Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
untrippingvT.ps1
|
ASCII text, with very long lines (4140), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_a9c567789ad651e7b48413341b6e7a9ac98a27_e3b0f337_1beaffd2-f887-4017-9219-fc6a734818ee\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER78.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF8E5.tmp.dmp
|
Mini DuMP crash report, 16 streams, Tue Dec 3 08:17:04 2024, 0x1205a4 type
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25ooazca.h2o.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_untyfegk.l5d.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\590aee7bdd69b59b.customDesusertions-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\K0FYLYR2YR7A6TG274FK.temp
|
data
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\untrippingvT.ps1"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 7648 -s 1976
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://www.italialife24.it/wp-content/uploads/2021/05/hypervitalizationVA.exe
|
46.254.34.201
|
|
|
|
https://www.italialife24.it
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0
|
unknown
|
||
|
http://crl.micro
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://oneget.orgX
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://oneget.org
|
unknown
|
||
|
http://italialife24.it
|
unknown
|
||
|
http://www.italialife24.it
|
unknown
|
There are 10 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
italialife24.it
|
46.254.34.201
|
|
|
|
s-part-0035.t-0009.t-msedge.net
|
13.107.246.63
|
||
|
www.italialife24.it
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
46.254.34.201
|
italialife24.it
|
Italy
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
ProgramId
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
FileId
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
LongPathHash
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
Name
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
OriginalFileName
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
Publisher
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
Version
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
BinFileVersion
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
BinaryType
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
ProductName
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
ProductVersion
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
LinkDate
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
BinProductVersion
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
Size
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
Language
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
IsOsComponent
|
||
|
\REGISTRY\A\{e9e19b6c-b97f-967c-68ae-bc6f0bfb30e2}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
Usn
|
There are 24 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7FF887E50000
|
trusted library allocation
|
page read and write
|
||
|
1F9CF113000
|
trusted library allocation
|
page read and write
|
||
|
1F9CB8A0000
|
heap
|
page read and write
|
||
|
1F9DD7B1000
|
trusted library allocation
|
page read and write
|
||
|
1F9CB91D000
|
heap
|
page read and write
|
||
|
5033579000
|
stack
|
page read and write
|
||
|
7FF887F00000
|
trusted library allocation
|
page read and write
|
||
|
7FF887E10000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5B50000
|
heap
|
page read and write
|
||
|
503460F000
|
stack
|
page read and write
|
||
|
1F9E5AC0000
|
trusted library allocation
|
page read and write
|
||
|
7FF887EF0000
|
trusted library allocation
|
page read and write
|
||
|
1F9CB740000
|
heap
|
page read and write
|
||
|
7FF887C13000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF887E90000
|
trusted library allocation
|
page read and write
|
||
|
503337B000
|
stack
|
page read and write
|
||
|
1F9CB954000
|
heap
|
page read and write
|
||
|
1F9CB995000
|
heap
|
page read and write
|
||
|
1F9CD220000
|
trusted library allocation
|
page read and write
|
||
|
1F9CD210000
|
heap
|
page readonly
|
||
|
1F9E5B71000
|
heap
|
page read and write
|
||
|
1F9CB968000
|
heap
|
page read and write
|
||
|
503387E000
|
stack
|
page read and write
|
||
|
7FF887E70000
|
trusted library allocation
|
page read and write
|
||
|
7FF887C1D000
|
trusted library allocation
|
page execute and read and write
|
||
|
5034303000
|
stack
|
page read and write
|
||
|
1F9CD380000
|
heap
|
page execute and read and write
|
||
|
1F9CD250000
|
heap
|
page read and write
|
||
|
50343CD000
|
stack
|
page read and write
|
||
|
503347E000
|
stack
|
page read and write
|
||
|
1F9CDBAE000
|
trusted library allocation
|
page read and write
|
||
|
1F9CE2FE000
|
trusted library allocation
|
page read and write
|
||
|
503450C000
|
stack
|
page read and write
|
||
|
7FF887E60000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5900000
|
heap
|
page read and write
|
||
|
503377E000
|
stack
|
page read and write
|
||
|
7FF887C14000
|
trusted library allocation
|
page read and write
|
||
|
7FF887DCA000
|
trusted library allocation
|
page read and write
|
||
|
7FF887F20000
|
trusted library allocation
|
page read and write
|
||
|
1F9DD823000
|
trusted library allocation
|
page read and write
|
||
|
7FF887F30000
|
trusted library allocation
|
page read and write
|
||
|
1F9CD2C5000
|
heap
|
page read and write
|
||
|
7FF887FA0000
|
trusted library allocation
|
page read and write
|
||
|
503327E000
|
stack
|
page read and write
|
||
|
1F9E598E000
|
heap
|
page read and write
|
||
|
1F9E5C0E000
|
heap
|
page read and write
|
||
|
1F9CF3EF000
|
trusted library allocation
|
page read and write
|
||
|
7FF887CF6000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F9E5C28000
|
heap
|
page read and write
|
||
|
50337FF000
|
stack
|
page read and write
|
||
|
50338FB000
|
stack
|
page read and write
|
||
|
1F9CF16D000
|
trusted library allocation
|
page read and write
|
||
|
7FF887DF2000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5BAF000
|
heap
|
page read and write
|
||
|
1F9CEE56000
|
trusted library allocation
|
page read and write
|
||
|
50336F8000
|
stack
|
page read and write
|
||
|
1F9CEE73000
|
trusted library allocation
|
page read and write
|
||
|
50335F7000
|
stack
|
page read and write
|
||
|
1F9CEE68000
|
trusted library allocation
|
page read and write
|
||
|
7FF887DF7000
|
trusted library allocation
|
page read and write
|
||
|
7FF887F50000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5B47000
|
heap
|
page execute and read and write
|
||
|
5032EB5000
|
stack
|
page read and write
|
||
|
1F9CB950000
|
heap
|
page read and write
|
||
|
7FF887EE0000
|
trusted library allocation
|
page read and write
|
||
|
1F9CB94E000
|
heap
|
page read and write
|
||
|
1F9CD460000
|
heap
|
page read and write
|
||
|
7FF887F40000
|
trusted library allocation
|
page read and write
|
||
|
7FF887C20000
|
trusted library allocation
|
page read and write
|
||
|
7FF887CC0000
|
trusted library allocation
|
page read and write
|
||
|
7FF887C12000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5BBE000
|
heap
|
page read and write
|
||
|
1F9CDBA1000
|
trusted library allocation
|
page read and write
|
||
|
7FF887ED0000
|
trusted library allocation
|
page read and write
|
||
|
1F9CD2C0000
|
heap
|
page read and write
|
||
|
1F9E59E0000
|
heap
|
page read and write
|
||
|
1F9CD403000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5941000
|
heap
|
page read and write
|
||
|
1F9CDBC6000
|
trusted library allocation
|
page read and write
|
||
|
1F9CD2D0000
|
trusted library allocation
|
page read and write
|
||
|
5032FFE000
|
stack
|
page read and write
|
||
|
1F9CEE86000
|
trusted library allocation
|
page read and write
|
||
|
1F9CEE5A000
|
trusted library allocation
|
page read and write
|
||
|
1F9E58C0000
|
heap
|
page read and write
|
||
|
1F9E5AD0000
|
trusted library allocation
|
page read and write
|
||
|
7FF887C10000
|
trusted library allocation
|
page read and write
|
||
|
7FF887F60000
|
trusted library allocation
|
page read and write
|
||
|
1F9CECFE000
|
trusted library allocation
|
page read and write
|
||
|
1F9E57B7000
|
heap
|
page read and write
|
||
|
7FF887F54000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5997000
|
heap
|
page read and write
|
||
|
503434F000
|
stack
|
page read and write
|
||
|
5032FBE000
|
stack
|
page read and write
|
||
|
7FF887DFA000
|
trusted library allocation
|
page read and write
|
||
|
1F9DDA9E000
|
trusted library allocation
|
page read and write
|
||
|
503367C000
|
stack
|
page read and write
|
||
|
1F9E5C67000
|
heap
|
page read and write
|
||
|
1F9CBA30000
|
heap
|
page read and write
|
||
|
7FF887E40000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5C31000
|
heap
|
page read and write
|
||
|
7FF887F70000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5B85000
|
heap
|
page read and write
|
||
|
50332FD000
|
stack
|
page read and write
|
||
|
1F9CB990000
|
heap
|
page read and write
|
||
|
1F9CEE82000
|
trusted library allocation
|
page read and write
|
||
|
1F9CB820000
|
heap
|
page read and write
|
||
|
1F9CF0E8000
|
trusted library allocation
|
page read and write
|
||
|
7DF49EC40000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF887DD0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF887E30000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5C9E000
|
heap
|
page read and write
|
||
|
7FF887CC6000
|
trusted library allocation
|
page read and write
|
||
|
1F9CD1E0000
|
trusted library section
|
page read and write
|
||
|
7FF887DE0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF887E20000
|
trusted library allocation
|
page read and write
|
||
|
1F9CD450000
|
direct allocation
|
page execute and read and write
|
||
|
1F9DD99B000
|
trusted library allocation
|
page read and write
|
||
|
7FF887DF5000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5B6C000
|
heap
|
page read and write
|
||
|
1F9CEE96000
|
trusted library allocation
|
page read and write
|
||
|
1F9CF4B8000
|
trusted library allocation
|
page read and write
|
||
|
1F9CDB94000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5B81000
|
heap
|
page read and write
|
||
|
1F9CD7B1000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5B89000
|
heap
|
page read and write
|
||
|
503458B000
|
stack
|
page read and write
|
||
|
7FF887CCC000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F9CB948000
|
heap
|
page read and write
|
||
|
1F9CD200000
|
trusted library allocation
|
page read and write
|
||
|
1F9DDAAD000
|
trusted library allocation
|
page read and write
|
||
|
1F9CBA35000
|
heap
|
page read and write
|
||
|
1F9E5CA1000
|
heap
|
page read and write
|
||
|
50333FE000
|
stack
|
page read and write
|
||
|
1F9CD400000
|
trusted library allocation
|
page read and write
|
||
|
1F9CD360000
|
heap
|
page execute and read and write
|
||
|
7FF887E00000
|
trusted library allocation
|
page execute and read and write
|
||
|
503397B000
|
stack
|
page read and write
|
||
|
7FF887E80000
|
trusted library allocation
|
page read and write
|
||
|
1F9CB8A8000
|
heap
|
page read and write
|
||
|
7FF887C2B000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5B75000
|
heap
|
page read and write
|
||
|
1F9CEE88000
|
trusted library allocation
|
page read and write
|
||
|
7FF887D30000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F9E5C04000
|
heap
|
page read and write
|
||
|
1F9CD9D9000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5935000
|
heap
|
page read and write
|
||
|
503440F000
|
stack
|
page read and write
|
||
|
7FF887DC1000
|
trusted library allocation
|
page read and write
|
||
|
50334FE000
|
stack
|
page read and write
|
||
|
7FF887F90000
|
trusted library allocation
|
page read and write
|
||
|
7FF887CD0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F9CB92B000
|
heap
|
page read and write
|
||
|
1F9CD1F0000
|
trusted library section
|
page read and write
|
||
|
7FF887F10000
|
trusted library allocation
|
page read and write
|
||
|
1F9CD838000
|
trusted library allocation
|
page read and write
|
||
|
1F9E5932000
|
heap
|
page read and write
|
||
|
7FF887EC0000
|
trusted library allocation
|
page read and write
|
||
|
1F9CF4B4000
|
trusted library allocation
|
page read and write
|
||
|
1F9CBA20000
|
trusted library allocation
|
page read and write
|
||
|
1F9CB840000
|
heap
|
page read and write
|
||
|
1F9E5B40000
|
heap
|
page execute and read and write
|
||
|
7FF887EA0000
|
trusted library allocation
|
page read and write
|
||
|
1F9DD7C0000
|
trusted library allocation
|
page read and write
|
||
|
7FF887EB0000
|
trusted library allocation
|
page read and write
|
||
|
1F9CD300000
|
trusted library allocation
|
page read and write
|
||
|
1F9CB8B2000
|
heap
|
page read and write
|
||
|
5032F3E000
|
stack
|
page read and write
|
||
|
1F9E5C63000
|
heap
|
page read and write
|
||
|
7FF887DB0000
|
trusted library allocation
|
page read and write
|
||
|
1F9CEE8A000
|
trusted library allocation
|
page read and write
|
||
|
7FF887F80000
|
trusted library allocation
|
page read and write
|
||
|
1F9CB880000
|
heap
|
page read and write
|
||
|
503448F000
|
stack
|
page read and write
|
There are 163 hidden memdumps, click here to show them.