Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
load_startup_camper.txt.ps1
|
ASCII text
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0pxpbh21.pun.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wmyrilbp.ozv.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\42AX6XYNXC96WRVY1YGQ.temp
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\load_startup_camper.txt.ps1"
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
|
|
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://194.163.130.194:8088
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
http://194.163.130.194:8088/gco_startup.bat
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
http://www.microsoft.co
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
There are 4 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
194.163.130.194
|
unknown
|
Germany
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7FF848ED0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF848EC0000
|
trusted library allocation
|
page read and write
|
||
|
78D897E000
|
stack
|
page read and write
|
||
|
1CB817DD000
|
trusted library allocation
|
page read and write
|
||
|
7FF848FF2000
|
trusted library allocation
|
page read and write
|
||
|
78D978E000
|
stack
|
page read and write
|
||
|
1CB81619000
|
trusted library allocation
|
page read and write
|
||
|
7FF848E1D000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF849000000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF848FCA000
|
trusted library allocation
|
page read and write
|
||
|
1CBF567F000
|
heap
|
page read and write
|
||
|
1CBF7020000
|
heap
|
page read and write
|
||
|
1CBF6FE0000
|
trusted library allocation
|
page read and write
|
||
|
1CBF56E0000
|
heap
|
page read and write
|
||
|
7FF848E2B000
|
trusted library allocation
|
page read and write
|
||
|
7FF849100000
|
trusted library allocation
|
page read and write
|
||
|
7FF849140000
|
trusted library allocation
|
page read and write
|
||
|
7FF849080000
|
trusted library allocation
|
page read and write
|
||
|
7FF849060000
|
trusted library allocation
|
page read and write
|
||
|
7FF848ECC000
|
trusted library allocation
|
page execute and read and write
|
||
|
1CBF78FA000
|
heap
|
page read and write
|
||
|
78D970E000
|
stack
|
page read and write
|
||
|
78D810E000
|
stack
|
page read and write
|
||
|
7FF849170000
|
trusted library allocation
|
page read and write
|
||
|
1CBF74AD000
|
heap
|
page read and write
|
||
|
78D857B000
|
stack
|
page read and write
|
||
|
1CBF5683000
|
heap
|
page read and write
|
||
|
7FF848EF6000
|
trusted library allocation
|
page execute and read and write
|
||
|
78D867E000
|
stack
|
page read and write
|
||
|
1CB81854000
|
trusted library allocation
|
page read and write
|
||
|
1CBF5775000
|
heap
|
page read and write
|
||
|
7FF849130000
|
trusted library allocation
|
page read and write
|
||
|
7FF849010000
|
trusted library allocation
|
page read and write
|
||
|
1CBF7871000
|
heap
|
page read and write
|
||
|
7FF848E12000
|
trusted library allocation
|
page read and write
|
||
|
78D85FF000
|
stack
|
page read and write
|
||
|
1CBF7906000
|
heap
|
page read and write
|
||
|
78D81CE000
|
stack
|
page read and write
|
||
|
78D8B7C000
|
stack
|
page read and write
|
||
|
1CBF5580000
|
heap
|
page read and write
|
||
|
1CBF7471000
|
heap
|
page read and write
|
||
|
7FF8490B0000
|
trusted library allocation
|
page read and write
|
||
|
1CB8008A000
|
trusted library allocation
|
page read and write
|
||
|
7FF848E10000
|
trusted library allocation
|
page read and write
|
||
|
78D847D000
|
stack
|
page read and write
|
||
|
7DF4EA910000
|
trusted library allocation
|
page execute and read and write
|
||
|
1CB80C32000
|
trusted library allocation
|
page read and write
|
||
|
1CB902FB000
|
trusted library allocation
|
page read and write
|
||
|
1CBF741A000
|
heap
|
page read and write
|
||
|
78D960F000
|
stack
|
page read and write
|
||
|
1CBF74B6000
|
heap
|
page read and write
|
||
|
7FF848E30000
|
trusted library allocation
|
page read and write
|
||
|
7FF849050000
|
trusted library allocation
|
page read and write
|
||
|
1CB90010000
|
trusted library allocation
|
page read and write
|
||
|
7FF8490A0000
|
trusted library allocation
|
page read and write
|
||
|
1CB81D72000
|
trusted library allocation
|
page read and write
|
||
|
7FF848FC1000
|
trusted library allocation
|
page read and write
|
||
|
7FF849090000
|
trusted library allocation
|
page read and write
|
||
|
78D87F7000
|
stack
|
page read and write
|
||
|
7FF848FB0000
|
trusted library allocation
|
page read and write
|
||
|
1CBF5668000
|
heap
|
page read and write
|
||
|
1CB90072000
|
trusted library allocation
|
page read and write
|
||
|
1CBF6F30000
|
trusted library allocation
|
page read and write
|
||
|
1CBF569F000
|
heap
|
page read and write
|
||
|
1CB902EC000
|
trusted library allocation
|
page read and write
|
||
|
78D968F000
|
stack
|
page read and write
|
||
|
78D89FE000
|
stack
|
page read and write
|
||
|
1CB81A30000
|
trusted library allocation
|
page read and write
|
||
|
1CBF74F5000
|
heap
|
page read and write
|
||
|
1CBF56C8000
|
heap
|
page read and write
|
||
|
1CBF74D4000
|
heap
|
page read and write
|
||
|
7FF849110000
|
trusted library allocation
|
page read and write
|
||
|
1CBF746F000
|
heap
|
page read and write
|
||
|
7FF848E13000
|
trusted library allocation
|
page execute and read and write
|
||
|
1CBF55E0000
|
heap
|
page read and write
|
||
|
7FF849150000
|
trusted library allocation
|
page read and write
|
||
|
78D980A000
|
stack
|
page read and write
|
||
|
1CBF7090000
|
heap
|
page read and write
|
||
|
7FF848E6C000
|
trusted library allocation
|
page execute and read and write
|
||
|
1CB81620000
|
trusted library allocation
|
page read and write
|
||
|
7FF849180000
|
trusted library allocation
|
page read and write
|
||
|
1CB901B4000
|
trusted library allocation
|
page read and write
|
||
|
1CBF7770000
|
heap
|
page read and write
|
||
|
1CBF76A0000
|
heap
|
page execute and read and write
|
||
|
1CBF73E0000
|
heap
|
page read and write
|
||
|
1CB80001000
|
trusted library allocation
|
page read and write
|
||
|
78D88F9000
|
stack
|
page read and write
|
||
|
78D954E000
|
stack
|
page read and write
|
||
|
1CBF6FE3000
|
trusted library allocation
|
page read and write
|
||
|
78D988A000
|
stack
|
page read and write
|
||
|
1CBF56CE000
|
heap
|
page read and write
|
||
|
78D8877000
|
stack
|
page read and write
|
||
|
7FF849040000
|
trusted library allocation
|
page read and write
|
||
|
7FF849120000
|
trusted library allocation
|
page read and write
|
||
|
7FF848E20000
|
trusted library allocation
|
page read and write
|
||
|
1CBF7740000
|
heap
|
page execute and read and write
|
||
|
78D8779000
|
stack
|
page read and write
|
||
|
78D8A7E000
|
stack
|
page read and write
|
||
|
7FF8490F0000
|
trusted library allocation
|
page read and write
|
||
|
7FF8490C0000
|
trusted library allocation
|
page read and write
|
||
|
1CB90001000
|
trusted library allocation
|
page read and write
|
||
|
7FF848E14000
|
trusted library allocation
|
page read and write
|
||
|
78D95CD000
|
stack
|
page read and write
|
||
|
78D818E000
|
stack
|
page read and write
|
||
|
1CBF6F70000
|
heap
|
page readonly
|
||
|
7FF849160000
|
trusted library allocation
|
page read and write
|
||
|
1CB81D08000
|
trusted library allocation
|
page read and write
|
||
|
78D8AF8000
|
stack
|
page read and write
|
||
|
1CBF54A0000
|
heap
|
page read and write
|
||
|
1CBF7850000
|
heap
|
page read and write
|
||
|
7FF848F30000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF849020000
|
trusted library allocation
|
page read and write
|
||
|
1CBF6FA0000
|
heap
|
page read and write
|
||
|
1CBF55A0000
|
heap
|
page read and write
|
||
|
1CBF74E0000
|
heap
|
page execute and read and write
|
||
|
1CBF78F3000
|
heap
|
page read and write
|
||
|
1CBF5770000
|
heap
|
page read and write
|
||
|
78D84FD000
|
stack
|
page read and write
|
||
|
1CBF55E8000
|
heap
|
page read and write
|
||
|
1CB80232000
|
trusted library allocation
|
page read and write
|
||
|
78D86FD000
|
stack
|
page read and write
|
||
|
7FF8490E0000
|
trusted library allocation
|
page read and write
|
||
|
1CBF55F2000
|
heap
|
page read and write
|
||
|
7FF849030000
|
trusted library allocation
|
page read and write
|
||
|
1CB81CDC000
|
trusted library allocation
|
page read and write
|
||
|
7FF848EC6000
|
trusted library allocation
|
page read and write
|
||
|
1CBF6F60000
|
trusted library allocation
|
page read and write
|
||
|
7FF848FE0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF8490D0000
|
trusted library allocation
|
page read and write
|
||
|
1CBF6F80000
|
trusted library allocation
|
page read and write
|
||
|
7FF848FD0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1CB81D70000
|
trusted library allocation
|
page read and write
|
||
|
7FF849070000
|
trusted library allocation
|
page read and write
|
||
|
1CBF7747000
|
heap
|
page execute and read and write
|
||
|
1CBF78C7000
|
heap
|
page read and write
|
||
|
78D8085000
|
stack
|
page read and write
|
||
|
1CBF7095000
|
heap
|
page read and write
|
There are 127 hidden memdumps, click here to show them.