Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
download.ps1
|
ASCII text, with very long lines (10691), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0puetep3.t4n.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sexvryeo.0di.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xonzhs1n.zy5.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcr5w3oc.jbu.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\81NN4CKRNRQPPCXUKCRO.temp
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://crl.microsoft
|
unknown
|
||
|
https://photos.google.com/?tab=wq&pageId=none
|
unknown
|
||
|
http://www.google.com/preferences?hl=enX
|
unknown
|
||
|
https://csp.withgoogle.com/csp/gws/other-hp
|
unknown
|
||
|
http://bkkeiekjfcdaaen.top
|
unknown
|
||
|
http://www.microsoft.co
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://news.google.com/?tab=wn
|
unknown
|
||
|
https://docs.google.com/document/?usp=docs_alc
|
unknown
|
||
|
http://schema.org/WebPage
|
unknown
|
||
|
https://0.google.com/
|
unknown
|
||
|
https://www.google.com/webhp?tab=ww
|
unknown
|
||
|
http://schema.org/WebPageX
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://www.google.com/finance?tab=we
|
unknown
|
||
|
http://maps.google.com/maps?hl=en&tab=wl
|
unknown
|
||
|
http://www.google.com
|
unknown
|
||
|
https://apis.google.com
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
http://www.blogger.com/?tab=wj
|
unknown
|
||
|
http://www.google.com/mobile/?hl=en&tab=wD
|
unknown
|
||
|
https://play.google.com/?hl=en&tab=w8
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
https://www.google.com/imghp?hl=en&tab=wi
|
unknown
|
||
|
https://www.google.com/shopping?hl=en&source=og&tab=wf
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s96
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://schemas.xmlsoap.org/soap/encoding/
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://drive.google.com/?tab=wo
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://0.google
|
unknown
|
||
|
https://mail.google.com/mail/?tab=wm
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://www.youtube.com/?tab=w1
|
unknown
|
||
|
http://0.google.
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s96X
|
unknown
|
||
|
http://bkkeiekjfcdaaen.top/7umlt3rvkyhtr.php?id=user-PC&key=107945053478&s=527
|
168.100.10.140
|
||
|
http://0.google.com/
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s24
|
unknown
|
||
|
http://www.google.com/history/optout?hl=en
|
unknown
|
||
|
https://books.google.com/?hl=en&tab=wp
|
unknown
|
||
|
https://translate.google.com/?hl=en&tab=wT
|
unknown
|
||
|
http://schemas.xmlsoap.org/wsdl/
|
unknown
|
||
|
https://www.google.com/intl/en/about/products?tab=whX
|
unknown
|
||
|
https://calendar.google.com/calendar?tab=wc
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://$0zlj8fwiqx1ant6/$evdwf3lj9btnqu8.php?id=$env:computername&key=$lcwpdjugbir&s=527
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s24X
|
unknown
|
||
|
http://www.google.com/
|
142.250.181.68
|
There are 41 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
bkkeiekjfcdaaen.top
|
168.100.10.140
|
||
|
www.google.com
|
142.250.181.68
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
142.250.181.68
|
www.google.com
|
United States
|
||
|
168.100.10.140
|
bkkeiekjfcdaaen.top
|
United States
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
17172997000
|
heap
|
page execute and read and write
|
||
|
7FFD9B8E0000
|
trusted library allocation
|
page read and write
|
||
|
23197E000
|
stack
|
page read and write
|
||
|
17102381000
|
trusted library allocation
|
page read and write
|
||
|
171018AF000
|
trusted library allocation
|
page read and write
|
||
|
17170EF7000
|
heap
|
page read and write
|
||
|
7FFD9BAD8000
|
trusted library allocation
|
page read and write
|
||
|
17170F3E000
|
heap
|
page read and write
|
||
|
17171115000
|
heap
|
page read and write
|
||
|
7FFD9BA00000
|
trusted library allocation
|
page read and write
|
||
|
17102367000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B940000
|
trusted library allocation
|
page read and write
|
||
|
171732A8000
|
heap
|
page read and write
|
||
|
7FFD9B970000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B6DB000
|
trusted library allocation
|
page read and write
|
||
|
17170F48000
|
heap
|
page read and write
|
||
|
7FFD9BAA0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B6CD000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9BB70000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB63000
|
trusted library allocation
|
page read and write
|
||
|
17172EC3000
|
heap
|
page read and write
|
||
|
17172A30000
|
heap
|
page execute and read and write
|
||
|
7FFD9B7E0000
|
trusted library allocation
|
page execute and read and write
|
||
|
171026A9000
|
trusted library allocation
|
page read and write
|
||
|
171731D4000
|
heap
|
page read and write
|
||
|
17170F61000
|
heap
|
page read and write
|
||
|
17170FB0000
|
heap
|
page read and write
|
||
|
17172E9B000
|
heap
|
page read and write
|
||
|
17170F69000
|
heap
|
page read and write
|
||
|
17171120000
|
heap
|
page read and write
|
||
|
17173254000
|
heap
|
page read and write
|
||
|
7FFD9BA20000
|
trusted library allocation
|
page read and write
|
||
|
1710177E000
|
trusted library allocation
|
page read and write
|
||
|
1711022C000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B776000
|
trusted library allocation
|
page read and write
|
||
|
1710267B000
|
trusted library allocation
|
page read and write
|
||
|
171731A1000
|
heap
|
page read and write
|
||
|
232C8D000
|
stack
|
page read and write
|
||
|
1710269A000
|
trusted library allocation
|
page read and write
|
||
|
17172DB0000
|
heap
|
page read and write
|
||
|
171729B0000
|
heap
|
page read and write
|
||
|
7FFD9B990000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB00000
|
trusted library allocation
|
page read and write
|
||
|
1711031B000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAC0000
|
trusted library allocation
|
page read and write
|
||
|
1710115A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B77C000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B980000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B770000
|
trusted library allocation
|
page read and write
|
||
|
17102680000
|
trusted library allocation
|
page read and write
|
||
|
17100001000
|
trusted library allocation
|
page read and write
|
||
|
17102695000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8C0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B910000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B87A000
|
trusted library allocation
|
page read and write
|
||
|
232CCE000
|
stack
|
page read and write
|
||
|
23298E000
|
stack
|
page read and write
|
||
|
7FFD9B6C0000
|
trusted library allocation
|
page read and write
|
||
|
17101780000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B930000
|
trusted library allocation
|
page read and write
|
||
|
17101996000
|
trusted library allocation
|
page read and write
|
||
|
171710A0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B860000
|
trusted library allocation
|
page read and write
|
||
|
231CB8000
|
stack
|
page read and write
|
||
|
7FFD9BB60000
|
trusted library allocation
|
page read and write
|
||
|
231A79000
|
stack
|
page read and write
|
||
|
171728D0000
|
trusted library allocation
|
page read and write
|
||
|
232C0E000
|
stack
|
page read and write
|
||
|
17102386000
|
trusted library allocation
|
page read and write
|
||
|
17110001000
|
trusted library allocation
|
page read and write
|
||
|
231B3E000
|
stack
|
page read and write
|
||
|
17102371000
|
trusted library allocation
|
page read and write
|
||
|
17170EB8000
|
heap
|
page read and write
|
||
|
23203E000
|
stack
|
page read and write
|
||
|
232B0B000
|
stack
|
page read and write
|
||
|
7FFD9B950000
|
trusted library allocation
|
page read and write
|
||
|
171026A4000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B6C4000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA90000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B900000
|
trusted library allocation
|
page read and write
|
||
|
1710268A000
|
trusted library allocation
|
page read and write
|
||
|
171732AE000
|
heap
|
page read and write
|
||
|
171026CD000
|
trusted library allocation
|
page read and write
|
||
|
171026B7000
|
trusted library allocation
|
page read and write
|
||
|
231F3B000
|
stack
|
page read and write
|
||
|
17172A60000
|
heap
|
page read and write
|
||
|
171730E8000
|
heap
|
page read and write
|
||
|
7FFD9B8B0000
|
trusted library allocation
|
page execute and read and write
|
||
|
171024F1000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAC4000
|
trusted library allocation
|
page read and write
|
||
|
17172FF0000
|
heap
|
page read and write
|
||
|
232B8C000
|
stack
|
page read and write
|
||
|
7DF4C2F20000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9BAE0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B880000
|
trusted library allocation
|
page execute and read and write
|
||
|
231BB7000
|
stack
|
page read and write
|
||
|
17100C28000
|
trusted library allocation
|
page read and write
|
||
|
171014E6000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB90000
|
trusted library allocation
|
page read and write
|
||
|
1717325F000
|
heap
|
page read and write
|
||
|
7DF4C2F10000
|
trusted library allocation
|
page execute and read and write
|
||
|
2319FE000
|
stack
|
page read and write
|
||
|
17170F63000
|
heap
|
page read and write
|
||
|
7FFD9B8A4000
|
trusted library allocation
|
page read and write
|
||
|
231675000
|
stack
|
page read and write
|
||
|
171731CD000
|
heap
|
page read and write
|
||
|
17171090000
|
heap
|
page readonly
|
||
|
231E3C000
|
stack
|
page read and write
|
||
|
2318FB000
|
stack
|
page read and write
|
||
|
232D4E000
|
stack
|
page read and write
|
||
|
171017F1000
|
trusted library allocation
|
page read and write
|
||
|
17170FAE000
|
heap
|
page read and write
|
||
|
171710D0000
|
trusted library allocation
|
page read and write
|
||
|
231D3E000
|
stack
|
page read and write
|
||
|
1717329D000
|
heap
|
page read and write
|
||
|
7FFD9B9A0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA50000
|
trusted library allocation
|
page read and write
|
||
|
17102362000
|
trusted library allocation
|
page read and write
|
||
|
17100088000
|
trusted library allocation
|
page read and write
|
||
|
17170F6D000
|
heap
|
page read and write
|
||
|
231DBE000
|
stack
|
page read and write
|
||
|
232A0C000
|
stack
|
page read and write
|
||
|
17170F81000
|
heap
|
page read and write
|
||
|
17170E50000
|
heap
|
page read and write
|
||
|
1717317E000
|
heap
|
page read and write
|
||
|
17170EF5000
|
heap
|
page read and write
|
||
|
171731F8000
|
heap
|
page read and write
|
||
|
17170D70000
|
heap
|
page read and write
|
||
|
1717111C000
|
heap
|
page read and write
|
||
|
7FFD9BA60000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B920000
|
trusted library allocation
|
page read and write
|
||
|
17172A50000
|
trusted library allocation
|
page read and write
|
||
|
17102685000
|
trusted library allocation
|
page read and write
|
||
|
171017A8000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB10000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9D0000
|
trusted library allocation
|
page read and write
|
||
|
17170F27000
|
heap
|
page read and write
|
||
|
2317FD000
|
stack
|
page read and write
|
||
|
1710178A000
|
trusted library allocation
|
page read and write
|
||
|
231C38000
|
stack
|
page read and write
|
||
|
7FFD9BBA0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9BA80000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B960000
|
trusted library allocation
|
page read and write
|
||
|
17110072000
|
trusted library allocation
|
page read and write
|
||
|
1710236C000
|
trusted library allocation
|
page read and write
|
||
|
1710235D000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B6C2000
|
trusted library allocation
|
page read and write
|
||
|
17172EB0000
|
heap
|
page execute and read and write
|
||
|
17170EB0000
|
heap
|
page read and write
|
||
|
17102489000
|
trusted library allocation
|
page read and write
|
||
|
17170FA9000
|
heap
|
page read and write
|
||
|
23177E000
|
stack
|
page read and write
|
||
|
17102376000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAA3000
|
trusted library allocation
|
page read and write
|
||
|
232A8A000
|
stack
|
page read and write
|
||
|
7FFD9B6D0000
|
trusted library allocation
|
page read and write
|
||
|
17172E3C000
|
heap
|
page read and write
|
||
|
7FFD9B8F0000
|
trusted library allocation
|
page read and write
|
||
|
171730D0000
|
heap
|
page read and write
|
||
|
7FFD9BAC9000
|
trusted library allocation
|
page read and write
|
||
|
17171050000
|
trusted library allocation
|
page read and write
|
||
|
17171080000
|
trusted library allocation
|
page read and write
|
||
|
7DF4C2F30000
|
trusted library allocation
|
page execute and read and write
|
||
|
231EBC000
|
stack
|
page read and write
|
||
|
7FFD9B9E0000
|
trusted library allocation
|
page read and write
|
||
|
1710269F000
|
trusted library allocation
|
page read and write
|
||
|
17173274000
|
heap
|
page read and write
|
||
|
1710237B000
|
trusted library allocation
|
page read and write
|
||
|
232948000
|
stack
|
page read and write
|
||
|
7FFD9B9C0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8A8000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAF0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B6E0000
|
trusted library allocation
|
page read and write
|
||
|
1710179E000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA30000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B8A2000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B890000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9BAD0000
|
trusted library allocation
|
page read and write
|
||
|
1717326B000
|
heap
|
page read and write
|
||
|
171102ED000
|
trusted library allocation
|
page read and write
|
||
|
171731E0000
|
heap
|
page read and write
|
||
|
17170F40000
|
heap
|
page read and write
|
||
|
1710238B000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA70000
|
trusted library allocation
|
page read and write
|
||
|
17170E70000
|
heap
|
page read and write
|
||
|
7FFD9B71C000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B9F0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9B0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8D0000
|
trusted library allocation
|
page read and write
|
||
|
2316FE000
|
stack
|
page read and write
|
||
|
17172990000
|
heap
|
page execute and read and write
|
||
|
17101EC5000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7A6000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9BBB0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA40000
|
trusted library allocation
|
page read and write
|
||
|
232E4A000
|
stack
|
page read and write
|
||
|
1710268F000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB80000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA10000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B871000
|
trusted library allocation
|
page read and write
|
||
|
17170EC2000
|
heap
|
page read and write
|
||
|
1717323F000
|
heap
|
page read and write
|
||
|
17171125000
|
heap
|
page read and write
|
||
|
17171110000
|
heap
|
page read and write
|
||
|
231AF9000
|
stack
|
page read and write
|
||
|
7FFD9BADC000
|
trusted library allocation
|
page read and write
|
||
|
232DCC000
|
stack
|
page read and write
|
||
|
23187A000
|
stack
|
page read and write
|
||
|
17170F3A000
|
heap
|
page read and write
|
||
|
17100228000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B6C3000
|
trusted library allocation
|
page execute and read and write
|
There are 201 hidden memdumps, click here to show them.