IOC Report
file.exe

loading gif

Files

File Path
Type
Category
Malicious
file.exe
MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
initial sample
 malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_d999f0f0b1f227484f85bc2cc26b79339739acb8_5facf7d1_60cb4309-e0aa-4c88-8316-5fec0f26cdfa\Report.wer
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
 malicious
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB310.tmp.dmp
Mini DuMP crash report, 14 streams, Mon Sep 30 14:21:51 2024, 0x1205a4 type
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3BD.tmp.WERInternalMetadata.xml
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3ED.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Windows\appcompat\Programs\Amcache.hve
MS Windows registry file, NT/2000 or above
dropped

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\file.exe
"C:\Users\user\Desktop\file.exe"
 malicious
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 244

URLs

Name
IP
Malicious
http://upx.sf.net
unknown
http://www.enigmaprotector.com/
unknown

Registry

Path
Value
Malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
ProgramId
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
FileId
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
LowerCaseLongPath
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
LongPathHash
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
Name
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
OriginalFileName
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
Publisher
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
Version
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
BinFileVersion
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
BinaryType
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
ProductName
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
ProductVersion
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
LinkDate
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
BinProductVersion
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
AppxPackageFullName
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
AppxPackageRelativeId
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
Size
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
Language
 malicious
\REGISTRY\A\{6093c0da-f5ef-955a-88b7-1954e55bb915}\Root\InventoryApplicationFile\file.exe|5c6ea74fda3dfec0
Usn
 malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
DeviceTicket
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
DeviceId
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
ApplicationFlags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
0018000DDABBE6B3
There are 13 hidden registries, click here to show them.

Memdumps

Base Address
Regiontype
Protect
Malicious
401000
unkown
page execute and write copy
 malicious
401000
unkown
page execute and write copy
 malicious
890000
heap
page read and write
91D000
stack
page read and write
95E000
stack
page read and write
9AE000
heap
page read and write
8DE000
stack
page read and write
9A0000
heap
page read and write
C9E000
stack
page read and write
400000
unkown
page readonly
9D000
stack
page read and write
6D9000
unkown
page read and write
B9F000
stack
page read and write
41F000
unkown
page execute and write copy
D9F000
stack
page read and write
19D000
stack
page read and write
780000
heap
page read and write
41F000
unkown
page execute and write copy
860000
heap
page read and write
400000
unkown
page readonly
9AA000
heap
page read and write
6D9000
unkown
page execute and write copy
There are 12 hidden memdumps, click here to show them.