProgramId
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
FileId
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
LowerCaseLongPath
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
LongPathHash
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
Name
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
OriginalFileName
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
Publisher
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
Version
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
BinFileVersion
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
BinaryType
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
ProductName
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
ProductVersion
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
LinkDate
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
BinProductVersion
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
AppxPackageFullName
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
AppxPackageRelativeId
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
Size
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
Language
 malicious
\REGISTRY\A\{ad225988-f5f3-a2e1-5ed2-a7e542fa84e9}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
Usn
 malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
DeviceTicket
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
DeviceId
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
ApplicationFlags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
0018000DDABBE6B3
There are 13 hidden registries, click here to show them.

Memdumps

Base Address
Regiontype
Protect
Malicious
C91000
unkown
page execute and write copy
EBC000
stack
page read and write
1220000
heap
page read and write
721000
unkown
page execute and write copy
FBD000
stack
page read and write
720000
unkown
page readonly
1380000
heap
page read and write
C91000
unkown
page execute and write copy
1270000
heap
page read and write
720000
unkown
page readonly
127E000
heap
page read and write
721000
unkown
page execute and write copy
127A000
heap
page read and write
1210000
heap
page read and write
There are 4 hidden memdumps, click here to show them.