Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
readme.md.ps1
|
ASCII text
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk
|
MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600,
atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_myn4dfiv.rgh.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ruey3bbm.go5.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3QLEGYJBF4EB110VHD3X.temp
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\readme.md.ps1"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
|
|
|
https://go.micro
|
unknown
|
|
|
|
https://github.com/Pester/Pester
|
unknown
|
|
|
|
http://87.120.113.125
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://87.120.113.125/re.exe
|
87.120.113.125
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
There are 3 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
87.120.113.125
|
unknown
|
Bulgaria
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
E7A8FB000
|
stack
|
page read and write
|
||
|
E7B98D000
|
stack
|
page read and write
|
||
|
1DE160D1000
|
trusted library allocation
|
page read and write
|
||
|
E7BA4E000
|
stack
|
page read and write
|
||
|
1DE14360000
|
heap
|
page read and write
|
||
|
7FFD349D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34810000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34940000
|
trusted library allocation
|
page read and write
|
||
|
7DF468A20000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE2E557000
|
heap
|
page read and write
|
||
|
1DE143A3000
|
heap
|
page read and write
|
||
|
7FFD3468B000
|
trusted library allocation
|
page read and write
|
||
|
E7AE3E000
|
stack
|
page read and write
|
||
|
1DE2E567000
|
heap
|
page read and write
|
||
|
1DE2E64B000
|
heap
|
page read and write
|
||
|
1DE2E64E000
|
heap
|
page read and write
|
||
|
E7AEBC000
|
stack
|
page read and write
|
||
|
7FFD3482A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD349C0000
|
trusted library allocation
|
page read and write
|
||
|
E7A6FE000
|
stack
|
page read and write
|
||
|
7FFD34855000
|
trusted library allocation
|
page read and write
|
||
|
E7ACBA000
|
stack
|
page read and write
|
||
|
7FFD34840000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD34730000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE141D0000
|
heap
|
page read and write
|
||
|
1DE14410000
|
heap
|
page read and write
|
||
|
1DE2E0DF000
|
heap
|
page read and write
|
||
|
1DE16010000
|
trusted library allocation
|
page read and write
|
||
|
1DE2E5DF000
|
heap
|
page read and write
|
||
|
1DE15FC0000
|
trusted library allocation
|
page read and write
|
||
|
E7A97F000
|
stack
|
page read and write
|
||
|
E7ABB7000
|
stack
|
page read and write
|
||
|
1DE2E520000
|
heap
|
page read and write
|
||
|
1DE2E5C8000
|
heap
|
page read and write
|
||
|
7FFD34790000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE2E1F0000
|
heap
|
page read and write
|
||
|
E7A7FD000
|
stack
|
page read and write
|
||
|
E7AC37000
|
stack
|
page read and write
|
||
|
7FFD348B0000
|
trusted library allocation
|
page read and write
|
||
|
1DE1437C000
|
heap
|
page read and write
|
||
|
7FFD34690000
|
trusted library allocation
|
page read and write
|
||
|
1DE142B0000
|
heap
|
page read and write
|
||
|
1DE17718000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34880000
|
trusted library allocation
|
page read and write
|
||
|
1DE2E615000
|
heap
|
page read and write
|
||
|
7FFD34830000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD34860000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD348D0000
|
trusted library allocation
|
page read and write
|
||
|
1DE2E619000
|
heap
|
page read and write
|
||
|
1DE2E227000
|
heap
|
page read and write
|
||
|
7FFD348A0000
|
trusted library allocation
|
page read and write
|
||
|
1DE1727D000
|
trusted library allocation
|
page read and write
|
||
|
E7A77E000
|
stack
|
page read and write
|
||
|
1DE1435B000
|
heap
|
page read and write
|
||
|
1DE14430000
|
heap
|
page read and write
|
||
|
E7ADBE000
|
stack
|
page read and write
|
||
|
7FFD346CC000
|
trusted library allocation
|
page execute and read and write
|
||
|
E7A3D5000
|
stack
|
page read and write
|
||
|
1DE143B0000
|
heap
|
page read and write
|
||
|
7FFD34960000
|
trusted library allocation
|
page read and write
|
||
|
1DE176F8000
|
trusted library allocation
|
page read and write
|
||
|
E7A67E000
|
stack
|
page read and write
|
||
|
7FFD34674000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34680000
|
trusted library allocation
|
page read and write
|
||
|
1DE2E370000
|
heap
|
page execute and read and write
|
||
|
1DE263C9000
|
trusted library allocation
|
page read and write
|
||
|
E7B9CF000
|
stack
|
page read and write
|
||
|
1DE1774E000
|
trusted library allocation
|
page read and write
|
||
|
7FFD3467D000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE16040000
|
heap
|
page read and write
|
||
|
7FFD34970000
|
trusted library allocation
|
page read and write
|
||
|
1DE15C65000
|
heap
|
page read and write
|
||
|
E7AF3B000
|
stack
|
page read and write
|
||
|
7FFD34673000
|
trusted library allocation
|
page execute and read and write
|
||
|
E7BB4B000
|
stack
|
page read and write
|
||
|
1DE2E58D000
|
heap
|
page read and write
|
||
|
7FFD34857000
|
trusted library allocation
|
page read and write
|
||
|
1DE263BA000
|
trusted library allocation
|
page read and write
|
||
|
1DE14440000
|
heap
|
page read and write
|
||
|
7FFD34900000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34930000
|
trusted library allocation
|
page read and write
|
||
|
1DE160C0000
|
heap
|
page execute and read and write
|
||
|
1DE2E5FC000
|
heap
|
page read and write
|
||
|
1DE2E22E000
|
heap
|
page read and write
|
||
|
1DE1783A000
|
trusted library allocation
|
page read and write
|
||
|
1DE16083000
|
trusted library allocation
|
page read and write
|
||
|
1DE260D1000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34920000
|
trusted library allocation
|
page read and write
|
||
|
1DE2E5AF000
|
heap
|
page read and write
|
||
|
7FFD34890000
|
trusted library allocation
|
page read and write
|
||
|
E7AD3E000
|
stack
|
page read and write
|
||
|
1DE2E2D3000
|
heap
|
page read and write
|
||
|
E7AA7D000
|
stack
|
page read and write
|
||
|
7FFD34756000
|
trusted library allocation
|
page execute and read and write
|
||
|
E7A87E000
|
stack
|
page read and write
|
||
|
1DE2E3A7000
|
heap
|
page execute and read and write
|
||
|
1DE26282000
|
trusted library allocation
|
page read and write
|
||
|
1DE2E440000
|
heap
|
page read and write
|
||
|
7FFD349E0000
|
trusted library allocation
|
page read and write
|
||
|
1DE2E5C2000
|
heap
|
page read and write
|
||
|
7FFD34950000
|
trusted library allocation
|
page read and write
|
||
|
1DE178A6000
|
trusted library allocation
|
page read and write
|
||
|
1DE1436A000
|
heap
|
page read and write
|
||
|
1DE16000000
|
heap
|
page readonly
|
||
|
1DE15FF0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34870000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34672000
|
trusted library allocation
|
page read and write
|
||
|
1DE17714000
|
trusted library allocation
|
page read and write
|
||
|
E7AB3E000
|
stack
|
page read and write
|
||
|
1DE260E0000
|
trusted library allocation
|
page read and write
|
||
|
1DE143D0000
|
heap
|
page read and write
|
||
|
7FFD34720000
|
trusted library allocation
|
page read and write
|
||
|
1DE176F2000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34990000
|
trusted library allocation
|
page read and write
|
||
|
1DE26140000
|
trusted library allocation
|
page read and write
|
||
|
1DE14366000
|
heap
|
page read and write
|
||
|
1DE16D02000
|
trusted library allocation
|
page read and write
|
||
|
1DE16080000
|
trusted library allocation
|
page read and write
|
||
|
1DE15C60000
|
heap
|
page read and write
|
||
|
7FFD34910000
|
trusted library allocation
|
page read and write
|
||
|
7FFD3472C000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE14445000
|
heap
|
page read and write
|
||
|
7FFD34980000
|
trusted library allocation
|
page read and write
|
||
|
1DE16302000
|
trusted library allocation
|
page read and write
|
||
|
7FFD349B0000
|
trusted library allocation
|
page read and write
|
||
|
E7A9FE000
|
stack
|
page read and write
|
||
|
1DE2E63F000
|
heap
|
page read and write
|
||
|
1DE14364000
|
heap
|
page read and write
|
||
|
1DE2E5B4000
|
heap
|
page read and write
|
||
|
7FFD348E0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD348C0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34852000
|
trusted library allocation
|
page read and write
|
||
|
1DE2E3A0000
|
heap
|
page execute and read and write
|
||
|
7FFD34821000
|
trusted library allocation
|
page read and write
|
||
|
1DE1789D000
|
trusted library allocation
|
page read and write
|
||
|
1DE176FE000
|
trusted library allocation
|
page read and write
|
||
|
E7B90F000
|
stack
|
page read and write
|
||
|
7FFD34726000
|
trusted library allocation
|
page read and write
|
||
|
7FFD348F0000
|
trusted library allocation
|
page read and write
|
||
|
E7BAC8000
|
stack
|
page read and write
|
||
|
1DE2E234000
|
heap
|
page read and write
|
||
|
1DE1615B000
|
trusted library allocation
|
page read and write
|
||
|
7FFD349A0000
|
trusted library allocation
|
page read and write
|
||
|
E7AAF9000
|
stack
|
page read and write
|
||
|
1DE2E626000
|
heap
|
page read and write
|
There are 135 hidden memdumps, click here to show them.