Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
PO454355 Pdf.exe
|
PE32+ executable (GUI) x86-64, for MS Windows
|
initial sample
|
||
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_dcd3242e9fa4189184df4216daa4e4c7cdf1959_85207d7d_ce89fc30-2665-47d9-b3d6-2c5173e453ca\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WER258B.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2618.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\WER15BB.tmp.WERDataCollectionStatus.txt
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
C:\Users\user\Desktop\PO454355 Pdf.exe
|
"C:\Users\user\Desktop\PO454355 Pdf.exe"
|
||
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
|
||
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 20
|
URLs
Name
|
IP
|
Malicious
|
|
---|---|---|---|
http://upx.sf.net
|
unknown
|
||
https://aka.ms/GlobalizationInvariantMode
|
unknown
|
||
https://aka.ms/nativeaot-c
|
unknown
|
||
https://aka.ms/nativeaot-compatibility
|
unknown
|
||
https://aka.ms/nativeaot-compatibilityY
|
unknown
|
||
https://aka.ms/nativeaot-compatibilityy
|
unknown
|
Domains
Name
|
IP
|
Malicious
|
|
---|---|---|---|
15.164.165.52.in-addr.arpa
|
unknown
|
Registry
Path
|
Value
|
Malicious
|
|
---|---|---|---|
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
ProgramId
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
FileId
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
LowerCaseLongPath
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
LongPathHash
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
Name
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
OriginalFileName
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
Publisher
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
Version
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
BinFileVersion
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
BinaryType
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
ProductName
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
ProductVersion
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
LinkDate
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
BinProductVersion
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
AppxPackageFullName
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
AppxPackageRelativeId
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
Size
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
Language
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
IsOsComponent
|
||
\REGISTRY\A\{4f84ccc1-697a-ba4c-ffc9-172e7e0a99df}\Root\InventoryApplicationFile\csc.exe|151e2b3228d75f8e
|
Usn
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceTicket
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
DeviceId
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
|
ApplicationFlags
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
|
0018000DDABBE6B3
|
There are 14 hidden registries, click here to show them.
Memdumps
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
---|---|---|---|---|
88C1AFF000
|
stack
|
page read and write
|
||
22E92000000
|
direct allocation
|
page read and write
|
||
7FF6E8F70000
|
unkown
|
page readonly
|
||
7FF6E8D21000
|
unkown
|
page execute read
|
||
26F21EC0000
|
heap
|
page read and write
|
||
400000
|
remote allocation
|
page execute and read and write
|
||
22E8B920000
|
heap
|
page read and write
|
||
22E8F400000
|
direct allocation
|
page read and write
|
||
7FF6E8E6B000
|
unkown
|
page read and write
|
||
7FF6E8D20000
|
unkown
|
page readonly
|
||
22E8F403000
|
direct allocation
|
page read and write
|
||
22E8B910000
|
heap
|
page read and write
|
||
22E8B9F0000
|
heap
|
page read and write
|
||
7FF6E8F61000
|
unkown
|
page write copy
|
||
22E8B980000
|
direct allocation
|
page read and write
|
||
7FF6E8EB8000
|
unkown
|
page readonly
|
||
22E8B990000
|
heap
|
page read and write
|
||
7FF6E8F68000
|
unkown
|
page read and write
|
||
22E8B970000
|
direct allocation
|
page read and write
|
||
22E8BBE0000
|
heap
|
page read and write
|
||
7FF6E8F6D000
|
unkown
|
page read and write
|
||
26F21F89000
|
heap
|
page read and write
|
||
7FF6E8D20000
|
unkown
|
page readonly
|
||
22E92A00000
|
direct allocation
|
page read and write
|
||
22E8D400000
|
direct allocation
|
page read and write
|
||
22E8B99C000
|
heap
|
page read and write
|
||
88C1C7F000
|
stack
|
page read and write
|
||
26F21FAF000
|
heap
|
page read and write
|
||
22E8B996000
|
heap
|
page read and write
|
||
22E93400000
|
direct allocation
|
page read and write
|
||
26EA13BF000
|
direct allocation
|
page read and write
|
||
7FF6E8F70000
|
unkown
|
page readonly
|
||
88C197F000
|
stack
|
page read and write
|
||
7FF6E8EB8000
|
unkown
|
page readonly
|
||
22E8F803000
|
direct allocation
|
page read and write
|
||
22E90084000
|
direct allocation
|
page read and write
|
||
22E8F800000
|
direct allocation
|
page read and write
|
||
22E8FC00000
|
direct allocation
|
page read and write
|
||
88C15C9000
|
stack
|
page read and write
|
||
503C000
|
stack
|
page read and write
|
||
7FF6E8F61000
|
unkown
|
page read and write
|
||
22E8B940000
|
heap
|
page read and write
|
||
22E90104000
|
direct allocation
|
page read and write
|
||
7FF6E8D21000
|
unkown
|
page execute read
|
There are 34 hidden memdumps, click here to show them.