Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | PE32+ executable (console) x86-64, for MS Windows | initial sample | |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0aumyvkw.nef.psm1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g45535fo.20t.ps1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kseaghrs.m5x.ps1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xo1yfyfk.ljk.psm1 | ASCII text, with no line terminators | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe | "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe" | |
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'" | |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Meterpreter.14735.10805.exe'" | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | |
URLs

| Name | IP | Malicious |
|---|---|---|
| http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | unknown | |
| https://cleversquad.online/0 | unknown | |
| https://sectigo.com/CPS0 | unknown | |
| http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | unknown | |
| http://ocsp.sectigo.com0 | unknown | |
| http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | unknown | |
| https://cdn.cleversquad.online/cdn/CleverClient/CleverLauncher.exeFailed | unknown | |
| https://cdn.cleversquad.online/cdn/CleverClient/CleverLauncher.exe | unknown | |
| http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | unknown | |
Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 19733E80000 | heap | page read and write | |
| 19733CF0000 | heap | page read and write | |
| 7FF79EA85000 | unknown | page read and write | |
| 19733DD0000 | heap | page read and write | |
| 7FF79EA83000 | unknown | page readonly | |
| 19733E84000 | heap | page read and write | |
| 40844FB000 | stack | page read and write | |
| 40845FE000 | stack | page read and write | |
| 19733E89000 | heap | page read and write | |
| 19733E80000 | heap | page read and write | |
| 7FF79EA86000 | unknown | page readonly | |
| 197357A5000 | heap | page read and write | |
| 19733E5C000 | heap | page read and write | |
| 19737040000 | heap | page read and write | |
| 7FF79EA83000 | unknown | page readonly | |
| 197357A0000 | heap | page read and write | |
| 19735AF0000 | heap | page read and write | |
| 7FF79EA81000 | unknown | page execute read | |
| 19737043000 | heap | page read and write | |
| 7FF79EA80000 | unknown | page readonly | |
| 7FF79EA85000 | unknown | page write copy | |
| 40846FF000 | stack | page read and write | |
| 19737150000 | trusted library allocation | page read and write | |
| 7FF79EA80000 | unknown | page readonly | |
| 7FF79EA81000 | unknown | page execute read | |
| 19733E50000 | heap | page read and write | |
| 19733E77000 | heap | page read and write | |
| 19733E77000 | heap | page read and write | |
| 19735700000 | heap | page read and write | |
| 7FF79EA86000 | unknown | page readonly | |
| 19733E00000 | heap | page read and write | |
| 197357AA000 | heap | page read and write | |
| 19733E8E000 | heap | page read and write | |