Files
| File Path | Type | Category | Malicious |
|---|---|---|---|
| `Sage.Eb.UniSign.Windows.exe` | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | |
| `C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Sage.Eb.UniSign._a8dc996360e27a186e21d34387658fe9deb15b6e_1b1e0b3a_84ca524c-8023-4351-a0a9-eb435429f075\Report.wer` | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C54.tmp.dmp` | Mini DuMP crash report, 15 streams, Thu Nov 21 09:46:23 2024, 0x1205a4 type | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D30.tmp.WERInternalMetadata.xml` | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D5F.tmp.xml` | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| `C:\Windows\appcompat\Programs\Amcache.hve` | MS Windows registry file, NT/2000 or above | dropped | |
| `\Device\ConDrv` | ASCII text, with CRLF, LF line terminators | dropped | |

The WER report, minidump and metadata files and Amcache.hve are written by Windows itself (Error Reporting reacting to the crash, and the application-compatibility inventory reacting to the launch); the sandbox lists them as "dropped" because they appeared during the run, not because the sample wrote them.
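The Report.wer entry above is the text record Windows Error Reporting writes when a process crashes (WerFault.exe appears in the process list for this run). It is a UTF-16 LE key=value file whose `Sig[n].Name` / `Sig[n].Value` pairs carry the crash signature (faulting module, exception code, offset) and whose `LoadedModule[n]` lines list the modules present at the time of the fault. The parser below is an added example, not part of the sandbox report or of the analysed software; the embedded report is a constructed placeholder with invented values (`sample.exe`, `KERNELBASE.dll`, a made-up build number), not the real file from this run. The one non-invented detail is the exception code 0xE0434352, which is what Windows records for an unhandled .NET (CLR) exception.

```python
"""Parse a Windows Error Reporting Report.wer file (UTF-16 LE, key=value lines)."""
import re
from typing import Any, Dict, Optional, Tuple

# Constructed sample report. Values are placeholders and do NOT come from the
# sandbox run above. Real files are UTF-16 LE with a BOM and CRLF terminators,
# which is what the .encode("utf-16") below reproduces.
SAMPLE_WER_TEXT = (
    "Version=1\r\n"
    "EventType=APPCRASH\r\n"
    "EventTime=133762000000000000\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "NsAppName=sample.exe\r\n"
    "Sig[0].Name=Application Name\r\n"
    "Sig[0].Value=sample.exe\r\n"
    "Sig[1].Name=Application Version\r\n"
    "Sig[1].Value=1.0.0.0\r\n"
    "Sig[3].Name=Fault Module Name\r\n"
    "Sig[3].Value=KERNELBASE.dll\r\n"
    "Sig[6].Name=Exception Code\r\n"
    "Sig[6].Value=e0434352\r\n"
    "Sig[7].Name=Exception Offset\r\n"
    "Sig[7].Value=0012a2b2\r\n"
    "DynamicSig[1].Name=OS Version\r\n"
    "DynamicSig[1].Value=10.0.19045.2.0.0.256.48\r\n"
    "LoadedModule[0]=C:\\Users\\user\\Desktop\\sample.exe\r\n"
    "LoadedModule[1]=C:\\Windows\\SYSTEM32\\ntdll.dll\r\n"
    "LoadedModule[2]=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll\r\n"
    "AppPath=C:\\Users\\user\\Desktop\\sample.exe\r\n"
)
SAMPLE_WER_BYTES = SAMPLE_WER_TEXT.encode("utf-16")  # BOM + UTF-16, like Windows writes it

SIG_RE = re.compile(r"^(Dynamic)?Sig\[(\d+)\]\.(Name|Value)$")
MODULE_RE = re.compile(r"^LoadedModule\[(\d+)\]$")
# SEH exception code the CLR raises for an unhandled managed exception ("CCR" in ASCII).
CLR_EXCEPTION_CODE = 0xE0434352


def parse_wer(data: bytes) -> Dict[str, Any]:
    """Decode a Report.wer blob and return flat keys, paired signature fields and modules."""
    text = data.decode("utf-16")  # BOM-aware; raises UnicodeDecodeError on non-UTF-16 input
    flat: Dict[str, str] = {}
    sig_parts: Dict[Tuple[str, int], Dict[str, str]] = {}
    modules: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values may themselves contain '='
        key = key.strip()
        m = SIG_RE.match(key)
        if m:
            group = "dynamic" if m.group(1) else "static"
            sig_parts.setdefault((group, int(m.group(2))), {})[m.group(3)] = value
            continue
        m = MODULE_RE.match(key)
        if m:
            modules[int(m.group(1))] = value
            continue
        flat[key] = value
    # Join Sig[n].Name / Sig[n].Value into one readable mapping, in index order.
    signature: Dict[str, str] = {}
    for _, parts in sorted(sig_parts.items()):
        if "Name" in parts and "Value" in parts:
            signature[parts["Name"]] = parts["Value"]
    return {
        "event_type": flat.get("EventType"),
        "app": flat.get("NsAppName") or flat.get("AppPath"),
        "signature": signature,
        "modules": [modules[i] for i in sorted(modules)],
        "raw": flat,
    }


def exception_code(report: Dict[str, Any]) -> Optional[int]:
    """'Exception Code' is stored as bare hex text (e.g. 'e0434352'); return it as an int."""
    code = report["signature"].get("Exception Code")
    if code is None:
        return None
    try:
        return int(code, 16)
    except ValueError:
        return None


def is_managed_exception(report: Dict[str, Any]) -> bool:
    """True when the crash was an unhandled .NET exception rather than a native fault."""
    return exception_code(report) == CLR_EXCEPTION_CODE


if __name__ == "__main__":
    rep = parse_wer(SAMPLE_WER_BYTES)
    print(rep["event_type"], rep["app"], rep["signature"], is_managed_exception(rep))
```

Reading the dropped Report.wer this way answers the first triage question for a crashed .NET sample such as this one: an exception code of 0xE0434352 means the runtime threw an unhandled managed exception (for example a missing dependency or a failed check), whereas a native access violation (0xC0000005) in a loaded module points elsewhere. Either way, a crash this early means the dynamic behaviour recorded in the rest of the report is probably incomplete.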
Processes
| Path | Cmdline | Malicious |
|---|---|---|
| `C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exe` | `"C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exe"` | |
| `C:\Windows\System32\conhost.exe` | `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` | |
| `C:\Windows\SysWOW64\WerFault.exe` | `C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 872` | |

conhost.exe is the console host Windows starts for any console-subsystem executable. WerFault.exe is Windows Error Reporting handling a crash in the process with id 2004 (`-u` user-mode report, `-p` faulting process id, `-s` event handle), so the sample terminated abnormally during the run and the behaviour recorded in this report is likely incomplete.
URLs
| Name | IP | Malicious |
|---|---|---|
| http://upx.sf.net | unknown | |
| http://www.symauth.com/cps0( | unknown | |
| http://www.symauth.com/rpa00 | unknown | |

None of these resolved to an IP during the run; they are strings carried in the binary rather than observed network contacts. `upx.sf.net` is the marker string the UPX packer leaves in files it packs, and the two `symauth.com` entries are certificate-policy (CPS/RPA) URLs from a Symantec code-signing certificate, with trailing ASN.1 bytes picked up by the string extractor.
Registry
All entries are values under a single key: `\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118`. The `\REGISTRY\A\{GUID}` prefix is where Windows mounts an application hive, here `C:\Windows\appcompat\Programs\Amcache.hve` from the file list above; these are the operating system's own application-inventory records about the executed sample, not keys created by the sample.

| Value | Malicious |
|---|---|
| ProgramId | |
| FileId | |
| LowerCaseLongPath | |
| LongPathHash | |
| Name | |
| OriginalFileName | |
| Publisher | |
| Version | |
| BinFileVersion | |
| BinaryType | |
| ProductName | |
| ProductVersion | |
| LinkDate | |
| BinProductVersion | |
| AppxPackageFullName | |
| AppxPackageRelativeId | |
| Size | |
| Language | |
| Usn | |

9 further registry entries are not shown in this listing.
Memdumps
| Base Address (hex) | Region type | Protect | Malicious |
|---|---|---|---|
| 167E000 | stack | page read and write | |
| 1680000 | trusted library allocation | page read and write | |
| 5C6E000 | stack | page read and write | |
| 334E000 | stack | page read and write | |
| 16C6000 | heap | page read and write | |
| 14CE000 | stack | page read and write | |
| 158E000 | stack | page read and write | |
| 1600000 | trusted library allocation | page read and write | |
| 1500000 | heap | page read and write | |
| 1690000 | heap | page read and write | |
| 43A1000 | trusted library allocation | page read and write | |
| 1630000 | heap | page execute and read and write | |
| 1AAF000 | stack | page read and write | |
| 15C4000 | trusted library allocation | page read and write | |
| 15E0000 | trusted library allocation | page read and write | |
| 338D000 | stack | page read and write | |
| 5D6E000 | stack | page read and write | |
| 15B4000 | trusted library allocation | page read and write | |
| 15E7000 | trusted library allocation | page execute and read and write | |
| 13A0000 | heap | page read and write | |
| 170F000 | heap | page read and write | |
| F72000 | unknown | page readonly | |
| 15A0000 | heap | page read and write | |
| 553D000 | stack | page read and write | |
| 169E000 | heap | page read and write | |
| 154E000 | stack | page read and write | |
| F9E000 | unknown | page readonly | |
| 15EB000 | trusted library allocation | page execute and read and write | |
| 5B60000 | heap | page execute and read and write | |
| 5AEE000 | stack | page read and write | |
| 3390000 | heap | page read and write | |
| 123C000 | stack | page read and write | |
| 1610000 | trusted library allocation | page execute and read and write | |
| 15C2000 | trusted library allocation | page read and write | |
| 198E000 | stack | page read and write | |
| 1590000 | trusted library allocation | page read and write | |
| 1620000 | trusted library allocation | page read and write | |
| 5A6E000 | stack | page read and write | |
| 5E6F000 | stack | page read and write | |
| 1711000 | heap | page read and write | |
| 33A1000 | trusted library allocation | page read and write | |
| F70000 | unknown | page readonly | |
| 1480000 | heap | page read and write | |
| 15BD000 | trusted library allocation | page execute and read and write | |
| 16D5000 | heap | page read and write | |
| 16BA000 | heap | page read and write | |
| 16BF000 | heap | page read and write | |
| 5AAE000 | stack | page read and write | |
| 19A0000 | heap | page read and write | |
| 1684000 | trusted library allocation | page read and write | |
| 15B3000 | trusted library allocation | page execute and read and write | |
| 188E000 | stack | page read and write | |
| 1338000 | stack | page read and write | |
| 1698000 | heap | page read and write | |

The execute+read+write regions here are all heap or "trusted library allocation" regions. For a Mono/.NET assembly such pages are where the runtime's JIT emits code, so they are expected and are not by themselves evidence of unpacking or code injection; a dump of those regions would show JIT-compiled methods rather than a hidden payload unless other indicators say otherwise.

44 further memory regions are not shown in this listing.