IOC Report
file.exe


Files

File Path | Type | Category | Malicious
file.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_2f6dbba0-17a5-4a1a-8cb9-77733719e7ba\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_40863313-8c37-4cc6-94d9-423ab9d146ca\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_787f3a4b-fbba-4f88-bfc1-e8c5ed65ad86\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_7d989db4-cfd3-48a7-9c97-e7906e6376f5\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_f0f65fa3-ef24-4b74-abe3-6938cc277839\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_78c55c679f8506e83b264a0515cdac9a43dd6c2_17595469_f685cb8d-656a-4568-bf4b-035c02b730f9\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_b74f308923c8e8441a81d87f1d6d177acdd8a4_85207d7d_3f7ce61f-b630-4548-969c-0704773cacc8\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8932.tmp.dmp | Mini DuMP crash report, 15 streams, Mon Sep 30 12:02:06 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER89C0.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A2E.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C6E.tmp.dmp | Mini DuMP crash report, 15 streams, Mon Sep 30 12:02:07 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CCD.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D0D.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EDF.tmp.dmp | Mini DuMP crash report, 15 streams, Mon Sep 30 12:02:08 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F4E.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F6E.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9373.tmp.dmp | Mini DuMP crash report, 15 streams, Mon Sep 30 12:02:09 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9401.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9421.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9855.tmp.dmp | Mini DuMP crash report, 15 streams, Mon Sep 30 12:02:10 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9912.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9942.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DD4.tmp.dmp | Mini DuMP crash report, 15 streams, Mon Sep 30 12:02:12 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E52.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E91.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3CF.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3FE.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Temp\WERA40E.tmp.WERDataCollectionStatus.txt | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |

20 additional files are not listed in this report.

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\file.exe | "C:\Users\user\Desktop\file.exe" | malicious
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 564 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 628 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 636 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 664 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1088 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 884 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 1668 |

URLs

Name | IP | Malicious
possiwreeste.site | | malicious
commandejorsk.site | | malicious
https://steamcommunity.com/profiles/76561199724331900i | unknown | malicious
famikyjdiag.site | | malicious
https://steamcommunity.com/profiles/76561199724331900 | unknown | malicious
writekdmsnu.site | | malicious
agentyanlark.site | | malicious
diskegraciw.onli | | malicious
https://diskegraciw.online/api | 188.114.96.3 | malicious
delaylacedmn.site | | malicious
https://underlinemdsj.site/api | 172.67.129.166 | malicious
underlinemdsj.site | | malicious
bellykmrebk.site | | malicious
https://delaylacedmn.site/apiu49 | unknown |
https://bellykmrebk.site/api | unknown |
https://delaylacedmn.site/api | unknown |
https://writekdmsnu.site/api | unknown |
https://delaylacedmn.site/apiH4j | unknown |
http://upx.sf.net | unknown |
https://delaylacedmn.site/api_; | unknown |
https://steamcommunity.com/# | unknown |
https://steamcommunity.com/ | unknown |
https://famikyjdiag.site/api | unknown |
https://agentyanlark.site/api | unknown |

14 additional URLs are not listed in this report.

Domains

Name | IP | Malicious
diskegraciw.online | 188.114.96.3 | malicious
underlinemdsj.site | 172.67.129.166 | malicious
possiwreeste.site | unknown | malicious
commandejorsk.site | unknown | malicious
famikyjdiag.site | unknown | malicious
writekdmsnu.site | unknown | malicious
agentyanlark.site | unknown | malicious
delaylacedmn.site | unknown | malicious
bellykmrebk.site | unknown | malicious
steamcommunity.com | 104.102.49.254 |

IPs

IP | Domain | Country | Malicious
188.114.96.3 | diskegraciw.online | European Union | malicious
172.67.129.166 | underlinemdsj.site | United States | malicious
104.102.49.254 | steamcommunity.com | United States |

Registry

Path | Value | Malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | ProgramId | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | FileId | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | LowerCaseLongPath | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | LongPathHash | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | Name | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | OriginalFileName | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | Publisher | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | Version | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | BinFileVersion | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | BinaryType | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | ProductName | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | ProductVersion | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | LinkDate | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | BinProductVersion | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | AppxPackageFullName | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | AppxPackageRelativeId | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | Size | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | Language | malicious
\REGISTRY\A\{86ab6002-2110-be0c-bea1-704fec4b93e8}\Root\InventoryApplicationFile\file.exe|7bc5a156b3ccd649 | Usn | malicious

9 additional registry entries are not listed in this report.

Memdumps

Base Address | Region Type | Protect | Malicious
400000 | unknown | page execute and read and write | malicious
560000 | heap | page read and write |
5FE000 | stack | page read and write |
538000 | unknown | page readonly |
610000 | heap | page read and write |
691000 | heap | page read and write |
21E0000 | direct allocation | page read and write |
19D000 | stack | page read and write |
5BE000 | stack | page read and write |
21E0000 | heap | page read and write |
61E000 | heap | page read and write |
6ED000 | heap | page read and write |
2D4E000 | stack | page read and write |
1F0000 | heap | page read and write |
6E4000 | heap | page read and write |
43A000 | unknown | page readonly |
26BD000 | stack | page read and write |
66E000 | heap | page read and write |
2BFE000 | stack | page read and write |
43D000 | unknown | page write copy |
25BE000 | stack | page read and write |
538000 | unknown | page readonly |
2180000 | direct allocation | page execute and read and write |
27BE000 | stack | page read and write |
668000 | heap | page read and write |
2310000 | remote allocation | page read and write |
570000 | heap | page read and write |
223D000 | stack | page read and write |
40D000 | unknown | page execute read |
61B000 | heap | page read and write |
6ED000 | heap | page read and write |
68D000 | heap | page read and write |
9DF000 | stack | page read and write |
2340000 | heap | page read and write |
65B000 | heap | page read and write |
400000 | unknown | page readonly |
8DF000 | stack | page read and write |
24AD000 | stack | page read and write |
6E4000 | heap | page read and write |
6E8000 | heap | page read and write |
24B0000 | heap | page read and write |
244D000 | stack | page read and write |
668000 | heap | page read and write |
2C4D000 | stack | page read and write |
22CD000 | stack | page read and write |
6E7000 | heap | page read and write |
691000 | heap | page read and write |
6ED000 | heap | page read and write |
6E4000 | heap | page read and write |
9C000 | stack | page read and write |
228D000 | stack | page read and write |
68F000 | heap | page read and write |
6ED000 | heap | page read and write |
2240000 | heap | page read and write |
2310000 | remote allocation | page read and write |
401000 | unknown | page execute read |
1F5000 | heap | page read and write |
230D000 | stack | page read and write |
45E000 | unknown | page execute and read and write |
68D000 | heap | page read and write |
2310000 | remote allocation | page read and write |
663000 | heap | page read and write |
691000 | heap | page read and write |
66E000 | heap | page read and write |
62E000 | heap | page execute and read and write |

55 additional memdumps are not listed in this report.