Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
download.ps1
|
ASCII text, with very long lines (10727), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ljiurby.jcp.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ijrnu1c5.jon.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qhqx1wqh.ptw.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skwa3h3f.rzf.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UUQGGPAFNQD1WXHX4HQO.temp
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://crl.microsoft
|
unknown
|
||
|
https://photos.google.com/?tab=wq&pageId=none
|
unknown
|
||
|
http://www.google.com/preferences?hl=enX
|
unknown
|
||
|
https://csp.withgoogle.com/csp/gws/other-hp
|
unknown
|
||
|
http://$w2aqei9sf5xubhl/$ra8ocgp2zyk0sqn.php?id=$env:computername&key=$pzsnuxq&s=527
|
unknown
|
||
|
http://bkkeiekjfcdaaen.top
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://news.google.com/?tab=wn
|
unknown
|
||
|
https://docs.google.com/document/?usp=docs_alc
|
unknown
|
||
|
http://schema.org/WebPage
|
unknown
|
||
|
https://0.google.com/
|
unknown
|
||
|
https://www.google.com/webhp?tab=ww
|
unknown
|
||
|
http://schema.org/WebPageX
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://www.google.com/finance?tab=we
|
unknown
|
||
|
http://maps.google.com/maps?hl=en&tab=wl
|
unknown
|
||
|
http://www.google.com
|
unknown
|
||
|
http://crl.micft.cMicRosof
|
unknown
|
||
|
https://apis.google.com
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
http://www.blogger.com/?tab=wj
|
unknown
|
||
|
http://bkkeiekjfcdaaen.top/57r28djmi4htr.php?id=user-PC&key=89603564784&s=527
|
168.100.10.140
|
||
|
http://www.google.com/mobile/?hl=en&tab=wD
|
unknown
|
||
|
https://play.google.com/?hl=en&tab=w8
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
https://www.google.com/imghp?hl=en&tab=wi
|
unknown
|
||
|
https://www.google.com/shopping?hl=en&source=og&tab=wf
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s96
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://schemas.xmlsoap.org/soap/encoding/
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://drive.google.com/?tab=wo
|
unknown
|
||
|
http://crl.mic
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://0.google
|
unknown
|
||
|
https://mail.google.com/mail/?tab=wm
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://www.youtube.com/?tab=w1
|
unknown
|
||
|
http://0.google.
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s96X
|
unknown
|
||
|
http://0.google.com/
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s24
|
unknown
|
||
|
http://www.google.com/history/optout?hl=en
|
unknown
|
||
|
https://books.google.com/?hl=en&tab=wp
|
unknown
|
||
|
https://translate.google.com/?hl=en&tab=wT
|
unknown
|
||
|
http://schemas.xmlsoap.org/wsdl/
|
unknown
|
||
|
https://www.google.com/intl/en/about/products?tab=whX
|
unknown
|
||
|
https://calendar.google.com/calendar?tab=wc
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s24X
|
unknown
|
||
|
http://www.google.com/
|
172.217.21.36
|
There are 42 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
bkkeiekjfcdaaen.top
|
168.100.10.140
|
||
|
www.google.com
|
172.217.21.36
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
172.217.21.36
|
www.google.com
|
United States
|
||
|
168.100.10.140
|
bkkeiekjfcdaaen.top
|
United States
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
EEDDCFE000
|
stack
|
page read and write
|
||
|
7FFD9B79D000
|
trusted library allocation
|
page execute and read and write
|
||
|
238C9184000
|
trusted library allocation
|
page read and write
|
||
|
238C5A25000
|
heap
|
page read and write
|
||
|
EEDF00D000
|
stack
|
page read and write
|
||
|
238C91EE000
|
trusted library allocation
|
page read and write
|
||
|
238C86C4000
|
trusted library allocation
|
page read and write
|
||
|
EEDDB7A000
|
stack
|
page read and write
|
||
|
238C59E4000
|
heap
|
page read and write
|
||
|
7FFD9BC70000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9F0000
|
trusted library allocation
|
page read and write
|
||
|
238CA09E000
|
trusted library allocation
|
page read and write
|
||
|
238CA081000
|
trusted library allocation
|
page read and write
|
||
|
238C7861000
|
trusted library allocation
|
page read and write
|
||
|
238C85CE000
|
trusted library allocation
|
page read and write
|
||
|
238DFC60000
|
heap
|
page read and write
|
||
|
7FFD9BB10000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB90000
|
trusted library allocation
|
page read and write
|
||
|
238D7B59000
|
trusted library allocation
|
page read and write
|
||
|
EEDE1BC000
|
stack
|
page read and write
|
||
|
EEDDAFE000
|
stack
|
page read and write
|
||
|
238C59DC000
|
heap
|
page read and write
|
||
|
7FFD9B974000
|
trusted library allocation
|
page read and write
|
||
|
EEDDE78000
|
stack
|
page read and write
|
||
|
7FFD9BC50000
|
trusted library allocation
|
page read and write
|
||
|
238C9D79000
|
trusted library allocation
|
page read and write
|
||
|
238C9DB4000
|
trusted library allocation
|
page read and write
|
||
|
238CA090000
|
trusted library allocation
|
page read and write
|
||
|
EEDED8D000
|
stack
|
page read and write
|
||
|
7FFD9BA00000
|
trusted library allocation
|
page read and write
|
||
|
238C7400000
|
heap
|
page read and write
|
||
|
7FFD9B9C0000
|
trusted library allocation
|
page read and write
|
||
|
238DFE11000
|
heap
|
page read and write
|
||
|
EEDEE8B000
|
stack
|
page read and write
|
||
|
238DFDD5000
|
heap
|
page read and write
|
||
|
7FFD9B978000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B941000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B84C000
|
trusted library allocation
|
page execute and read and write
|
||
|
238D7A39000
|
trusted library allocation
|
page read and write
|
||
|
238DFC00000
|
heap
|
page execute and read and write
|
||
|
7FFD9BAD0000
|
trusted library allocation
|
page read and write
|
||
|
EEDEF8E000
|
stack
|
page read and write
|
||
|
238D7861000
|
trusted library allocation
|
page read and write
|
||
|
238C73A0000
|
trusted library allocation
|
page read and write
|
||
|
238C5B45000
|
heap
|
page read and write
|
||
|
238DFD1F000
|
heap
|
page read and write
|
||
|
7FFD9BB70000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BC80000
|
trusted library allocation
|
page read and write
|
||
|
238CA099000
|
trusted library allocation
|
page read and write
|
||
|
238C9166000
|
trusted library allocation
|
page read and write
|
||
|
238C9D65000
|
trusted library allocation
|
page read and write
|
||
|
238C5B00000
|
heap
|
page read and write
|
||
|
7FFD9B7B0000
|
trusted library allocation
|
page read and write
|
||
|
238C7850000
|
heap
|
page execute and read and write
|
||
|
EEDEE0B000
|
stack
|
page read and write
|
||
|
238C8D34000
|
trusted library allocation
|
page read and write
|
||
|
238C9D74000
|
trusted library allocation
|
page read and write
|
||
|
238C59F6000
|
heap
|
page read and write
|
||
|
7FFD9BB50000
|
trusted library allocation
|
page read and write
|
||
|
238DF970000
|
heap
|
page read and write
|
||
|
238CA07C000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BBD0000
|
trusted library allocation
|
page read and write
|
||
|
238C77A0000
|
heap
|
page read and write
|
||
|
238DFA57000
|
heap
|
page read and write
|
||
|
7FFD9BA40000
|
trusted library allocation
|
page read and write
|
||
|
238C9D7E000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9E0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BBA8000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B794000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B980000
|
trusted library allocation
|
page execute and read and write
|
||
|
EEDDEBE000
|
stack
|
page read and write
|
||
|
238C8488000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BBAC000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BC60000
|
trusted library allocation
|
page execute and read and write
|
||
|
EEDE23C000
|
stack
|
page read and write
|
||
|
7FFD9B792000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B930000
|
trusted library allocation
|
page read and write
|
||
|
7DF417AE0000
|
trusted library allocation
|
page execute and read and write
|
||
|
EEDE2BC000
|
stack
|
page read and write
|
||
|
7FFD9BA70000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA50000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B960000
|
trusted library allocation
|
page execute and read and write
|
||
|
EEDF0CE000
|
stack
|
page read and write
|
||
|
7FFD9BAF0000
|
trusted library allocation
|
page read and write
|
||
|
238C59D8000
|
heap
|
page read and write
|
||
|
238CA0B1000
|
trusted library allocation
|
page read and write
|
||
|
238DFC50000
|
heap
|
page execute and read and write
|
||
|
7FFD9BC40000
|
trusted library allocation
|
page read and write
|
||
|
238D7ACB000
|
trusted library allocation
|
page read and write
|
||
|
EEDDC7B000
|
stack
|
page read and write
|
||
|
7FFD9B9A0000
|
trusted library allocation
|
page read and write
|
||
|
238C73E0000
|
heap
|
page readonly
|
||
|
238DFD48000
|
heap
|
page read and write
|
||
|
7FFD9BAB0000
|
trusted library allocation
|
page read and write
|
||
|
EEDE039000
|
stack
|
page read and write
|
||
|
EEDDFB8000
|
stack
|
page read and write
|
||
|
238DFDF8000
|
heap
|
page read and write
|
||
|
7FFD9BAE0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B876000
|
trusted library allocation
|
page execute and read and write
|
||
|
238C7A88000
|
trusted library allocation
|
page read and write
|
||
|
238DFD72000
|
heap
|
page read and write
|
||
|
238DFB20000
|
heap
|
page read and write
|
||
|
238C85C5000
|
trusted library allocation
|
page read and write
|
||
|
EEDDF37000
|
stack
|
page read and write
|
||
|
7FFD9BA30000
|
trusted library allocation
|
page read and write
|
||
|
EEDE13E000
|
stack
|
page read and write
|
||
|
238C5938000
|
heap
|
page read and write
|
||
|
238C9EE4000
|
trusted library allocation
|
page read and write
|
||
|
238C918A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB73000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB40000
|
trusted library allocation
|
page read and write
|
||
|
238DFC57000
|
heap
|
page execute and read and write
|
||
|
238C9D6A000
|
trusted library allocation
|
page read and write
|
||
|
7DF417AF0000
|
trusted library allocation
|
page execute and read and write
|
||
|
EEDED0E000
|
stack
|
page read and write
|
||
|
7FFD9B7AB000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB94000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B972000
|
trusted library allocation
|
page read and write
|
||
|
EEDE0BE000
|
stack
|
page read and write
|
||
|
238DFD16000
|
heap
|
page read and write
|
||
|
EEDDA7E000
|
stack
|
page read and write
|
||
|
238C72F0000
|
heap
|
page read and write
|
||
|
238C77E0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA90000
|
trusted library allocation
|
page read and write
|
||
|
238C5A1F000
|
heap
|
page read and write
|
||
|
7FFD9B840000
|
trusted library allocation
|
page read and write
|
||
|
238D7890000
|
trusted library allocation
|
page read and write
|
||
|
238DFD62000
|
heap
|
page read and write
|
||
|
238C5900000
|
heap
|
page read and write
|
||
|
7FFD9BC30000
|
trusted library allocation
|
page read and write
|
||
|
238C9D5C000
|
trusted library allocation
|
page read and write
|
||
|
238C73F0000
|
trusted library allocation
|
page read and write
|
||
|
238C78E8000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAA0000
|
trusted library allocation
|
page read and write
|
||
|
238C7405000
|
heap
|
page read and write
|
||
|
238DFE40000
|
heap
|
page read and write
|
||
|
238DF9B1000
|
heap
|
page read and write
|
||
|
238C9D6F000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BC90000
|
trusted library allocation
|
page read and write
|
||
|
238C98C5000
|
trusted library allocation
|
page read and write
|
||
|
238CA0A3000
|
trusted library allocation
|
page read and write
|
||
|
238CA0C6000
|
trusted library allocation
|
page read and write
|
||
|
238C9D88000
|
trusted library allocation
|
page read and write
|
||
|
238CA086000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA80000
|
trusted library allocation
|
page read and write
|
||
|
238C5930000
|
heap
|
page read and write
|
||
|
EEDDDF9000
|
stack
|
page read and write
|
||
|
7DF417B00000
|
trusted library allocation
|
page execute and read and write
|
||
|
238C9169000
|
trusted library allocation
|
page read and write
|
||
|
EEDEF0E000
|
stack
|
page read and write
|
||
|
EEDF04E000
|
stack
|
page read and write
|
||
|
238C740E000
|
heap
|
page read and write
|
||
|
7FFD9B990000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9B0000
|
trusted library allocation
|
page read and write
|
||
|
238C7340000
|
heap
|
page read and write
|
||
|
7FFD9BB99000
|
trusted library allocation
|
page read and write
|
||
|
EEDEC8F000
|
stack
|
page read and write
|
||
|
7FFD9BBC0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA60000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BBA0000
|
trusted library allocation
|
page read and write
|
||
|
EEDE3BE000
|
stack
|
page read and write
|
||
|
238CA077000
|
trusted library allocation
|
page read and write
|
||
|
238DFD21000
|
heap
|
page read and write
|
||
|
7FFD9BB00000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B7A0000
|
trusted library allocation
|
page read and write
|
||
|
238C5B40000
|
heap
|
page read and write
|
||
|
7FFD9B7EC000
|
trusted library allocation
|
page execute and read and write
|
||
|
238C9EEE000
|
trusted library allocation
|
page read and write
|
||
|
EEDD7E5000
|
stack
|
page read and write
|
||
|
238C77E8000
|
trusted library allocation
|
page read and write
|
||
|
238DFD08000
|
heap
|
page read and write
|
||
|
238DFD8D000
|
heap
|
page read and write
|
||
|
238C92AE000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA20000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B94A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAC0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B790000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B793000
|
trusted library allocation
|
page execute and read and write
|
||
|
EEDDD7F000
|
stack
|
page read and write
|
||
|
238DFC40000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB20000
|
trusted library allocation
|
page execute and read and write
|
||
|
EEDDBFD000
|
stack
|
page read and write
|
||
|
238C59E0000
|
heap
|
page read and write
|
||
|
EEDF14B000
|
stack
|
page read and write
|
||
|
238C85DA000
|
trusted library allocation
|
page read and write
|
||
|
238C5910000
|
heap
|
page read and write
|
||
|
7FFD9BA10000
|
trusted library allocation
|
page read and write
|
||
|
238CA094000
|
trusted library allocation
|
page read and write
|
||
|
238DF9F7000
|
heap
|
page read and write
|
||
|
238D78D0000
|
trusted library allocation
|
page read and write
|
||
|
238DFD3F000
|
heap
|
page read and write
|
||
|
238C5942000
|
heap
|
page read and write
|
||
|
7FFD9BB60000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B9D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B950000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9BBB0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B846000
|
trusted library allocation
|
page read and write
|
||
|
238C73D0000
|
trusted library allocation
|
page read and write
|
||
|
238C77B0000
|
trusted library allocation
|
page read and write
|
||
|
238D7B49000
|
trusted library allocation
|
page read and write
|
||
|
238DFA65000
|
heap
|
page read and write
|
||
|
7FFD9B8B0000
|
trusted library allocation
|
page execute and read and write
|
||
|
238DF861000
|
heap
|
page read and write
|
||
|
238C9D83000
|
trusted library allocation
|
page read and write
|
||
|
238C59D6000
|
heap
|
page read and write
|
||
|
7FFD9BB30000
|
trusted library allocation
|
page read and write
|
||
|
238DFB00000
|
heap
|
page read and write
|
||
|
238DFE48000
|
heap
|
page read and write
|
||
|
238C9D60000
|
trusted library allocation
|
page read and write
|
||
|
238DFDC2000
|
heap
|
page read and write
|
||
|
238CA08A000
|
trusted library allocation
|
page read and write
|
There are 201 hidden memdumps, click here to show them.