Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
powershell.ps1
|
ASCII text, with very long lines (1022), with no line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eydyruyo.dga.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbvjqnxs.ijs.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1v3czn5.spw.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4usykrq.eng.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GB7LU0PQ56V4Z5RQUTFA.temp
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\powershell.ps1"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
|
|
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
https://aka.ms/winsvr-2022-pshelp
|
unknown
|
||
|
http://schemas.xmlsoap.org/soap/encoding/
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
http://schemas.xmlsoap.org/wsdl/
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://194.163.130.194:443/news.php
|
194.163.130.194
|
||
|
http://www.microsoft.co
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://aka.ms/winsvr-2022-pshelpX
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://194.163.130.194:443/news.php
|
unknown
|
||
|
http://194.163.130.194:443
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
http://go.micros
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
There are 10 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
194.163.130.194
|
unknown
|
Germany
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7FF7C1D1C000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1AE0000
|
trusted library allocation
|
page read and write
|
||
|
212AF121000
|
heap
|
page read and write
|
||
|
21298D69000
|
trusted library allocation
|
page read and write
|
||
|
212AF200000
|
heap
|
page read and write
|
||
|
212AEE30000
|
heap
|
page read and write
|
||
|
21294F55000
|
heap
|
page read and write
|
||
|
212AEF50000
|
heap
|
page read and write
|
||
|
212AF509000
|
heap
|
page read and write
|
||
|
1AB3E8D000
|
stack
|
page read and write
|
||
|
7FF7C1A80000
|
trusted library allocation
|
page execute and read and write
|
||
|
21297910000
|
trusted library allocation
|
page read and write
|
||
|
212AF26A000
|
heap
|
page read and write
|
||
|
7FF7C1AA0000
|
trusted library allocation
|
page read and write
|
||
|
212AF252000
|
heap
|
page read and write
|
||
|
7FF7C1946000
|
trusted library allocation
|
page read and write
|
||
|
1AB2EF9000
|
stack
|
page read and write
|
||
|
7FF7C189D000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF7C1AF0000
|
trusted library allocation
|
page read and write
|
||
|
21294EA1000
|
heap
|
page read and write
|
||
|
7FF7C1C49000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C194C000
|
trusted library allocation
|
page execute and read and write
|
||
|
1AB294E000
|
stack
|
page read and write
|
||
|
7FF7C1D30000
|
trusted library allocation
|
page read and write
|
||
|
212AEEFD000
|
heap
|
page read and write
|
||
|
212A6D94000
|
trusted library allocation
|
page read and write
|
||
|
21296780000
|
heap
|
page readonly
|
||
|
21297AD8000
|
trusted library allocation
|
page read and write
|
||
|
21294F50000
|
heap
|
page read and write
|
||
|
7FF7C1B50000
|
trusted library allocation
|
page read and write
|
||
|
21298F10000
|
trusted library allocation
|
page read and write
|
||
|
1AB2E7E000
|
stack
|
page read and write
|
||
|
7FF7C1C58000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1D72000
|
trusted library allocation
|
page read and write
|
||
|
7DF490310000
|
trusted library allocation
|
page execute and read and write
|
||
|
21296DA7000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1976000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF7C1D00000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1C23000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1BF0000
|
trusted library allocation
|
page read and write
|
||
|
212967C0000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1BE0000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1C10000
|
trusted library allocation
|
page read and write
|
||
|
21298A01000
|
trusted library allocation
|
page read and write
|
||
|
21297DBC000
|
trusted library allocation
|
page read and write
|
||
|
21297DD1000
|
trusted library allocation
|
page read and write
|
||
|
212AED21000
|
heap
|
page read and write
|
||
|
7FF7C1C40000
|
trusted library allocation
|
page read and write
|
||
|
1AB2D7B000
|
stack
|
page read and write
|
||
|
2129716D000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1C44000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1C00000
|
trusted library allocation
|
page read and write
|
||
|
21296800000
|
trusted library allocation
|
page read and write
|
||
|
21294EE7000
|
heap
|
page read and write
|
||
|
21296D21000
|
trusted library allocation
|
page read and write
|
||
|
1AB3037000
|
stack
|
page read and write
|
||
|
212AF260000
|
heap
|
page read and write
|
||
|
1AB323E000
|
stack
|
page read and write
|
||
|
212AF067000
|
heap
|
page execute and read and write
|
||
|
7FF7C1B00000
|
trusted library allocation
|
page read and write
|
||
|
2129890E000
|
trusted library allocation
|
page read and write
|
||
|
1AB31BE000
|
stack
|
page read and write
|
||
|
212AF1D9000
|
heap
|
page read and write
|
||
|
1AB3E0E000
|
stack
|
page read and write
|
||
|
21297CEB000
|
trusted library allocation
|
page read and write
|
||
|
21298226000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1B40000
|
trusted library allocation
|
page read and write
|
||
|
212AEF30000
|
heap
|
page read and write
|
||
|
1AB33BC000
|
stack
|
page read and write
|
||
|
7FF7C18EC000
|
trusted library allocation
|
page execute and read and write
|
||
|
21296740000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1D10000
|
trusted library allocation
|
page read and write
|
||
|
1AB28C5000
|
stack
|
page read and write
|
||
|
7DF4902F0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF7C1890000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1A90000
|
trusted library allocation
|
page read and write
|
||
|
21294EBB000
|
heap
|
page read and write
|
||
|
212A6D49000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1D20000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF7C18BD000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF7C1D50000
|
trusted library allocation
|
page read and write
|
||
|
212A6D39000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1A41000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1A50000
|
trusted library allocation
|
page execute and read and write
|
||
|
21297F0E000
|
trusted library allocation
|
page read and write
|
||
|
21296815000
|
heap
|
page read and write
|
||
|
212AF500000
|
heap
|
page read and write
|
||
|
212AF23A000
|
heap
|
page read and write
|
||
|
21294CB0000
|
heap
|
page read and write
|
||
|
21298FCD000
|
trusted library allocation
|
page read and write
|
||
|
2129901C000
|
trusted library allocation
|
page read and write
|
||
|
21296F47000
|
trusted library allocation
|
page read and write
|
||
|
21294F00000
|
heap
|
page read and write
|
||
|
7FF7C1D74000
|
trusted library allocation
|
page read and write
|
||
|
1AB2C7D000
|
stack
|
page read and write
|
||
|
212AEE79000
|
heap
|
page read and write
|
||
|
1AB3138000
|
stack
|
page read and write
|
||
|
7FF7C18B0000
|
trusted library allocation
|
page read and write
|
||
|
1AB2CFE000
|
stack
|
page read and write
|
||
|
7FF7C1C50000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1A30000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1940000
|
trusted library allocation
|
page read and write
|
||
|
21296770000
|
trusted library allocation
|
page read and write
|
||
|
1AB2FBE000
|
stack
|
page read and write
|
||
|
2129715C000
|
trusted library allocation
|
page read and write
|
||
|
212AEEE4000
|
heap
|
page read and write
|
||
|
1AB3D8F000
|
stack
|
page read and write
|
||
|
21296D10000
|
heap
|
page execute and read and write
|
||
|
1AB29CE000
|
stack
|
page read and write
|
||
|
7FF7C1B90000
|
trusted library allocation
|
page read and write
|
||
|
212AF208000
|
heap
|
page read and write
|
||
|
7FF7C1C20000
|
trusted library allocation
|
page read and write
|
||
|
212AF0A8000
|
heap
|
page read and write
|
||
|
7FF7C1893000
|
trusted library allocation
|
page execute and read and write
|
||
|
212AEE6C000
|
heap
|
page read and write
|
||
|
7FF7C1894000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C18A0000
|
trusted library allocation
|
page read and write
|
||
|
1AB32BE000
|
stack
|
page read and write
|
||
|
21297D27000
|
trusted library allocation
|
page read and write
|
||
|
21296D00000
|
trusted library allocation
|
page read and write
|
||
|
21294E74000
|
heap
|
page read and write
|
||
|
212AF0F7000
|
heap
|
page read and write
|
||
|
1AB30BC000
|
stack
|
page read and write
|
||
|
7FF7C1C5C000
|
trusted library allocation
|
page read and write
|
||
|
1AB3F0C000
|
stack
|
page read and write
|
||
|
7DF490300000
|
trusted library allocation
|
page execute and read and write
|
||
|
21294E12000
|
heap
|
page read and write
|
||
|
212968B0000
|
heap
|
page read and write
|
||
|
7FF7C19B0000
|
trusted library allocation
|
page execute and read and write
|
||
|
21294DB0000
|
heap
|
page read and write
|
||
|
7FF7C1CE3000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1CE0000
|
trusted library allocation
|
page read and write
|
||
|
212AEF2C000
|
heap
|
page read and write
|
||
|
7FF7C1A72000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1B60000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1892000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1BD0000
|
trusted library allocation
|
page read and write
|
||
|
1AB333E000
|
stack
|
page read and write
|
||
|
7FF7C1BC0000
|
trusted library allocation
|
page read and write
|
||
|
21294EA3000
|
heap
|
page read and write
|
||
|
212A6D21000
|
trusted library allocation
|
page read and write
|
||
|
212A701D000
|
trusted library allocation
|
page read and write
|
||
|
21294E9B000
|
heap
|
page read and write
|
||
|
2129897A000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1BA0000
|
trusted library allocation
|
page read and write
|
||
|
212AF166000
|
heap
|
page read and write
|
||
|
7FF7C1CF0000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1AC0000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1B70000
|
trusted library allocation
|
page read and write
|
||
|
212AEEAF000
|
heap
|
page read and write
|
||
|
21294E9D000
|
heap
|
page read and write
|
||
|
21294E00000
|
heap
|
page read and write
|
||
|
21298D43000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1AB0000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1AD0000
|
trusted library allocation
|
page read and write
|
||
|
21298670000
|
trusted library allocation
|
page read and write
|
||
|
21294EE5000
|
heap
|
page read and write
|
||
|
212AEE64000
|
heap
|
page read and write
|
||
|
21296C90000
|
heap
|
page execute and read and write
|
||
|
212AF0CE000
|
heap
|
page read and write
|
||
|
212AF168000
|
heap
|
page read and write
|
||
|
7FF7C1BB0000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1A60000
|
trusted library allocation
|
page execute and read and write
|
||
|
212A700E000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1D80000
|
trusted library allocation
|
page read and write
|
||
|
2129896B000
|
trusted library allocation
|
page read and write
|
||
|
212A6F2F000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1B10000
|
trusted library allocation
|
page read and write
|
||
|
212AF08C000
|
heap
|
page read and write
|
||
|
21296930000
|
heap
|
page read and write
|
||
|
1AB2F79000
|
stack
|
page read and write
|
||
|
21296810000
|
heap
|
page read and write
|
||
|
1AB2DFE000
|
stack
|
page read and write
|
||
|
21294EA7000
|
heap
|
page read and write
|
||
|
7FF7C18AB000
|
trusted library allocation
|
page read and write
|
||
|
212AF1FA000
|
heap
|
page read and write
|
||
|
21296790000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C1B80000
|
trusted library allocation
|
page read and write
|
||
|
212AF070000
|
heap
|
page read and write
|
||
|
7FF7C1A4A000
|
trusted library allocation
|
page read and write
|
||
|
212A7022000
|
trusted library allocation
|
page read and write
|
||
|
21294EEB000
|
heap
|
page read and write
|
||
|
21294D90000
|
heap
|
page read and write
|
||
|
7FF7C1B30000
|
trusted library allocation
|
page read and write
|
||
|
212AF060000
|
heap
|
page execute and read and write
|
||
|
7FF7C1B20000
|
trusted library allocation
|
page read and write
|
There are 176 hidden memdumps, click here to show them.