IOC Report
file.exe

loading gif

Files

File Path
Type
Category
Malicious
file.exe
MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
initial sample
 malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_d999f0f0b1f227484f85bc2cc26b79339739acb8_5facf7d1_e9a8f4c3-b15a-4291-b547-170ee6102fdf\Report.wer
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
 malicious
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6686.tmp.dmp
Mini DuMP crash report, 14 streams, Mon Sep 30 13:48:26 2024, 0x1205a4 type
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6994.tmp.WERInternalMetadata.xml
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER69F3.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Windows\appcompat\Programs\Amcache.hve
MS Windows registry file, NT/2000 or above
dropped

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\file.exe
"C:\Users\user\Desktop\file.exe"
 malicious
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 232

URLs

Name
IP
Malicious
http://upx.sf.net
unknown
http://www.enigmaprotector.com/
unknown

Registry

Path
Value
Malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
ProgramId
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
FileId
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
LowerCaseLongPath
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
LongPathHash
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
Name
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
OriginalFileName
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
Publisher
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
Version
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
BinFileVersion
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
BinaryType
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
ProductName
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
ProductVersion
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
LinkDate
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
BinProductVersion
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
AppxPackageFullName
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
AppxPackageRelativeId
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
Size
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
Language
 malicious
\REGISTRY\A\{08bf2fe0-dec6-d8dd-b689-caae5b0e269a}\Root\InventoryApplicationFile\file.exe|1e0d0082804ed91a
Usn
 malicious
There are 9 hidden registries, click here to show them.

Memdumps

Base Address
Regiontype
Protect
Malicious
401000
unkown
page execute and write copy
 malicious
401000
unkown
page execute and write copy
 malicious
19D000
stack
page read and write
8AE000
stack
page read and write
C2E000
stack
page read and write
9FA000
heap
page read and write
C6D000
stack
page read and write
9FE000
heap
page read and write
9D000
stack
page read and write
8D0000
heap
page read and write
41F000
unkown
page execute and write copy
860000
heap
page read and write
9DF000
stack
page read and write
400000
unkown
page readonly
400000
unkown
page readonly
780000
heap
page read and write
6D9000
unkown
page read and write
B2E000
stack
page read and write
41F000
unkown
page execute and write copy
D6E000
stack
page read and write
6D9000
unkown
page execute and write copy
9F0000
heap
page read and write
There are 12 hidden memdumps, click here to show them.