IOC Report
file.exe

loading gif

Files

File Path
Type
Category
Malicious
file.exe
MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
initial sample
 malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_d999f0f0b1f227484f85bc2cc26b79339739acb8_5facf7d1_dea071a4-dea4-4c3a-a892-62da3058aa0e\Report.wer
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
 malicious
C:\ProgramData\Microsoft\Windows\WER\Temp\WER963F.tmp.dmp
Mini DuMP crash report, 14 streams, Mon Sep 30 13:50:49 2024, 0x1205a4 type
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER96FB.tmp.WERInternalMetadata.xml
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER972B.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Windows\appcompat\Programs\Amcache.hve
MS Windows registry file, NT/2000 or above
dropped

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\file.exe
"C:\Users\user\Desktop\file.exe"
 malicious
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7272 -s 252

URLs

Name
IP
Malicious
http://upx.sf.net
unknown
http://www.enigmaprotector.com/
unknown

Domains

Name
IP
Malicious
206.23.85.13.in-addr.arpa
unknown

Registry

Path
Value
Malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
ProgramId
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
FileId
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
LowerCaseLongPath
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
LongPathHash
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
Name
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
OriginalFileName
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
Publisher
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
Version
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
BinFileVersion
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
BinaryType
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
ProductName
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
ProductVersion
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
LinkDate
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
BinProductVersion
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
AppxPackageFullName
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
AppxPackageRelativeId
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
Size
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
Language
 malicious
\REGISTRY\A\{482d96fb-70d3-690a-42b8-23ba4717e0bd}\Root\InventoryApplicationFile\file.exe|ff8e65d6b06db8e5
Usn
 malicious
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
ClockTimeSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
TickCount
There are 11 hidden registries, click here to show them.

Memdumps

Base Address
Regiontype
Protect
Malicious
401000
unkown
page execute and write copy
 malicious
401000
unkown
page execute and write copy
 malicious
6D9000
unkown
page execute and write copy
7B0000
heap
page read and write
400000
unkown
page readonly
C4E000
stack
page read and write
41F000
unkown
page execute and write copy
890000
heap
page read and write
400000
unkown
page readonly
D4F000
stack
page read and write
ACF000
stack
page read and write
6D9000
unkown
page read and write
B0D000
stack
page read and write
C0E000
stack
page read and write
9D000
stack
page read and write
898000
heap
page read and write
790000
heap
page read and write
89E000
heap
page read and write
41F000
unkown
page execute and write copy
19D000
stack
page read and write
9CE000
stack
page read and write
780000
heap
page read and write
There are 12 hidden memdumps, click here to show them.