IOC Report
Loader.exe


Files

File Path | Type | Category | Malicious
Loader.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Loader.exe_8dcc4324461f59bfdcb2c175c98292557e5e67_a9d5a74d_8a0312fc-c1bb-4b1c-9b0d-eb9f858d665e\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious
C:\ProgramData\Microsoft\Windows\WER\Temp\WER30B8.tmp.dmp | Mini DuMP crash report, 15 streams, Sun Jan 26 14:50:31 2025, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER34EF.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER351F.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |

Note: the sample is a 32-bit .NET assembly. Every "dropped" file in this table is written by Windows, not by the sample: Report.wer, WER*.tmp.dmp and the two WER*.xml files are produced by WerFault.exe when Loader.exe crashed (see Processes), and Amcache.hve is the application-compatibility inventory hive that records the executable having run. They are execution artifacts worth collecting for forensics (the minidump captures the faulting process's state and, depending on the dump type, part of its memory), but they are not payloads; do not use their paths as detection indicators, since the WER file names are regenerated on every crash.

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\Loader.exe | "C:\Users\user\Desktop\Loader.exe" | malicious
C:\Users\user\Desktop\Loader.exe | "C:\Users\user\Desktop\Loader.exe" | malicious
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 7468 -s 800 |

Note: the two identical Loader.exe rows are two separate process records with the same image and command line (the report does not show PIDs), i.e. two instances of the sample ran, not a duplicated line. WerFault.exe is the Windows Error Reporting fault handler: "-p 7468" is the PID of the faulting process, and the SysWOW64 copy is used because that process is 32-bit.

URLs

Name | IP | Malicious
https://guardeduppe.com/api | 188.114.96.3 | malicious
https://guardeduppe.com/pi | unknown |
http://upx.sf.net | unknown |
https://guardeduppe.com/ | unknown |
https://guardeduppe.com:443/apis92o4p.default-release/key4.dbPK | unknown |
https://guardeduppe.com:443/api | unknown |
https://parentingadvice.click:443/api | unknown |
https://guardeduppe.com/apiF | unknown |

Note: several of these strings are carved from process memory, where the URL is immediately followed by unrelated bytes: "/pi" and "/apiF" are a truncated and an over-run copy of "/api", and "/apis92o4p.default-release/key4.dbPK" is "/api" run into a Firefox profile path ("<id>.default-release/key4.db" is the NSS key database inside a profile) and the "PK" ZIP file signature. The stable indicators are the hosts guardeduppe.com and parentingadvice.click and the path /api over HTTPS; do not use the raw strings as exact-match IOCs. http://upx.sf.net is the packer home page embedded in every UPX-packed binary and is not specific to this sample.

Domains

Name | IP | Malicious
guardeduppe.com | 188.114.96.3 | malicious
parentingadvice.click | unknown |

IPs

IP | Domain | Country | Malicious
188.114.96.3 | guardeduppe.com | European Union | malicious

Note: 188.114.96.3 belongs to Cloudflare (AS13335), so it is a reverse-proxy front shared with unrelated sites rather than the operator's own server; block and hunt on the domain names, and treat the IP as low-confidence.
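The eight raw URL strings above collapse to two hosts once the carving junk and the benign UPX string are removed. The following is an added example (my code, not part of the sandbox report) that does that normalisation with urllib and then matches proxy, DNS and TLS log lines against the resulting host and IP indicators. The log lines are constructed for the demonstration, and the matching rules (subdomain match, host:port fields, key=value fields) are this example's assumptions, not the sandbox's logic.

```python
"""Normalise the network indicators from the Loader.exe report and match
them against log lines. Added example; the indicators are the report's,
the log lines and matching rules are constructed for this demonstration."""
import re
from urllib.parse import urlsplit

# Raw URL strings exactly as the report lists them (carved from memory).
RAW_URLS = [
    "https://guardeduppe.com/api",
    "https://guardeduppe.com/pi",
    "http://upx.sf.net",
    "https://guardeduppe.com/",
    "https://guardeduppe.com:443/apis92o4p.default-release/key4.dbPK",
    "https://guardeduppe.com:443/api",
    "https://parentingadvice.click:443/api",
    "https://guardeduppe.com/apiF",
]

# Hosts that show up in memory strings for reasons unrelated to the sample:
# every UPX-packed binary carries the packer's home page URL.
BENIGN_HOSTS = {"upx.sf.net"}

REPORT_IPS = {"188.114.96.3"}

_HOST_PORT = re.compile(r"^([a-z0-9.-]+):\d{1,5}$")


def canonical_host(raw_url):
    """Lower-cased hostname of a carved URL, or None if it is a known benign
    string. urlsplit drops the path (where the carving junk lives) and the
    explicit ':443', so the :443 and non-:443 forms collapse to one host."""
    host = (urlsplit(raw_url.strip()).hostname or "").lower().rstrip(".")
    if not host or host in BENIGN_HOSTS:
        return None
    return host


def indicator_hosts(raw_urls=RAW_URLS):
    return {h for h in (canonical_host(u) for u in raw_urls) if h}


def _field_host(field):
    """Extract a host candidate from one whitespace-separated log field:
    handles 'key=value', full URLs and 'host:port'."""
    f = field.strip(",;\"'()[]<>").lower()
    if "=" in f and "://" not in f.split("=", 1)[0]:
        f = f.split("=", 1)[1]
    if "://" in f:
        return (urlsplit(f).hostname or "").rstrip(".")
    m = _HOST_PORT.match(f)
    return (m.group(1) if m else f).rstrip(".")


def match_log_line(line, hosts, ips):
    """Return the sorted indicators a log line hits. A host matches on
    equality or as a parent domain of the field's host."""
    hits = set()
    for field in line.split():
        h = _field_host(field)
        if not h:
            continue
        if h in ips:
            hits.add(h)
        for ioc in hosts:
            if h == ioc or h.endswith("." + ioc):
                hits.add(ioc)
    return sorted(hits)


def scan(lines, hosts=None, ips=REPORT_IPS):
    hosts = indicator_hosts() if hosts is None else hosts
    return [(line, match_log_line(line, hosts, ips)) for line in lines]


# Constructed log lines (proxy, DNS, TLS, HTTP); not taken from the report.
SAMPLE_LOGS = [
    "2025-01-26T14:49:58Z proxy CONNECT guardeduppe.com:443 client=10.0.0.12",
    "2025-01-26T14:50:01Z dns query=parentingadvice.click type=A rcode=NOERROR",
    "2025-01-26T14:50:02Z tls sni=guardeduppe.com dst=188.114.96.3:443",
    "2025-01-26T14:50:05Z http GET http://upx.sf.net/ status=404",
    "2025-01-26T14:50:07Z http GET https://www.example.com/api status=200",
]

if __name__ == "__main__":
    print("indicator hosts:", sorted(indicator_hosts()))
    for line, hits in scan(SAMPLE_LOGS):
        print("HIT " if hits else "    ", hits, line)
```

Only the first three constructed lines match; the UPX line is ignored because the host is excluded before matching, not after, so it never appears in the indicator set that gets shipped to a blocklist.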

Registry

Path: \REGISTRY\A\{a942115e-2c1f-d5b9-7460-c451a14f2b76}\Root\InventoryApplicationFile\loader.exe|60fb736a8c936ec5
Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, Usn

Path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Values: ClockTimeSeconds, TickCount

11 further registry entries are omitted from this excerpt. None of the listed entries is flagged malicious.

Note: \REGISTRY\A\{GUID} is an application hive, here Amcache.hve (listed under Files) loaded by the compatibility inventory. The InventoryApplicationFile\loader.exe|60fb736a8c936ec5 key records that Loader.exe was executed, with its path, size, link date and FileId (the file's SHA-1, prefixed with 0000); collect it from an affected host as execution evidence. The IdentityCRL\ClockData values are written by the Microsoft account runtime and are routine noise, not specific to the sample.

Memdumps

Base Address | Region type | Protect | Malicious
E22000 | unknown | page readonly | malicious
61E1000 | trusted library allocation | page read and write | malicious
1185000 | heap | page read and write |
11BD000 | heap | page read and write |
38A0000 | trusted library allocation | page readonly |
1896000 | trusted library allocation | page read and write |
1310000 | trusted library allocation | page read and write |
1246000 | heap | page read and write |
3AC7000 | trusted library allocation | page read and write |
15A0000 | trusted library allocation | page execute and read and write |
34DE000 | stack | page read and write |
3AB5000 | trusted library allocation | page read and write |
1487000 | trusted library allocation | page execute and read and write |
1490000 | heap | page read and write |
31F4000 | trusted library allocation | page read and write |
10FB000 | stack | page read and write |
314F000 | stack | page read and write |
1477000 | trusted library allocation | page read and write |
11C3000 | heap | page read and write |
3A4A000 | trusted library allocation | page read and write |
15B0000 | heap | page execute and read and write |
4249000 | trusted library allocation | page read and write |
1150000 | heap | page read and write |
325D000 | stack | page read and write |
E38000 | unknown | page readonly |
533D000 | stack | page read and write |
1348000 | heap | page read and write |
335C000 | stack | page read and write |
132E000 | heap | page read and write |
38FE000 | stack | page read and write |
318E000 | stack | page read and write |
2ED0000 | heap | page read and write |
3204000 | trusted library allocation | page read and write |
3216000 | trusted library allocation | page read and write |
3230000 | heap | page read and write |
123F000 | heap | page read and write |
F90000 | heap | page read and write |
3890000 | heap | page read and write |
3225000 | trusted library allocation | page read and write |
1100000 | heap | page read and write |
12F8000 | stack | page read and write |
388E000 | stack | page read and write |
3241000 | trusted library allocation | page read and write |
1328000 | heap | page read and write |
18A0000 | heap | page read and write |
170E000 | stack | page read and write |
1870000 | trusted library allocation | page read and write |
363E000 | stack | page read and write |
1570000 | trusted library allocation | page read and write |
148A000 | trusted library allocation | page execute and read and write |
4241000 | trusted library allocation | page read and write |
E34000 | unknown | page readonly |
1320000 | heap | page read and write |
F1C000 | stack | page read and write |
11E7000 | heap | page read and write |
15FE000 | stack | page read and write |
458000 | remote allocation | page execute and read and write |
F80000 | heap | page read and write |
1600000 | heap | page read and write |
3A6F000 | trusted library allocation | page read and write |
3C36000 | trusted library allocation | page read and write |
35DF000 | stack | page read and write |
123C000 | heap | page read and write |
1495000 | heap | page read and write |
FDE000 | stack | page read and write |
11C6000 | heap | page read and write |
3A33000 | trusted library allocation | page read and write |
57F0000 | heap | page execute and read and write |
349F000 | stack | page read and write |
1198000 | heap | page read and write |
3246000 | trusted library allocation | page read and write |
39FF000 | stack | page read and write |
2D9D000 | stack | page read and write |
3A8F000 | trusted library allocation | page read and write |
13A8000 | heap | page read and write |
1190000 | heap | page read and write |
11F8000 | heap | page read and write |
3E7E000 | stack | page read and write |
339E000 | stack | page read and write |
3A40000 | trusted library allocation | page read and write |
1850000 | heap | page read and write |
157B000 | trusted library allocation | page execute and read and write |
1203000 | heap | page read and write |
2D40000 | heap | page read and write |
38A2000 | trusted library allocation | page readonly |
3ABC000 | trusted library allocation | page read and write |
1366000 | heap | page read and write |
378D000 | stack | page read and write |
1257000 | heap | page read and write |
1460000 | trusted library allocation | page read and write |
3B30000 | heap | page read and write |
134D000 | heap | page read and write |
38A1000 | trusted library allocation | page execute read |
D9B000 | stack | page read and write |
1474000 | trusted library allocation | page read and write |
3AD1000 | trusted library allocation | page read and write |
1480000 | trusted library allocation | page read and write |
1271000 | heap | page read and write |
1464000 | trusted library allocation | page read and write |
400000 | remote allocation | page execute and read and write |
3A30000 | trusted library allocation | page read and write |
1369000 | heap | page read and write |
5680000 | trusted library allocation | page read and write |
E20000 | unknown | page readonly |
1180000 | heap | page read and write |
5813000 | trusted library allocation | page read and write |
3A37000 | trusted library allocation | page read and write |
11EF000 | heap | page read and write |
11AC000 | heap | page read and write |
1577000 | trusted library allocation | page execute and read and write |
1890000 | trusted library allocation | page read and write |
1470000 | trusted library allocation | page read and write |
11DF000 | heap | page read and write |
2E9E000 | stack | page read and write |
3245000 | trusted library allocation | page execute and read and write |
1463000 | trusted library allocation | page execute and read and write |
1590000 | trusted library allocation | page read and write |
180E000 | stack | page read and write |
3D7C000 | stack | page read and write |
578E000 | stack | page read and write |
184E000 | stack | page read and write |
3219000 | trusted library allocation | page read and write |
1356000 | heap | page read and write |
126E000 | heap | page read and write |
373F000 | stack | page read and write |
1363000 | heap | page read and write |
145E000 | stack | page read and write

117 further memory regions are omitted from this excerpt.

Note: because Loader.exe is a .NET assembly, "page execute and read and write" on heap and "trusted library allocation" regions is expected: the JIT emits native code into writable memory, so RWX on its own is a weak signal in this process. The two "remote allocation" regions at 400000 and 458000 are different in kind: they were committed into the process by another process, carry execute and write rights, and 400000 is the default image base of a 32-bit executable. Together with the second Loader.exe instance under Processes, this is consistent with a parent writing a payload into a child at its image base (process hollowing). The two regions the sandbox flags as malicious, E22000 and 61E1000, are the ones to pull and analyse first.
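Reading a table this long by eye misses the two remote allocations among a hundred benign heap and JIT regions. The following added example (my code, not the sandbox's logic) parses the report's flattened region rows and scores each region, treating memory committed from another process as the strong signal and RWX in a managed process as expected JIT noise. The severity rules, the .NET exception and the choice of sample rows are this example's assumptions; the rows themselves are copied from the table above, in the report's own flattened form.

```python
"""Triage a sandbox memory-region table for injection indicators.
Added example; the rows below are copied from the Loader.exe report,
the scoring rules are this example's own assumptions."""
import re

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}
_HEX_BASE = re.compile(r"^[0-9A-Fa-f]{4,16}$")
DEFAULT_IMAGE_BASE_32 = 0x400000  # default ImageBase of a 32-bit PE

# Selected rows from the report, in its flattened base/type/protect form.
SAMPLE_ROWS = """\
E22000
unkown
page readonly
malicious
400000
remote allocation
page execute and read and write
458000
remote allocation
page execute and read and write
15B0000
heap
page execute and read and write
1487000
trusted library allocation
page execute and read and write
38A1000
trusted library allocation
page execute read
1185000
heap
page read and write
"""


def parse_regions(text):
    """Group the flattened lines into region dicts. A hex line starts a new
    region once the previous one has its protection; a 'malicious' line is
    the sandbox's own verdict. The report's 'unkown' typo is normalised."""
    regions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None or (cur["protect"] is not None and _HEX_BASE.match(line)):
            cur = {"base": int(line, 16), "type": None, "protect": None,
                   "sandbox_malicious": False}
            regions.append(cur)
        elif cur["type"] is None:
            cur["type"] = "unknown" if line.lower() == "unkown" else line.lower()
        elif cur["protect"] is None:
            cur["protect"] = line.lower()
        elif line.lower() == "malicious":
            cur["sandbox_malicious"] = True
        else:
            raise ValueError("unexpected line in region table: %r" % line)
    return regions


def classify(region, dotnet_process=True):
    """Attach a severity and the reasons for it to one region."""
    executable = "execute" in region["protect"]
    writable = "write" in region["protect"]
    remote = region["type"] == "remote allocation"
    reasons = []
    if remote and executable:
        severity = "high"
        reasons.append("executable memory committed into this process by another process")
    elif remote:
        severity = "medium"
        reasons.append("memory committed into this process by another process")
    elif executable and writable and dotnet_process:
        severity = "low"
        reasons.append("RWX region; expected from the JIT in a managed process")
    elif executable and writable:
        severity = "medium"
        reasons.append("RWX region in a native process")
    elif executable:
        severity = "low"
        reasons.append("executable region outside a mapped image")
    else:
        severity = "info"
    if region["base"] == DEFAULT_IMAGE_BASE_32:
        reasons.append("sits at the default 32-bit image base (hollowing candidate)")
    if region["sandbox_malicious"]:
        reasons.append("flagged malicious by the sandbox")
        if severity == "info":
            severity = "low"
    return dict(region, severity=severity, reasons=reasons)


def triage(text, dotnet_process=True):
    """Parse and classify every region, highest severity first."""
    scored = [classify(r, dotnet_process) for r in parse_regions(text)]
    return sorted(scored, key=lambda r: (SEVERITY_RANK[r["severity"]], r["base"]))


if __name__ == "__main__":
    for r in triage(SAMPLE_ROWS):
        print("%-6s %08X %-27s %-32s %s" % (r["severity"], r["base"], r["type"],
                                           r["protect"], "; ".join(r["reasons"])))
```

Run with dotnet_process=False the same RWX heap rows come out as "medium", which is the point of the flag: the file type in the Files table decides how much weight RWX deserves, while the two remote allocations stay "high" either way.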