Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
123.ps1
|
ASCII text, with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o5pz0pvb.dm4.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tue1hq1h.2il.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FCF919820GQBCRXUD505.temp
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\123.ps1"
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
http://www.microsoft.co
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
There are 2 hidden URLs, click here to show them.
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Powermanager\NetworkProvider
|
Class
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Powermanager\NetworkProvider
|
Name
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Powermanager\NetworkProvider
|
ProviderPath
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\Order
|
PROVIDERORDER
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7FFAAC5C0000
|
trusted library allocation
|
page read and write
|
||
|
1F137560000
|
heap
|
page read and write
|
||
|
7FFB1E3C5000
|
unkown
|
page readonly
|
||
|
7FFAAC520000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F137470000
|
trusted library allocation
|
page read and write
|
||
|
1F14FA18000
|
heap
|
page read and write
|
||
|
1F135AB4000
|
heap
|
page read and write
|
||
|
1F14FDA2000
|
heap
|
page read and write
|
||
|
7FFAAC620000
|
trusted library allocation
|
page read and write
|
||
|
1F1378B7000
|
heap
|
page read and write
|
||
|
1F14FADC000
|
heap
|
page read and write
|
||
|
7FFAAC590000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC5F0000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC660000
|
trusted library allocation
|
page read and write
|
||
|
1F137490000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC5E0000
|
trusted library allocation
|
page read and write
|
||
|
BCFE2FE000
|
stack
|
page read and write
|
||
|
7FFAAC630000
|
trusted library allocation
|
page read and write
|
||
|
BCFDDF5000
|
stack
|
page read and write
|
||
|
1F1379E1000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC354000
|
trusted library allocation
|
page read and write
|
||
|
1F14FDC0000
|
heap
|
page read and write
|
||
|
7FFAAC680000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC690000
|
trusted library allocation
|
page read and write
|
||
|
BCFE6BE000
|
stack
|
page read and write
|
||
|
1F14FD6C000
|
heap
|
page read and write
|
||
|
7FFB1E3B6000
|
unkown
|
page readonly
|
||
|
7FFAAC40C000
|
trusted library allocation
|
page execute and read and write
|
||
|
BCFE8BB000
|
stack
|
page read and write
|
||
|
1F14F9E0000
|
heap
|
page read and write
|
||
|
7FFAAC510000
|
trusted library allocation
|
page execute and read and write
|
||
|
BCFE0FE000
|
stack
|
page read and write
|
||
|
BCFE83E000
|
stack
|
page read and write
|
||
|
1F14FA5E000
|
heap
|
page read and write
|
||
|
1F135DA0000
|
heap
|
page read and write
|
||
|
7FFAAC600000
|
trusted library allocation
|
page read and write
|
||
|
7FFB1E3C0000
|
unkown
|
page read and write
|
||
|
1F1374F0000
|
trusted library allocation
|
page read and write
|
||
|
1F14FD74000
|
heap
|
page read and write
|
||
|
1F1359B0000
|
heap
|
page read and write
|
||
|
BCFE07E000
|
stack
|
page read and write
|
||
|
7FFAAC570000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC670000
|
trusted library allocation
|
page read and write
|
||
|
BCFF28F000
|
stack
|
page read and write
|
||
|
7FFAAC560000
|
trusted library allocation
|
page read and write
|
||
|
BCFE37E000
|
stack
|
page read and write
|
||
|
1F137A6A000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC352000
|
trusted library allocation
|
page read and write
|
||
|
1F135AD4000
|
heap
|
page read and write
|
||
|
7FFAAC36B000
|
trusted library allocation
|
page read and write
|
||
|
1F135DA5000
|
heap
|
page read and write
|
||
|
1F14FBA0000
|
heap
|
page execute and read and write
|
||
|
7FFAAC35D000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F14FAD3000
|
heap
|
page read and write
|
||
|
1F14FA6B000
|
heap
|
page read and write
|
||
|
7FFAAC470000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F14FC80000
|
heap
|
page read and write
|
||
|
7FFB1E3A0000
|
unkown
|
page readonly
|
||
|
1F14FDB8000
|
heap
|
page read and write
|
||
|
1F1359A0000
|
heap
|
page read and write
|
||
|
1F135D90000
|
heap
|
page read and write
|
||
|
1F14FC57000
|
heap
|
page execute and read and write
|
||
|
7FFAAC353000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFAAC6C0000
|
trusted library allocation
|
page read and write
|
||
|
1F14FA1B000
|
heap
|
page read and write
|
||
|
1F1479F0000
|
trusted library allocation
|
page read and write
|
||
|
1F135B02000
|
heap
|
page read and write
|
||
|
7FFB1E3A1000
|
unkown
|
page execute read
|
||
|
1F135D95000
|
heap
|
page read and write
|
||
|
7FFAAC650000
|
trusted library allocation
|
page read and write
|
||
|
1F1379D0000
|
heap
|
page read and write
|
||
|
BCFE1FE000
|
stack
|
page read and write
|
||
|
1F1374B0000
|
heap
|
page execute and read and write
|
||
|
7FFAAC360000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC550000
|
trusted library allocation
|
page read and write
|
||
|
BCFE17D000
|
stack
|
page read and write
|
||
|
1F138612000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC501000
|
trusted library allocation
|
page read and write
|
||
|
BCFE5B9000
|
stack
|
page read and write
|
||
|
BCFE63A000
|
stack
|
page read and write
|
||
|
1F135A9C000
|
heap
|
page read and write
|
||
|
BCFE4BE000
|
stack
|
page read and write
|
||
|
1F139930000
|
trusted library allocation
|
page read and write
|
||
|
1F135A18000
|
heap
|
page read and write
|
||
|
7FFAAC5A0000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC5B0000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC532000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC6A0000
|
trusted library allocation
|
page read and write
|
||
|
BCFE73E000
|
stack
|
page read and write
|
||
|
1F135AB8000
|
heap
|
page read and write
|
||
|
7FFAAC406000
|
trusted library allocation
|
page read and write
|
||
|
7FFB1E3C2000
|
unkown
|
page readonly
|
||
|
1F1359D0000
|
heap
|
page read and write
|
||
|
BCFE478000
|
stack
|
page read and write
|
||
|
1F135D70000
|
heap
|
page read and write
|
||
|
1F135A22000
|
heap
|
page read and write
|
||
|
1F138E7E000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC6B0000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC610000
|
trusted library allocation
|
page read and write
|
||
|
1F147A50000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC436000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F137480000
|
heap
|
page readonly
|
||
|
BCFE27B000
|
stack
|
page read and write
|
||
|
7FFAAC5D0000
|
trusted library allocation
|
page read and write
|
||
|
1F14FE18000
|
heap
|
page read and write
|
||
|
1F14FD60000
|
heap
|
page read and write
|
||
|
7FFAAC580000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC540000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F1479E1000
|
trusted library allocation
|
page read and write
|
||
|
1F14FE25000
|
heap
|
page read and write
|
||
|
1F135A10000
|
heap
|
page read and write
|
||
|
1F1391BD000
|
trusted library allocation
|
page read and write
|
||
|
1F14FC50000
|
heap
|
page execute and read and write
|
||
|
7FFAAC640000
|
trusted library allocation
|
page read and write
|
||
|
1F135ABE000
|
heap
|
page read and write
|
||
|
BCFE47E000
|
stack
|
page read and write
|
||
|
1F1374F3000
|
trusted library allocation
|
page read and write
|
||
|
1F137C12000
|
trusted library allocation
|
page read and write
|
||
|
1F14FA38000
|
heap
|
page read and write
|
||
|
1F14FE04000
|
heap
|
page read and write
|
||
|
7FFAAC4F0000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC50A000
|
trusted library allocation
|
page read and write
|
||
|
1F14FA1F000
|
heap
|
page read and write
|
||
|
1F135A98000
|
heap
|
page read and write
|
||
|
1F147B93000
|
trusted library allocation
|
page read and write
|
||
|
1F137440000
|
trusted library allocation
|
page read and write
|
||
|
BCFE537000
|
stack
|
page read and write
|
||
|
1F14FE20000
|
heap
|
page read and write
|
||
|
BCFE3FD000
|
stack
|
page read and write
|
||
|
7FFAAC400000
|
trusted library allocation
|
page read and write
|
||
|
1F135AFD000
|
heap
|
page read and write
|
||
|
7FFAAC410000
|
trusted library allocation
|
page execute and read and write
|
||
|
7DF457E60000
|
trusted library allocation
|
page execute and read and write
|
There are 123 hidden memdumps, click here to show them.