Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
1ZhE3yY8rV.ps1
|
ASCII text, with very long lines (4140), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_5bc72c5f64839fc18b3a4df19d39ebd45ce3fdf_e3b0f337_08931ada-a270-4980-913c-625c1f123ee4\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC7F.tmp.dmp
|
Mini DuMP crash report, 16 streams, Fri Oct 25 18:05:28 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF5F.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFDD.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iwlhj2gb.4al.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uavqn0lg.tef.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BMBGDFPUTMDU8FTQYSF7.temp
|
data
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\1ZhE3yY8rV.ps1"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\WerFault.exe
|
C:\Windows\system32\WerFault.exe -u -p 7552 -s 2028
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://217.195.153.196/assets/paleo
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
http://217.195.153.196/assets/paleochorologyma.exe
|
217.195.153.196
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://217.195.153.196
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
There are 5 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
217.195.153.196
|
unknown
|
Netherlands
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
ProgramId
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
FileId
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
LongPathHash
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
Name
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
OriginalFileName
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
Publisher
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
Version
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
BinFileVersion
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
BinaryType
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
ProductName
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
ProductVersion
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
LinkDate
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
BinProductVersion
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
Size
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
Language
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
IsOsComponent
|
||
|
\REGISTRY\A\{237e2807-30c2-5043-0f8d-5cada8033ce8}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
|
Usn
|
There are 24 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
866FF7D000
|
stack
|
page read and write
|
||
|
199527AF000
|
trusted library allocation
|
page read and write
|
||
|
1995A856000
|
heap
|
page read and write
|
||
|
199424C1000
|
trusted library allocation
|
page read and write
|
||
|
866FEFE000
|
stack
|
page read and write
|
||
|
7FFD9B950000
|
trusted library allocation
|
page read and write
|
||
|
19943B89000
|
trusted library allocation
|
page read and write
|
||
|
1995A5E0000
|
heap
|
page read and write
|
||
|
7FFD9B69C000
|
trusted library allocation
|
page execute and read and write
|
||
|
19942463000
|
trusted library allocation
|
page read and write
|
||
|
866FE7E000
|
stack
|
page read and write
|
||
|
19940497000
|
heap
|
page read and write
|
||
|
7FFD9B660000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8E0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B822000
|
trusted library allocation
|
page read and write
|
||
|
199403F8000
|
heap
|
page read and write
|
||
|
1995A82D000
|
heap
|
page read and write
|
||
|
7FFD9B980000
|
trusted library allocation
|
page read and write
|
||
|
19940402000
|
heap
|
page read and write
|
||
|
7FFD9B910000
|
trusted library allocation
|
page read and write
|
||
|
8670139000
|
stack
|
page read and write
|
||
|
7FFD9B990000
|
trusted library allocation
|
page read and write
|
||
|
86700B6000
|
stack
|
page read and write
|
||
|
19940635000
|
heap
|
page read and write
|
||
|
7FFD9B960000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B643000
|
trusted library allocation
|
page execute and read and write
|
||
|
199406A0000
|
trusted library allocation
|
page read and write
|
||
|
1995A548000
|
heap
|
page read and write
|
||
|
19952677000
|
trusted library allocation
|
page read and write
|
||
|
19940360000
|
heap
|
page read and write
|
||
|
19940670000
|
trusted library section
|
page read and write
|
||
|
7FFD9B810000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B7F1000
|
trusted library allocation
|
page read and write
|
||
|
199404DE000
|
heap
|
page read and write
|
||
|
19940380000
|
heap
|
page read and write
|
||
|
7FFD9B890000
|
trusted library allocation
|
page read and write
|
||
|
1995A7F3000
|
heap
|
page read and write
|
||
|
1994049D000
|
heap
|
page read and write
|
||
|
7FFD9B840000
|
trusted library allocation
|
page read and write
|
||
|
19940680000
|
trusted library allocation
|
page read and write
|
||
|
1995A4C0000
|
heap
|
page read and write
|
||
|
19943322000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B827000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B930000
|
trusted library allocation
|
page read and write
|
||
|
199524C1000
|
trusted library allocation
|
page read and write
|
||
|
1995A807000
|
heap
|
page read and write
|
||
|
867104A000
|
stack
|
page read and write
|
||
|
7FFD9B850000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B760000
|
trusted library allocation
|
page execute and read and write
|
||
|
866F9FE000
|
stack
|
page read and write
|
||
|
1995A59F000
|
heap
|
page read and write
|
||
|
19940690000
|
heap
|
page readonly
|
||
|
7FFD9B8C0000
|
trusted library allocation
|
page read and write
|
||
|
867023E000
|
stack
|
page read and write
|
||
|
7FFD9B9D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B940000
|
trusted library allocation
|
page read and write
|
||
|
1995A6C0000
|
direct allocation
|
page execute and read and write
|
||
|
199403C0000
|
heap
|
page read and write
|
||
|
19943D1A000
|
trusted library allocation
|
page read and write
|
||
|
8670ECF000
|
stack
|
page read and write
|
||
|
86701B7000
|
stack
|
page read and write
|
||
|
7FFD9B726000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B6FC000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B880000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7FA000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8D0000
|
trusted library allocation
|
page read and write
|
||
|
19940630000
|
heap
|
page read and write
|
||
|
7FFD9B8A0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B825000
|
trusted library allocation
|
page read and write
|
||
|
19942210000
|
trusted library allocation
|
page read and write
|
||
|
19943CB7000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B640000
|
trusted library allocation
|
page read and write
|
||
|
19940660000
|
trusted library section
|
page read and write
|
||
|
199527BE000
|
trusted library allocation
|
page read and write
|
||
|
199404AF000
|
heap
|
page read and write
|
||
|
8670DC1000
|
stack
|
page read and write
|
||
|
19940493000
|
heap
|
page read and write
|
||
|
867043C000
|
stack
|
page read and write
|
||
|
867033E000
|
stack
|
page read and write
|
||
|
8670F4E000
|
stack
|
page read and write
|
||
|
7FFD9B900000
|
trusted library allocation
|
page read and write
|
||
|
19940620000
|
heap
|
page read and write
|
||
|
866FDFB000
|
stack
|
page read and write
|
||
|
866FCFE000
|
stack
|
page read and write
|
||
|
7FFD9B6F6000
|
trusted library allocation
|
page read and write
|
||
|
8670E0F000
|
stack
|
page read and write
|
||
|
199403F0000
|
heap
|
page read and write
|
||
|
7FFD9B9A0000
|
trusted library allocation
|
page read and write
|
||
|
86702BE000
|
stack
|
page read and write
|
||
|
1995A770000
|
heap
|
page execute and read and write
|
||
|
19942213000
|
trusted library allocation
|
page read and write
|
||
|
19943B6E000
|
trusted library allocation
|
page read and write
|
||
|
19942440000
|
heap
|
page execute and read and write
|
||
|
86703BE000
|
stack
|
page read and write
|
||
|
7FFD9B9F0000
|
trusted library allocation
|
page execute and read and write
|
||
|
866FFF9000
|
stack
|
page read and write
|
||
|
1994048F000
|
heap
|
page read and write
|
||
|
7FFD9B642000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9E0000
|
trusted library allocation
|
page read and write
|
||
|
866FD7D000
|
stack
|
page read and write
|
||
|
7FFD9B7F4000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8F0000
|
trusted library allocation
|
page read and write
|
||
|
1995A84A000
|
heap
|
page read and write
|
||
|
867003E000
|
stack
|
page read and write
|
||
|
19943B67000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B65B000
|
trusted library allocation
|
page read and write
|
||
|
8670E8D000
|
stack
|
page read and write
|
||
|
19952535000
|
trusted library allocation
|
page read and write
|
||
|
19943D23000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B970000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B920000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7E0000
|
trusted library allocation
|
page read and write
|
||
|
1995A7E9000
|
heap
|
page read and write
|
||
|
19940650000
|
trusted library allocation
|
page read and write
|
||
|
199404D8000
|
heap
|
page read and write
|
||
|
199406F0000
|
heap
|
page read and write
|
||
|
866F975000
|
stack
|
page read and write
|
||
|
866FC7E000
|
stack
|
page read and write
|
||
|
7FFD9B830000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B860000
|
trusted library allocation
|
page read and write
|
||
|
1995A84C000
|
heap
|
page read and write
|
||
|
7FFD9B64D000
|
trusted library allocation
|
page execute and read and write
|
||
|
19942460000
|
trusted library allocation
|
page read and write
|
||
|
1995A875000
|
heap
|
page read and write
|
||
|
19942922000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B82A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8B0000
|
trusted library allocation
|
page read and write
|
||
|
1995A777000
|
heap
|
page execute and read and write
|
||
|
19942320000
|
heap
|
page read and write
|
||
|
19942331000
|
heap
|
page read and write
|
||
|
7FFD9B870000
|
trusted library allocation
|
page read and write
|
||
|
199426F2000
|
trusted library allocation
|
page read and write
|
||
|
19940350000
|
heap
|
page read and write
|
||
|
7FFD9B650000
|
trusted library allocation
|
page read and write
|
||
|
199406F5000
|
heap
|
page read and write
|
||
|
199424B0000
|
heap
|
page execute and read and write
|
||
|
1995A7DA000
|
heap
|
page read and write
|
||
|
1995A780000
|
heap
|
page read and write
|
||
|
1995A5A8000
|
heap
|
page read and write
|
||
|
7FFD9B9C0000
|
trusted library allocation
|
page read and write
|
||
|
199524D0000
|
trusted library allocation
|
page read and write
|
||
|
19940499000
|
heap
|
page read and write
|
||
|
7DF4FD2C0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1995A803000
|
heap
|
page read and write
|
||
|
1994254B000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9B0000
|
trusted library allocation
|
page read and write
|
||
|
8670FC7000
|
stack
|
page read and write
|
||
|
7FFD9B644000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B800000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B6F0000
|
trusted library allocation
|
page read and write
|
There are 140 hidden memdumps, click here to show them.