IOC Report
Sage.Eb.UniSign.Windows.exe


Files

File Path | Type | Category | Malicious
Sage.Eb.UniSign.Windows.exe | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Sage.Eb.UniSign._a8dc996360e27a186e21d34387658fe9deb15b6e_1b1e0b3a_84ca524c-8023-4351-a0a9-eb435429f075\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C54.tmp.dmp | Mini DuMP crash report, 15 streams, Thu Nov 21 09:46:23 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D30.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D5F.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |
\Device\ConDrv | ASCII text, with CRLF, LF line terminators | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exe | "C:\Users\user\Desktop\Sage.Eb.UniSign.Windows.exe" |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 872 |

URLs

Name | IP | Malicious
http://upx.sf.net | unknown |
http://www.symauth.com/cps0( | unknown |
http://www.symauth.com/rpa00 | unknown |

Registry

Path | Value | Malicious
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | ProgramId |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | FileId |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | LowerCaseLongPath |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | LongPathHash |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | Name |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | OriginalFileName |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | Publisher |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | Version |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | BinFileVersion |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | BinaryType |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | ProductName |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | ProductVersion |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | LinkDate |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | BinProductVersion |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | AppxPackageFullName |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | AppxPackageRelativeId |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | Size |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | Language |
\REGISTRY\A\{95965c70-69bb-ade5-9d53-6f45166baa13}\Root\InventoryApplicationFile\sage.eb.unisign.|c7b514432f89a118 | Usn |
9 additional registry entries are not shown in this view.

Memdumps

Base Address | Region type | Protect | Malicious
167E000 | stack | page read and write |
1680000 | trusted library allocation | page read and write |
5C6E000 | stack | page read and write |
334E000 | stack | page read and write |
16C6000 | heap | page read and write |
14CE000 | stack | page read and write |
158E000 | stack | page read and write |
1600000 | trusted library allocation | page read and write |
1500000 | heap | page read and write |
1690000 | heap | page read and write |
43A1000 | trusted library allocation | page read and write |
1630000 | heap | page execute and read and write |
1AAF000 | stack | page read and write |
15C4000 | trusted library allocation | page read and write |
15E0000 | trusted library allocation | page read and write |
338D000 | stack | page read and write |
5D6E000 | stack | page read and write |
15B4000 | trusted library allocation | page read and write |
15E7000 | trusted library allocation | page execute and read and write |
13A0000 | heap | page read and write |
170F000 | heap | page read and write |
F72000 | unknown | page readonly |
15A0000 | heap | page read and write |
553D000 | stack | page read and write |
169E000 | heap | page read and write |
154E000 | stack | page read and write |
F9E000 | unknown | page readonly |
15EB000 | trusted library allocation | page execute and read and write |
5B60000 | heap | page execute and read and write |
5AEE000 | stack | page read and write |
3390000 | heap | page read and write |
123C000 | stack | page read and write |
1610000 | trusted library allocation | page execute and read and write |
15C2000 | trusted library allocation | page read and write |
198E000 | stack | page read and write |
1590000 | trusted library allocation | page read and write |
1620000 | trusted library allocation | page read and write |
5A6E000 | stack | page read and write |
5E6F000 | stack | page read and write |
1711000 | heap | page read and write |
33A1000 | trusted library allocation | page read and write |
F70000 | unknown | page readonly |
1480000 | heap | page read and write |
15BD000 | trusted library allocation | page execute and read and write |
16D5000 | heap | page read and write |
16BA000 | heap | page read and write |
16BF000 | heap | page read and write |
5AAE000 | stack | page read and write |
19A0000 | heap | page read and write |
1684000 | trusted library allocation | page read and write |
15B3000 | trusted library allocation | page execute and read and write |
188E000 | stack | page read and write |
1338000 | stack | page read and write |
1698000 | heap | page read and write |
44 additional memdump regions are not shown in this view.