Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
7950COPY.exe
|
PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7950COPY.exe_e07bac6fc75f0dd754c80383f3a605ac56aa5_579a01df_e20d6790-64c5-4ba2-a7a8-e1f22217ea1c\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER40CA.tmp.dmp
|
Mini DuMP crash report, 16 streams, Sat Oct 26 18:11:33 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER44E2.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4531.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mwi2efp.lkh.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mr4flysb.5fq.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ocm30u3u.1vl.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w2lohtxg.gea.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\7950COPY.exe
|
"C:\Users\user\Desktop\7950COPY.exe"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe"
-Force
|
|
|
|
C:\Windows\regedit.exe
|
"C:\Windows\regedit.exe"
|
|
|
|
C:\Windows\System32\cmd.exe
|
"C:\Windows\System32\cmd.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
|
|
|
|
C:\Windows\SysWOW64\fltMC.exe
|
"C:\Windows\SysWOW64\fltMC.exe"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 6908 -s 1532
|
||
|
C:\Windows\System32\wbem\WmiPrvSE.exe
|
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
|
||
|
C:\Windows\SysWOW64\psr.exe
|
"C:\Windows\SysWOW64\psr.exe"
|
There are 1 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://upx.sf.net
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
|
EnableLUA
|
|
|
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance
|
Enabled
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
ProgramId
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
FileId
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
LongPathHash
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
Name
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
OriginalFileName
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
Publisher
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
Version
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
BinFileVersion
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
BinaryType
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
ProductName
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
ProductVersion
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
LinkDate
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
BinProductVersion
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
Size
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
Language
|
||
|
\REGISTRY\A\{c2722128-8f37-bcba-95bd-580fd3f1a9bd}\Root\InventoryApplicationFile\7950copy.exe|ecd39fcff9d767d6
|
Usn
|
There are 11 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
C50000
|
system
|
page execute and read and write
|
|
|
|
400000
|
remote allocation
|
page execute and read and write
|
|
|
|
3110000
|
trusted library allocation
|
page read and write
|
|
|
|
3160000
|
trusted library allocation
|
page read and write
|
|
|
|
5DB0000
|
system
|
page execute and read and write
|
|
|
|
17097B34000
|
trusted library allocation
|
page read and write
|
|
|
|
17095CCF000
|
heap
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
2E93000
|
heap
|
page read and write
|
||
|
2E8A000
|
heap
|
page read and write
|
||
|
3106000
|
heap
|
page read and write
|
||
|
17095C66000
|
heap
|
page read and write
|
||
|
170A851F000
|
trusted library allocation
|
page read and write
|
||
|
17095EC0000
|
heap
|
page read and write
|
||
|
170977F0000
|
heap
|
page read and write
|
||
|
170AB942000
|
trusted library allocation
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
17095CA6000
|
heap
|
page read and write
|
||
|
17095CA4000
|
heap
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
3690000
|
trusted library allocation
|
page read and write
|
||
|
170B08C1000
|
trusted library allocation
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
17095E43000
|
trusted library allocation
|
page read and write
|
||
|
51CC000
|
stack
|
page read and write
|
||
|
17097B7A000
|
trusted library allocation
|
page read and write
|
||
|
170AE142000
|
trusted library allocation
|
page read and write
|
||
|
17095BA0000
|
heap
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
170A7C4E000
|
trusted library allocation
|
page read and write
|
||
|
2FD4000
|
heap
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
3682000
|
direct allocation
|
page execute and read and write
|
||
|
31B0000
|
trusted library allocation
|
page read and write
|
||
|
35F52FF000
|
stack
|
page read and write
|
||
|
17095B02000
|
unkown
|
page readonly
|
||
|
170A9B42000
|
trusted library allocation
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
3469000
|
direct allocation
|
page execute and read and write
|
||
|
2E8C000
|
heap
|
page read and write
|
||
|
2EED000
|
heap
|
page read and write
|
||
|
5BB8000
|
heap
|
page read and write
|
||
|
17095BD0000
|
heap
|
page read and write
|
||
|
170AC342000
|
trusted library allocation
|
page read and write
|
||
|
2E90000
|
heap
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
9DC000
|
stack
|
page read and write
|
||
|
32C2000
|
heap
|
page read and write
|
||
|
3260000
|
trusted library allocation
|
page execute and read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
6111000
|
direct allocation
|
page execute and read and write
|
||
|
59E0000
|
heap
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
170A7E71000
|
trusted library allocation
|
page read and write
|
||
|
3611000
|
direct allocation
|
page execute and read and write
|
||
|
17095C6C000
|
heap
|
page read and write
|
||
|
346D000
|
direct allocation
|
page execute and read and write
|
||
|
34DE000
|
direct allocation
|
page execute and read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
170A7801000
|
trusted library allocation
|
page read and write
|
||
|
17095EC5000
|
heap
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
2FD4000
|
heap
|
page read and write
|
||
|
32C6000
|
heap
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
17097801000
|
trusted library allocation
|
page read and write
|
||
|
170B12C1000
|
trusted library allocation
|
page read and write
|
||
|
6370000
|
heap
|
page read and write
|
||
|
3690000
|
trusted library allocation
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
17095E60000
|
heap
|
page execute and read and write
|
||
|
5F8D000
|
direct allocation
|
page execute and read and write
|
||
|
30F0000
|
heap
|
page read and write
|
||
|
5E60000
|
direct allocation
|
page execute and read and write
|
||
|
170A82FD000
|
trusted library allocation
|
page read and write
|
||
|
17095CD2000
|
heap
|
page read and write
|
||
|
5990000
|
heap
|
page read and write
|
||
|
17095CDB000
|
heap
|
page read and write
|
||
|
15DDC000
|
system
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
170AAF42000
|
trusted library allocation
|
page read and write
|
||
|
170A8742000
|
trusted library allocation
|
page read and write
|
||
|
30E0000
|
trusted library allocation
|
page read and write
|
||
|
170AFEC1000
|
trusted library allocation
|
page read and write
|
||
|
360D000
|
direct allocation
|
page execute and read and write
|
||
|
35F4FFE000
|
stack
|
page read and write
|
||
|
17095C8F000
|
heap
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
17095BD5000
|
heap
|
page read and write
|
||
|
2E88000
|
heap
|
page read and write
|
||
|
17095B06000
|
unkown
|
page readonly
|
||
|
594E000
|
stack
|
page read and write
|
||
|
5DAE000
|
stack
|
page read and write
|
||
|
2E93000
|
heap
|
page read and write
|
||
|
2FE3000
|
heap
|
page read and write
|
||
|
17097825000
|
trusted library allocation
|
page read and write
|
||
|
59F0000
|
heap
|
page read and write
|
||
|
5BB0000
|
heap
|
page read and write
|
||
|
5B40000
|
direct allocation
|
page read and write
|
||
|
17095C00000
|
heap
|
page read and write
|
||
|
170AA542000
|
trusted library allocation
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
17095E40000
|
trusted library allocation
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
170A9142000
|
trusted library allocation
|
page read and write
|
||
|
612D000
|
direct allocation
|
page execute and read and write
|
||
|
170A7807000
|
trusted library allocation
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
CD0000
|
heap
|
page read and write
|
||
|
17095B00000
|
unkown
|
page readonly
|
||
|
17095C60000
|
heap
|
page read and write
|
||
|
6B50000
|
unclassified section
|
page execute and read and write
|
||
|
2E80000
|
heap
|
page read and write
|
||
|
63DE000
|
stack
|
page read and write
|
||
|
39AC000
|
unclassified section
|
page read and write
|
||
|
6ADE000
|
unclassified section
|
page execute and read and write
|
||
|
5F89000
|
direct allocation
|
page execute and read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
35F55FF000
|
stack
|
page read and write
|
||
|
36D2000
|
unclassified section
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
2FC0000
|
heap
|
page read and write
|
||
|
3199000
|
heap
|
page read and write
|
||
|
61A8000
|
direct allocation
|
page execute and read and write
|
||
|
5AF0000
|
direct allocation
|
page read and write
|
||
|
17095C40000
|
trusted library allocation
|
page read and write
|
||
|
6126000
|
direct allocation
|
page execute and read and write
|
||
|
6380000
|
unclassified section
|
page execute and read and write
|
||
|
2E8A000
|
heap
|
page read and write
|
||
|
35F58FD000
|
stack
|
page read and write
|
||
|
170A7A2C000
|
trusted library allocation
|
page read and write
|
||
|
35F53FE000
|
stack
|
page read and write
|
||
|
30E0000
|
heap
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
641E000
|
stack
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
35F54FF000
|
stack
|
page read and write
|
||
|
170AD742000
|
trusted library allocation
|
page read and write
|
||
|
35F4BD2000
|
stack
|
page read and write
|
||
|
17097B68000
|
trusted library allocation
|
page read and write
|
||
|
35F50FE000
|
stack
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
170ACD42000
|
trusted library allocation
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
17095BE0000
|
heap
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
62AF000
|
stack
|
page read and write
|
||
|
5FFE000
|
direct allocation
|
page execute and read and write
|
||
|
17095B90000
|
heap
|
page read and write
|
||
|
35F59FE000
|
stack
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
400000
|
remote allocation
|
page execute and read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
35F51FC000
|
stack
|
page read and write
|
||
|
3337000
|
heap
|
page read and write
|
||
|
3340000
|
direct allocation
|
page execute and read and write
|
||
|
2E88000
|
heap
|
page read and write
|
||
|
17095E30000
|
trusted library allocation
|
page read and write
|
||
|
2FD0000
|
heap
|
page read and write
|
||
|
5830000
|
heap
|
page read and write
|
||
|
57FA000
|
stack
|
page read and write
|
||
|
400000
|
remote allocation
|
page execute and read and write
|
||
|
15B02000
|
system
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
170A7ACE000
|
trusted library allocation
|
page read and write
|
||
|
5B85000
|
direct allocation
|
page execute and read and write
|
||
|
598E000
|
stack
|
page read and write
|
||
|
2FE0000
|
heap
|
page read and write
|
||
|
2E8F000
|
heap
|
page read and write
|
||
|
3690000
|
trusted library allocation
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
||
|
2FD4000
|
heap
|
page read and write
|
||
|
C3B000
|
stack
|
page read and write
|
||
|
17095E90000
|
heap
|
page execute and read and write
|
||
|
35F4EFE000
|
stack
|
page read and write
|
||
|
2E8D000
|
heap
|
page read and write
|
||
|
2FE1000
|
heap
|
page read and write
|
There are 168 hidden memdumps, click here to show them.