IOC Report
PO-SINCO-PDF.exe


Files

File Path
Type
Category
Malicious
PO-SINCO-PDF.exe
PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
initial sample
malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_PO-SINCO-PDF.exe_2124842be94b53df48482161971cf6d3b1c6d74_f89742f5_046ffd4c-7bee-4f4d-bb98-98cece3cb9e1\Report.wer
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
malicious
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC63D.tmp.dmp
Mini DuMP crash report, 16 streams, Mon Oct 21 11:17:07 2024, 0x1205a4 type
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC90D.tmp.WERInternalMetadata.xml
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC96C.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a4egxohx.mgi.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvixqlf4.mpp.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbs3lj2r.twe.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zi5uq1v5.0ld.ps1
ASCII text, with no line terminators
dropped
C:\Windows\appcompat\Programs\Amcache.hve
MS Windows registry file, NT/2000 or above
dropped

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\PO-SINCO-PDF.exe
"C:\Users\user\Desktop\PO-SINCO-PDF.exe"
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO-SINCO-PDF.exe" -Force
malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7460 -s 896
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

URLs

Name
IP
Malicious
http://upx.sf.net
unknown

Registry

Path
Value
Malicious
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA
malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance
Enabled
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
ProgramId
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
FileId
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
LowerCaseLongPath
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
LongPathHash
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
Name
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
OriginalFileName
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
Publisher
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
Version
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
BinFileVersion
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
BinaryType
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
ProductName
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
ProductVersion
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
LinkDate
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
BinProductVersion
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
AppxPackageFullName
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
AppxPackageRelativeId
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
Size
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
Language
\REGISTRY\A\{5e22ef72-fd0f-58a7-71b4-a2cdcb237e13}\Root\InventoryApplicationFile\po-sinco-pdf.exe|7625de9b19bf8dcb
Usn

Memdumps

Base Address
Regiontype
Protect
Malicious
3073000
trusted library allocation
page read and write
malicious
400000
remote allocation
page execute and read and write
malicious
5270000
direct allocation
page read and write
malicious
7FFB4B2C6000
trusted library allocation
page read and write
5B1D000
direct allocation
page execute and read and write
ED3000
heap
page read and write
503D000
stack
page read and write
57DF000
stack
page read and write
ED0000
heap
page read and write
7FFB4B417000
trusted library allocation
page read and write
11F5000
heap
page read and write
7FFB4B3C5000
trusted library allocation
page read and write
7FFB4B3DF000
trusted library allocation
page read and write
7FFB4B212000
trusted library allocation
page read and write
5B01000
direct allocation
page execute and read and write
1BC2B000
heap
page read and write
5318000
heap
page read and write
7FFB4B3F0000
trusted library allocation
page read and write
131B9000
trusted library allocation
page read and write
5300000
heap
page read and write
513C000
stack
page read and write
1B8E0000
trusted library section
page read and write
3336000
trusted library allocation
page read and write
11C0000
trusted library allocation
page read and write
1C1AE000
stack
page read and write
7FFB4B2C0000
trusted library allocation
page read and write
12E8C000
trusted library allocation
page read and write
1AE10000
trusted library allocation
page read and write
7FFB4B222000
trusted library allocation
page read and write
E9C000
heap
page read and write
CF1000
stack
page read and write
2E00000
trusted library allocation
page read and write
2EDF000
trusted library allocation
page read and write
5310000
heap
page read and write
5B98000
direct allocation
page execute and read and write
7FF4F97E0000
trusted library allocation
page execute and read and write
7FFB4B3CB000
trusted library allocation
page read and write
54E0000
heap
page read and write
7FFB4B330000
trusted library allocation
page execute and read and write
131E7000
trusted library allocation
page read and write
2B9E000
stack
page read and write
E45000
heap
page read and write
1B25C000
stack
page read and write
1BBDE000
stack
page read and write
E90000
heap
page read and write
7FFB4B21D000
trusted library allocation
page execute and read and write
DF0000
heap
page read and write
7FFB4B26C000
trusted library allocation
page execute and read and write
D10000
heap
page read and write
1C2AB000
stack
page read and write
1BC38000
heap
page read and write
1C0AD000
stack
page read and write
118E000
stack
page read and write
5850000
direct allocation
page execute and read and write
E96000
heap
page read and write
F50000
heap
page read and write
1BEA0000
heap
page read and write
7FFB4B3C0000
trusted library allocation
page read and write
EFA000
heap
page read and write
7FFB4B220000
trusted library allocation
page read and write
E50000
heap
page read and write
5B16000
direct allocation
page execute and read and write
EB3000
heap
page read and write
EBA000
heap
page read and write
59EE000
direct allocation
page execute and read and write
13471000
trusted library allocation
page read and write
12FE000
stack
page read and write
12DE1000
trusted library allocation
page read and write
7FFB4B2F6000
trusted library allocation
page execute and read and write
5260000
heap
page read and write
1B69D000
stack
page read and write
EAF000
heap
page read and write
5979000
direct allocation
page execute and read and write
7FFB4B400000
trusted library allocation
page execute and read and write
108E000
stack
page read and write
1BADE000
stack
page read and write
2DD0000
heap
page execute and read and write
7FFB4B2D0000
trusted library allocation
page execute and read and write
11B0000
trusted library allocation
page read and write
7FFB4B23B000
trusted library allocation
page execute and read and write
11F0000
heap
page read and write
597D000
direct allocation
page execute and read and write
7FFB4B3D0000
trusted library allocation
page read and write
5230000
heap
page read and write
7FFB4B3B0000
trusted library allocation
page read and write
7FFB4B230000
trusted library allocation
page read and write
135C6000
trusted library allocation
page read and write
7FFB4B3E0000
trusted library allocation
page read and write
12FC9000
trusted library allocation
page read and write
51EE000
stack
page read and write
7FFB4B2CC000
trusted library allocation
page execute and read and write
11C3000
trusted library allocation
page read and write
7FFB4B410000
trusted library allocation
page read and write
EFC000
heap
page read and write
1190000
trusted library allocation
page read and write
7FFB4B234000
trusted library allocation
page read and write
1BBE0000
heap
page read and write
56DF000
stack
page read and write
2C30000
heap
page read and write
F5B000
heap
page read and write
1B9D0000
heap
page execute and read and write
522E000
stack
page read and write
7FFB4B23D000
trusted library allocation
page execute and read and write
990000
unkown
page readonly
992000
unkown
page readonly
7FFB4B22D000
trusted library allocation
page execute and read and write
F03000
heap
page read and write
7FFB4B214000
trusted library allocation
page read and write
2DE1000
trusted library allocation
page read and write
2E57000
trusted library allocation
page read and write
51A0000
heap
page read and write
7FFB4B213000
trusted library allocation
page execute and read and write
7FFB4B420000
trusted library allocation
page read and write
E40000
heap
page read and write
E10000
heap
page read and write
1B8DE000
stack
page read and write
7FFB4B210000
trusted library allocation
page read and write
12DE7000
trusted library allocation
page read and write
2C48000
heap
page read and write