Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_4141afb346d51f202ef326a3bf650244e2e58b2_75709460_597e72f2-2d68-41ea-b9f9-1d952267e7f1\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_4141afb346d51f202ef326a3bf650244e2e58b2_75709460_597e72f2-2d68-41ea-b9f9-1d952267e7f1\Report.wer
Category:	dropped
Dump:	Report.wer.5.dr
ID:	dr_3
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.8000953689524233
Encrypted:	false
Ssdeep:	384:qmybPKuJxMPcjt/iCbJJ0zuiF3Y4lO8p:qXPKuJqUjyzuiF3Y4lO8
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C35.tmp.dmp

Mini DuMP crash report, 16 streams, Mon Sep 30 05:16:41 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C35.tmp.dmp
Category:	dropped
Dump:	WER8C35.tmp.dmp.5.dr
ID:	dr_0
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	Mini DuMP crash report, 16 streams, Mon Sep 30 05:16:41 2024, 0x1205a4 type
Entropy:	1.7943184839011186
Encrypted:	false
Ssdeep:	384:9AXfARIN0wy7U7m8Cmd1VdZXRmjCmIBau8ui:9AX4RIN0w5/CmbUz+cui
Size:	74926
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CD2.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CD2.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER8CD2.tmp.WERInternalMetadata.xml.5.dr
ID:	dr_1
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.692652307858403
Encrypted:	false
Ssdeep:	192:R6l7wVeJVsUA6YI26dgmf8mZG0qgCprq89bzfC+fZgxm:R6lXJVPA6Yx6dgmf8mZG0qTzfjfZb
Size:	8764
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D02.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D02.tmp.xml
Category:	dropped
Dump:	WER8D02.tmp.xml.5.dr
ID:	dr_2
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.451423312460963
Encrypted:	false
Ssdeep:	48:cvIwWl8zsZJg771I9O/LWpW8VYaYm8M4Jp1jSPFO1PyAcWE85MfXRsXlxBLzAd:uIjfrI7D67VKJpx31PGDf+VxBLzAd
Size:	4865
Whitelisted:	false
Reputation:	low

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.5.dr
ID:	dr_4
Target ID:	5
Process:	C:\Windows\System32\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.4629519501953006
Encrypted:	false
Ssdeep:	6144:dIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABlKuN2dwBCswSbn:OXD94+WlLZMM6YFtg+n
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\cmd.exe

cmd /C ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=yes --field-trial-handle=2420,i,11779009155098719741,8172115586603878713,262144 --variations-seed-version --mojo-platform-channel-handle=2428 /prefetch:3"

Details

Is windows:	true
Is dropped:	false
PID:	7268
Target ID:	0
Parent PID:	1816
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd /C ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=yes --field-trial-handle=2420,i,11779009155098719741,8172115586603878713,262144 --variations-seed-version --mojo-platform-channel-handle=2428 /prefetch:3"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	01:16:40
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7276
Target ID:	1
Parent PID:	7268
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	01:16:40
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=yes --field-trial-handle=2420,i,11779009155098719741,8172115586603878713,262144 --variations-seed-version --mojo-platform-channel-handle=2428 /prefetch:3

Details

Is windows:	true
Is dropped:	false
PID:	7324
Target ID:	2
Parent PID:	7268
Name:	msedge.exe
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=yes --field-trial-handle=2420,i,11779009155098719741,8172115586603878713,262144 --variations-seed-version --mojo-platform-channel-handle=2428 /prefetch:3
Size:	4210216
MD5:	69222B8101B0601CC6663F8381E7E00F
Time:	01:16:41
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff67dcd0000
Modulesize:	4308992
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 7324 -s 428

Details

Is windows:	true
Is dropped:	false
PID:	7400
Target ID:	5
Parent PID:	7324
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7324 -s 428
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	01:16:41
Date:	30/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6315d0000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://upx.sf.net

unknown

Memdumps

Base Address

Regiontype

Protect

Malicious

4E4C0025C000

unkown

page read and write

F5493FE000

unkown

page readonly

1384002FC000

unkown

page read and write

4AF4002B0000

unkown

page read and write

4E4C0029C000

unkown

page read and write

4AF400270000

unkown

page read and write

1384002BC000

unkown

page read and write

13840020C000

unkown

page read and write

F5473FE000

unkown

page readonly

4E4C0028C000

unkown

page read and write

4E4C00248000

unkown

page read and write

256F5300000

unkown

page readonly

25682D61000

unkown

page readonly

1384002D8000

unkown

page read and write

256F5310000

heap

page read and write

4E4C00210000

unkown

page read and write

4E4C002B8000

unkown

page read and write

4AF400248000

unkown

page read and write

4E4C00280000

unkown

page read and write

4AF400258000

unkown

page read and write

256F52F0000

heap

page read and write

13840026C000

unkown

page read and write

4E4C0026C000

unkown

page read and write

1384002CC000

unkown

page read and write

256F5400000

unkown

page read and write

4AF400268000

unkown

page read and write

F546BFE000

unkown

page read and write

256F5411000

unkown

page read and write

F545BFC000

stack

page read and write

1384002AC000

unkown

page read and write

4AF4002A4000

unkown

page read and write

F547BFE000

unkown

page read and write

1384002EC000

unkown

page read and write

138400230000

unkown

page read and write

138400258000

unkown

page read and write

4E4C00234000

unkown

page read and write

256F542B000

unkown

page read and write

4E4C00258000

unkown

page read and write

138400220000

unkown

page read and write

138400404000

unkown

page read and write

13840025C000

unkown

page read and write

4AF40025C000

unkown

page read and write

138400280000

unkown

page read and write

256F5402000

unkown

page read and write

4E4C0027C000

unkown

page read and write

256F5970000

unkown

page read and write

4AF400220000

unkown

page read and write

4E4C00220000

unkown

page read and write

4E4C00201000

unkown

page read and write

256F53F0000

unkown

page readonly

256F5600000

unkown

page readonly

256F5502000

unkown

page read and write

F548BFE000

unkown

page read and write

138400290000

unkown

page read and write

138400318000

unkown

page read and write

138400248000

unkown

page read and write

4AF4002B8000

unkown

page read and write

4E4C00290000

unkown

page read and write

4AF400201000

unkown

page read and write

4E4C002E0000

unkown

page read and write

4E4C00230000

unkown

page read and write

256F5610000

heap

page read and write

4E4C002D8000

unkown

page read and write

1384002E4000

unkown

page read and write

4AF400290000

unkown

page read and write

4AF400230000

unkown

page read and write

138400270000

unkown

page read and write

138400268000

unkown

page read and write

13840032C000

unkown

page read and write

4E4C002B4000

unkown

page read and write

138400201000

unkown

page read and write

1384002B0000

unkown

page read and write

256F5413000

unkown

page read and write

F5483FE000

unkown

page readonly

4AF400210000

unkown

page read and write

4AF400238000

unkown

page read and write

4AF40026C000

unkown

page read and write

1384002A4000

unkown

page read and write

4E4C002A0000

unkown

page read and write

25680000000

unkown

page readonly

138400210000

unkown

page read and write

138400238000

unkown

page read and write

4AF400280000

unkown

page read and write

4AF4002D0000

unkown

page read and write

138400408000

unkown

page read and write

There are 75 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

Memdumps