Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
update.ps1
|
Unicode text, UTF-8 text, with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Roaming\7z.dll
|
HTML document, ASCII text, with very long lines (394)
|
dropped
|
|
|
|
C:\Users\user\AppData\Roaming\b.vue
|
HTML document, ASCII text, with very long lines (394)
|
dropped
|
|
|
|
C:\Users\user\AppData\Roaming\z.exe
|
HTML document, ASCII text, with very long lines (394)
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0rbbqa42.tje.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bditglij.afd.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hlt15x2w.ovr.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tpo0hh5v.z43.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QX4KAU2VD6IRIUHLFJK1.temp
|
data
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
There are 2 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\update.ps1"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://www.cloudflare.com/learning/access-management/phishing-attack/
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
https://aka.ms/winsvr-2022-pshelp
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://schemas.xmlsoap.org/soap/encoding/
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://aka.ms/winsvr-2022-pshelpX
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
https://serviceupdate32.com/xbe.vue
|
104.21.8.137
|
||
|
http://go.micros
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://www.cloudflare.com/5xx-error-landing
|
unknown
|
||
|
https://serviceupdate32.com
|
unknown
|
||
|
https://serviceupdate32.com/info2.php
|
104.21.8.137
|
||
|
https://serviceupdate32.com/xz.vue
|
104.21.8.137
|
||
|
http://schemas.xmlsoap.org/wsdl/
|
unknown
|
||
|
http://serviceupdate32.com
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://serviceupdate32.com/info3.php
|
104.21.8.137
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://serviceupdate32.com/x7.vue
|
104.21.8.137
|
There are 16 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
serviceupdate32.com
|
104.21.8.137
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
104.21.8.137
|
serviceupdate32.com
|
United States
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
Manager
|
There are 5 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
14865476000
|
trusted library allocation
|
page read and write
|
||
|
14872776000
|
trusted library allocation
|
page read and write
|
||
|
14862320000
|
heap
|
page read and write
|
||
|
7FFD9BB40000
|
trusted library allocation
|
page read and write
|
||
|
14862B28000
|
trusted library allocation
|
page read and write
|
||
|
1487A8B4000
|
heap
|
page read and write
|
||
|
14872A5A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BC44000
|
trusted library allocation
|
page read and write
|
||
|
14862260000
|
trusted library allocation
|
page read and write
|
||
|
148607C0000
|
heap
|
page read and write
|
||
|
1487B150000
|
heap
|
page read and write
|
||
|
21197FE000
|
stack
|
page read and write
|
||
|
7FFD9BAB0000
|
trusted library allocation
|
page read and write
|
||
|
1487ABEA000
|
heap
|
page read and write
|
||
|
148626A0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB50000
|
trusted library allocation
|
page read and write
|
||
|
14862B34000
|
trusted library allocation
|
page read and write
|
||
|
1487ACF6000
|
heap
|
page read and write
|
||
|
1486546E000
|
trusted library allocation
|
page read and write
|
||
|
14862761000
|
trusted library allocation
|
page read and write
|
||
|
1487AB00000
|
heap
|
page read and write
|
||
|
14862730000
|
heap
|
page execute and read and write
|
||
|
7FFD9BAE0000
|
trusted library allocation
|
page read and write
|
||
|
1487AB7D000
|
heap
|
page read and write
|
||
|
1487B12A000
|
heap
|
page read and write
|
||
|
1487A8D2000
|
heap
|
page read and write
|
||
|
2119AFD000
|
stack
|
page read and write
|
||
|
7FFD9B970000
|
trusted library allocation
|
page read and write
|
||
|
14863094000
|
trusted library allocation
|
page read and write
|
||
|
2119F3A000
|
stack
|
page read and write
|
||
|
14863742000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA40000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA90000
|
trusted library allocation
|
page read and write
|
||
|
2119D79000
|
stack
|
page read and write
|
||
|
14865400000
|
trusted library allocation
|
page read and write
|
||
|
14864EE0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA10000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA30000
|
trusted library allocation
|
page read and write
|
||
|
14864B1E000
|
trusted library allocation
|
page read and write
|
||
|
148636AE000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BC42000
|
trusted library allocation
|
page read and write
|
||
|
1487AB16000
|
heap
|
page read and write
|
||
|
148621B0000
|
heap
|
page read and write
|
||
|
1487ABA0000
|
heap
|
page read and write
|
||
|
14860800000
|
heap
|
page read and write
|
||
|
211AF4C000
|
stack
|
page read and write
|
||
|
7FFD9B940000
|
trusted library allocation
|
page execute and read and write
|
||
|
148622B0000
|
trusted library allocation
|
page read and write
|
||
|
148727D1000
|
trusted library allocation
|
page read and write
|
||
|
14862B49000
|
trusted library allocation
|
page read and write
|
||
|
14862750000
|
heap
|
page read and write
|
||
|
14860918000
|
heap
|
page read and write
|
||
|
7FFD9B990000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB14000
|
trusted library allocation
|
page read and write
|
||
|
148608DD000
|
heap
|
page read and write
|
||
|
7FFD9B9B0000
|
trusted library allocation
|
page read and write
|
||
|
14862325000
|
heap
|
page read and write
|
||
|
7FFD9B856000
|
trusted library allocation
|
page execute and read and write
|
||
|
1487ACE7000
|
heap
|
page read and write
|
||
|
7FFD9B9E0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA20000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB59000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B770000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B960000
|
trusted library allocation
|
page execute and read and write
|
||
|
1487AC2C000
|
heap
|
page read and write
|
||
|
7FFD9B890000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9BB3D000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B78B000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B826000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA70000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA80000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB44000
|
trusted library allocation
|
page read and write
|
||
|
21196F5000
|
stack
|
page read and write
|
||
|
14862670000
|
trusted library allocation
|
page read and write
|
||
|
14862B89000
|
trusted library allocation
|
page read and write
|
||
|
14862B8D000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BBB0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BC20000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BCD0000
|
trusted library allocation
|
page read and write
|
||
|
1487AB29000
|
heap
|
page read and write
|
||
|
1487ACDF000
|
heap
|
page read and write
|
||
|
14864AC3000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB28000
|
trusted library allocation
|
page read and write
|
||
|
148643D9000
|
trusted library allocation
|
page read and write
|
||
|
1487AB8B000
|
heap
|
page read and write
|
||
|
148630A5000
|
trusted library allocation
|
page read and write
|
||
|
148635E0000
|
trusted library allocation
|
page read and write
|
||
|
14872761000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B820000
|
trusted library allocation
|
page read and write
|
||
|
2119A7E000
|
stack
|
page read and write
|
||
|
14860830000
|
heap
|
page read and write
|
||
|
1486308B000
|
trusted library allocation
|
page read and write
|
||
|
7DF423090000
|
trusted library allocation
|
page execute and read and write
|
||
|
148607F5000
|
heap
|
page read and write
|
||
|
14864ADD000
|
trusted library allocation
|
page read and write
|
||
|
211A23C000
|
stack
|
page read and write
|
||
|
2119EBE000
|
stack
|
page read and write
|
||
|
1487A96D000
|
heap
|
page read and write
|
||
|
1486091C000
|
heap
|
page read and write
|
||
|
148627E7000
|
trusted library allocation
|
page read and write
|
||
|
211AC0E000
|
stack
|
page read and write
|
||
|
7FFD9BA50000
|
trusted library allocation
|
page read and write
|
||
|
14863091000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA00000
|
trusted library allocation
|
page read and write
|
||
|
1487ABE4000
|
heap
|
page read and write
|
||
|
1487ABDE000
|
heap
|
page read and write
|
||
|
7FFD9B774000
|
trusted library allocation
|
page read and write
|
||
|
148608CF000
|
heap
|
page read and write
|
||
|
1487B12C000
|
heap
|
page read and write
|
||
|
1487A90A000
|
heap
|
page read and write
|
||
|
14863789000
|
trusted library allocation
|
page read and write
|
||
|
14862987000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BC00000
|
trusted library allocation
|
page read and write
|
||
|
1486371B000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAA0000
|
trusted library allocation
|
page read and write
|
||
|
148640CF000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B830000
|
trusted library allocation
|
page execute and read and write
|
||
|
2119C7F000
|
stack
|
page read and write
|
||
|
1487ACCB000
|
heap
|
page read and write
|
||
|
1487A979000
|
heap
|
page read and write
|
||
|
1486396B000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B77D000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B9A0000
|
trusted library allocation
|
page read and write
|
||
|
14860842000
|
heap
|
page read and write
|
||
|
7FFD9B9D0000
|
trusted library allocation
|
page read and write
|
||
|
148608ED000
|
heap
|
page read and write
|
||
|
14864CDB000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BBF0000
|
trusted library allocation
|
page execute and read and write
|
||
|
2119B7E000
|
stack
|
page read and write
|
||
|
14864461000
|
trusted library allocation
|
page read and write
|
||
|
1487A76F000
|
heap
|
page read and write
|
||
|
1486301F000
|
trusted library allocation
|
page read and write
|
||
|
1487AC02000
|
heap
|
page read and write
|
||
|
7FFD9BB20000
|
trusted library allocation
|
page read and write
|
||
|
1487ACEB000
|
heap
|
page read and write
|
||
|
7DF4230A0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1487A9F7000
|
heap
|
page execute and read and write
|
||
|
1487A880000
|
heap
|
page read and write
|
||
|
1487A8C0000
|
heap
|
page read and write
|
||
|
1487AFB0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BCC8000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B910000
|
trusted library allocation
|
page read and write
|
||
|
1487B137000
|
heap
|
page read and write
|
||
|
148608CC000
|
heap
|
page read and write
|
||
|
2119E3E000
|
stack
|
page read and write
|
||
|
7FFD9BAD0000
|
trusted library allocation
|
page read and write
|
||
|
1487A9F0000
|
heap
|
page execute and read and write
|
||
|
148622A0000
|
heap
|
page readonly
|
||
|
14863016000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9C0000
|
trusted library allocation
|
page read and write
|
||
|
211AD4E000
|
stack
|
page read and write
|
||
|
14864B44000
|
trusted library allocation
|
page read and write
|
||
|
14864A2C000
|
trusted library allocation
|
page read and write
|
||
|
14862B30000
|
trusted library allocation
|
page read and write
|
||
|
2119CFF000
|
stack
|
page read and write
|
||
|
1487AC90000
|
heap
|
page read and write
|
||
|
148643AC000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB19000
|
trusted library allocation
|
page read and write
|
||
|
1487AB91000
|
heap
|
page read and write
|
||
|
211AC8E000
|
stack
|
page read and write
|
||
|
7FFD9BAF3000
|
trusted library allocation
|
page read and write
|
||
|
148607D0000
|
heap
|
page read and write
|
||
|
148622E0000
|
heap
|
page execute and read and write
|
||
|
7FFD9B790000
|
trusted library allocation
|
page read and write
|
||
|
211ADCF000
|
stack
|
page read and write
|
||
|
1486543D000
|
trusted library allocation
|
page read and write
|
||
|
1487B118000
|
heap
|
page read and write
|
||
|
148621D0000
|
heap
|
page read and write
|
||
|
14862290000
|
trusted library allocation
|
page read and write
|
||
|
1487AC3C000
|
heap
|
page read and write
|
||
|
14864AD0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BBEC000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAF0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB2C000
|
trusted library allocation
|
page read and write
|
||
|
2119EB7000
|
stack
|
page read and write
|
||
|
148647C9000
|
trusted library allocation
|
page read and write
|
||
|
211AD0D000
|
stack
|
page read and write
|
||
|
1487277F000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B773000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B772000
|
trusted library allocation
|
page read and write
|
||
|
1487AC72000
|
heap
|
page read and write
|
||
|
14864A7B000
|
trusted library allocation
|
page read and write
|
||
|
1487B13D000
|
heap
|
page read and write
|
||
|
14862B26000
|
trusted library allocation
|
page read and write
|
||
|
1487A94A000
|
heap
|
page read and write
|
||
|
14872778000
|
trusted library allocation
|
page read and write
|
||
|
1487ACE2000
|
heap
|
page read and write
|
||
|
14863012000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B952000
|
trusted library allocation
|
page read and write
|
||
|
1487AC80000
|
heap
|
page read and write
|
||
|
14864A04000
|
trusted library allocation
|
page read and write
|
||
|
1487A8C8000
|
heap
|
page read and write
|
||
|
1487B0D7000
|
heap
|
page read and write
|
||
|
14862B18000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BBE0000
|
trusted library allocation
|
page read and write
|
||
|
1487B0F2000
|
heap
|
page read and write
|
||
|
211AECB000
|
stack
|
page read and write
|
||
|
7FFD9BBB3000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAC0000
|
trusted library allocation
|
page read and write
|
||
|
14863022000
|
trusted library allocation
|
page read and write
|
||
|
1486496F000
|
trusted library allocation
|
page read and write
|
||
|
211A03E000
|
stack
|
page read and write
|
||
|
7FFD9BC50000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA60000
|
trusted library allocation
|
page read and write
|
||
|
1486301C000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B921000
|
trusted library allocation
|
page read and write
|
||
|
148647A3000
|
trusted library allocation
|
page read and write
|
||
|
211A1BB000
|
stack
|
page read and write
|
||
|
7FFD9BBC0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B980000
|
trusted library allocation
|
page read and write
|
||
|
14872790000
|
trusted library allocation
|
page read and write
|
||
|
1487B0EC000
|
heap
|
page read and write
|
||
|
7FFD9B930000
|
trusted library allocation
|
page execute and read and write
|
||
|
148636F7000
|
trusted library allocation
|
page read and write
|
||
|
211977E000
|
stack
|
page read and write
|
||
|
7FFD9BBD0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9F0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB10000
|
trusted library allocation
|
page read and write
|
||
|
1487B114000
|
heap
|
page read and write
|
||
|
211A0BF000
|
stack
|
page read and write
|
||
|
148636D4000
|
trusted library allocation
|
page read and write
|
||
|
2119BFB000
|
stack
|
page read and write
|
||
|
7FFD9BB37000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B82C000
|
trusted library allocation
|
page execute and read and write
|
||
|
211A13E000
|
stack
|
page read and write
|
||
|
2119DF9000
|
stack
|
page read and write
|
||
|
148643CA000
|
trusted library allocation
|
page read and write
|
||
|
148642C9000
|
trusted library allocation
|
page read and write
|
||
|
1487AA20000
|
heap
|
page read and write
|
||
|
7FFD9B7CC000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9BB30000
|
trusted library allocation
|
page read and write
|
||
|
148607F0000
|
heap
|
page read and write
|
||
|
14862B38000
|
trusted library allocation
|
page read and write
|
||
|
1487B0C0000
|
heap
|
page read and write
|
||
|
7DF4230B0000
|
trusted library allocation
|
page execute and read and write
|
||
|
211AE4B000
|
stack
|
page read and write
|
||
|
7FFD9B92A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B780000
|
trusted library allocation
|
page read and write
|
||
|
2119FB8000
|
stack
|
page read and write
|
||
|
7FFD9BCE0000
|
trusted library allocation
|
page read and write
|
||
|
1487ACCF000
|
heap
|
page read and write
|
There are 231 hidden memdumps, click here to show them.