Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
download.ps1
|
ASCII text, with very long lines (11455), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g3pqnhy0.bcu.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mow32suy.pl5.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4ou5lqk.a5e.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u1iesxrq.zkm.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\82Q4PFWOKMYG9L6IJHQX.temp
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://$rb9w1lvtg27jsno/$uys5qoe7i4wbpnv.php?id=$env:computername&key=$siumfg&s=527
|
unknown
|
||
|
https://photos.google.com/?tab=wq&pageId=none
|
unknown
|
||
|
http://www.google.com/preferences?hl=enX
|
unknown
|
||
|
https://csp.withgoogle.com/csp/gws/other-hp
|
unknown
|
||
|
http://bkkeiekjfcdaaen.top
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://news.google.com/?tab=wn
|
unknown
|
||
|
https://docs.google.com/document/?usp=docs_alc
|
unknown
|
||
|
http://schema.org/WebPage
|
unknown
|
||
|
https://0.google.com/
|
unknown
|
||
|
https://www.google.com/webhp?tab=ww
|
unknown
|
||
|
http://bkkeiekjfcdaaen.top/sb5xvzt83whtr.php?id=user-PC&key=125435732625&s=527
|
168.100.10.140
|
||
|
http://schema.org/WebPageX
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://www.google.com/finance?tab=we
|
unknown
|
||
|
http://maps.google.com/maps?hl=en&tab=wl
|
unknown
|
||
|
http://www.google.com
|
unknown
|
||
|
https://apis.google.com
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
http://www.blogger.com/?tab=wj
|
unknown
|
||
|
http://www.google.com/mobile/?hl=en&tab=wD
|
unknown
|
||
|
https://play.google.com/?hl=en&tab=w8
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
https://www.google.com/imghp?hl=en&tab=wi
|
unknown
|
||
|
https://www.google.com/shopping?hl=en&source=og&tab=wf
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s96
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://schemas.xmlsoap.org/soap/encoding/
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://drive.google.com/?tab=wo
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
http://crl.microsHG
|
unknown
|
||
|
https://0.google
|
unknown
|
||
|
https://mail.google.com/mail/?tab=wm
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://www.youtube.com/?tab=w1
|
unknown
|
||
|
http://0.google.
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s96X
|
unknown
|
||
|
http://0.google.com/
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s24
|
unknown
|
||
|
http://www.google.com/history/optout?hl=en
|
unknown
|
||
|
https://books.google.com/?hl=en&tab=wp
|
unknown
|
||
|
https://translate.google.com/?hl=en&tab=wT
|
unknown
|
||
|
http://schemas.xmlsoap.org/wsdl/
|
unknown
|
||
|
https://www.google.com/intl/en/about/products?tab=whX
|
unknown
|
||
|
https://calendar.google.com/calendar?tab=wc
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s24X
|
unknown
|
||
|
http://www.google.com/
|
142.250.181.68
|
There are 40 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
bkkeiekjfcdaaen.top
|
168.100.10.140
|
||
|
www.google.com
|
142.250.181.68
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
142.250.181.68
|
www.google.com
|
United States
|
||
|
168.100.10.140
|
bkkeiekjfcdaaen.top
|
United States
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
202EB7D7000
|
trusted library allocation
|
page read and write
|
||
|
202DCFCE000
|
trusted library allocation
|
page read and write
|
||
|
202DAEE0000
|
trusted library section
|
page read and write
|
||
|
202EB7DE000
|
trusted library allocation
|
page read and write
|
||
|
202D9682000
|
heap
|
page read and write
|
||
|
7DF4CFBB0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF849130000
|
trusted library allocation
|
page read and write
|
||
|
7FF849040000
|
trusted library allocation
|
page read and write
|
||
|
7FF849214000
|
trusted library allocation
|
page read and write
|
||
|
202EB7C9000
|
trusted library allocation
|
page read and write
|
||
|
7FF849070000
|
trusted library allocation
|
page read and write
|
||
|
7FF8491C7000
|
trusted library allocation
|
page read and write
|
||
|
7FF8491B0000
|
trusted library allocation
|
page read and write
|
||
|
202DB480000
|
heap
|
page read and write
|
||
|
202DDA86000
|
trusted library allocation
|
page read and write
|
||
|
202DCEAD000
|
trusted library allocation
|
page read and write
|
||
|
202DDDA6000
|
trusted library allocation
|
page read and write
|
||
|
7FF848ECC000
|
trusted library allocation
|
page execute and read and write
|
||
|
202DDDBF000
|
trusted library allocation
|
page read and write
|
||
|
7FF848E6C000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF849300000
|
trusted library allocation
|
page read and write
|
||
|
202DDDB0000
|
trusted library allocation
|
page read and write
|
||
|
202F37DC000
|
heap
|
page read and write
|
||
|
7FF848FB0000
|
trusted library allocation
|
page read and write
|
||
|
202DAEC5000
|
heap
|
page read and write
|
||
|
202EB978000
|
trusted library allocation
|
page read and write
|
||
|
202DCF13000
|
trusted library allocation
|
page read and write
|
||
|
202F37E8000
|
heap
|
page read and write
|
||
|
202DB698000
|
trusted library allocation
|
page read and write
|
||
|
7CD28FE000
|
stack
|
page read and write
|
||
|
7FF849140000
|
trusted library allocation
|
page read and write
|
||
|
7FF848EF6000
|
trusted library allocation
|
page execute and read and write
|
||
|
202DB4B6000
|
heap
|
page read and write
|
||
|
7CD3ACF000
|
stack
|
page read and write
|
||
|
202DD0B5000
|
trusted library allocation
|
page read and write
|
||
|
202EB7E1000
|
trusted library allocation
|
page read and write
|
||
|
7CD287E000
|
stack
|
page read and write
|
||
|
7FF848E13000
|
trusted library allocation
|
page execute and read and write
|
||
|
202EB6AA000
|
trusted library allocation
|
page read and write
|
||
|
202F37EC000
|
heap
|
page read and write
|
||
|
7FF8492B0000
|
trusted library allocation
|
page read and write
|
||
|
7FF8492E0000
|
trusted library allocation
|
page execute and read and write
|
||
|
202F36B7000
|
heap
|
page execute and read and write
|
||
|
202DAF00000
|
trusted library allocation
|
page read and write
|
||
|
202DDAA5000
|
trusted library allocation
|
page read and write
|
||
|
202F38F8000
|
heap
|
page read and write
|
||
|
7FF8490A0000
|
trusted library allocation
|
page read and write
|
||
|
7FF848FD0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7CD3E8B000
|
stack
|
page read and write
|
||
|
202F3976000
|
heap
|
page read and write
|
||
|
7CD2AFE000
|
stack
|
page read and write
|
||
|
7FF8491F0000
|
trusted library allocation
|
page read and write
|
||
|
7FF8492F0000
|
trusted library allocation
|
page read and write
|
||
|
202DB470000
|
heap
|
page read and write
|
||
|
7FF849250000
|
trusted library allocation
|
page read and write
|
||
|
7CD3F0C000
|
stack
|
page read and write
|
||
|
7CD3D8E000
|
stack
|
page read and write
|
||
|
202F37F4000
|
heap
|
page read and write
|
||
|
7FF849030000
|
trusted library allocation
|
page read and write
|
||
|
7FF849230000
|
trusted library allocation
|
page read and write
|
||
|
202F3987000
|
heap
|
page read and write
|
||
|
202D967D000
|
heap
|
page read and write
|
||
|
202F37F0000
|
heap
|
page read and write
|
||
|
202DAF21000
|
trusted library allocation
|
page read and write
|
||
|
7FF849120000
|
trusted library allocation
|
page read and write
|
||
|
202DCA9F000
|
trusted library allocation
|
page read and write
|
||
|
7FF848E12000
|
trusted library allocation
|
page read and write
|
||
|
7FF849100000
|
trusted library allocation
|
page read and write
|
||
|
7FF8491C0000
|
trusted library allocation
|
page read and write
|
||
|
7FF8490C0000
|
trusted library allocation
|
page read and write
|
||
|
7FF849080000
|
trusted library allocation
|
page read and write
|
||
|
202EB93E000
|
trusted library allocation
|
page read and write
|
||
|
202DDA81000
|
trusted library allocation
|
page read and write
|
||
|
7FF848E10000
|
trusted library allocation
|
page read and write
|
||
|
7CD2E7E000
|
stack
|
page read and write
|
||
|
7CD3B4C000
|
stack
|
page read and write
|
||
|
7FF849060000
|
trusted library allocation
|
page read and write
|
||
|
202EB611000
|
trusted library allocation
|
page read and write
|
||
|
202DD5E5000
|
trusted library allocation
|
page read and write
|
||
|
7FF849180000
|
trusted library allocation
|
page read and write
|
||
|
202DB506000
|
heap
|
page read and write
|
||
|
202DB838000
|
trusted library allocation
|
page read and write
|
||
|
7FF849160000
|
trusted library allocation
|
page execute and read and write
|
||
|
202F395F000
|
heap
|
page read and write
|
||
|
202DB550000
|
heap
|
page read and write
|
||
|
7FF8492D0000
|
trusted library allocation
|
page read and write
|
||
|
7FF848EC0000
|
trusted library allocation
|
page read and write
|
||
|
202DC238000
|
trusted library allocation
|
page read and write
|
||
|
202DDD9B000
|
trusted library allocation
|
page read and write
|
||
|
202DAED0000
|
trusted library allocation
|
page read and write
|
||
|
202DCBFD000
|
trusted library allocation
|
page read and write
|
||
|
7FF848FF2000
|
trusted library allocation
|
page read and write
|
||
|
7CD29FA000
|
stack
|
page read and write
|
||
|
7FF84922C000
|
trusted library allocation
|
page read and write
|
||
|
202DAFB0000
|
heap
|
page read and write
|
||
|
7FF849010000
|
trusted library allocation
|
page read and write
|
||
|
202DCE9B000
|
trusted library allocation
|
page read and write
|
||
|
7CD25EE000
|
stack
|
page read and write
|
||
|
202EB7DC000
|
trusted library allocation
|
page read and write
|
||
|
7CD2525000
|
stack
|
page read and write
|
||
|
7FF8490F0000
|
trusted library allocation
|
page read and write
|
||
|
7DF4CFBC0000
|
trusted library allocation
|
page execute and read and write
|
||
|
202D963B000
|
heap
|
page read and write
|
||
|
202F398B000
|
heap
|
page read and write
|
||
|
202F3C00000
|
heap
|
page read and write
|
||
|
7FF849220000
|
trusted library allocation
|
page read and write
|
||
|
7FF849219000
|
trusted library allocation
|
page read and write
|
||
|
7FF849240000
|
trusted library allocation
|
page read and write
|
||
|
202DAEC0000
|
heap
|
page read and write
|
||
|
7FF849020000
|
trusted library allocation
|
page read and write
|
||
|
7CD2A7B000
|
stack
|
page read and write
|
||
|
7CD297D000
|
stack
|
page read and write
|
||
|
202DDDC4000
|
trusted library allocation
|
page read and write
|
||
|
7DF4CFBD0000
|
trusted library allocation
|
page execute and read and write
|
||
|
202DAF90000
|
trusted library allocation
|
page read and write
|
||
|
202DB4C4000
|
heap
|
page read and write
|
||
|
202DB535000
|
heap
|
page read and write
|
||
|
7CD3E0E000
|
stack
|
page read and write
|
||
|
202F37F8000
|
heap
|
page read and write
|
||
|
7CD2FFD000
|
stack
|
page read and write
|
||
|
7CD3D4D000
|
stack
|
page read and write
|
||
|
7CD2DF9000
|
stack
|
page read and write
|
||
|
202DAE30000
|
heap
|
page read and write
|
||
|
202F37E4000
|
heap
|
page read and write
|
||
|
202F38EA000
|
heap
|
page read and write
|
||
|
7FF8490D0000
|
trusted library allocation
|
page read and write
|
||
|
202F3838000
|
heap
|
page read and write
|
||
|
202DDA7C000
|
trusted library allocation
|
page read and write
|
||
|
7FF849260000
|
trusted library allocation
|
page read and write
|
||
|
7FF8492C0000
|
trusted library allocation
|
page read and write
|
||
|
7CD25AE000
|
stack
|
page read and write
|
||
|
202DAEF0000
|
trusted library section
|
page read and write
|
||
|
202D9632000
|
heap
|
page read and write
|
||
|
7FF848E20000
|
trusted library allocation
|
page read and write
|
||
|
202DB55D000
|
heap
|
page read and write
|
||
|
7FF849110000
|
trusted library allocation
|
page read and write
|
||
|
202F3C19000
|
heap
|
page read and write
|
||
|
7FF849050000
|
trusted library allocation
|
page read and write
|
||
|
202DB30E000
|
heap
|
page read and write
|
||
|
7FF848FCA000
|
trusted library allocation
|
page read and write
|
||
|
7CD2BF9000
|
stack
|
page read and write
|
||
|
202DDC12000
|
trusted library allocation
|
page read and write
|
||
|
202DB547000
|
heap
|
page read and write
|
||
|
202DDDBA000
|
trusted library allocation
|
page read and write
|
||
|
7FF849000000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF8490E0000
|
trusted library allocation
|
page read and write
|
||
|
7FF848F30000
|
trusted library allocation
|
page execute and read and write
|
||
|
7CD3A89000
|
stack
|
page read and write
|
||
|
202D9535000
|
heap
|
page read and write
|
||
|
202DDA9A000
|
trusted library allocation
|
page read and write
|
||
|
202F36B0000
|
heap
|
page execute and read and write
|
||
|
202D9510000
|
heap
|
page read and write
|
||
|
202D9540000
|
heap
|
page read and write
|
||
|
7FF848EC6000
|
trusted library allocation
|
page read and write
|
||
|
202DCE90000
|
trusted library allocation
|
page read and write
|
||
|
202EB67E000
|
trusted library allocation
|
page read and write
|
||
|
202D95A2000
|
heap
|
page read and write
|
||
|
7FF848FF8000
|
trusted library allocation
|
page read and write
|
||
|
202D9530000
|
heap
|
page read and write
|
||
|
7FF849090000
|
trusted library allocation
|
page read and write
|
||
|
202DDA95000
|
trusted library allocation
|
page read and write
|
||
|
7CD30FE000
|
stack
|
page read and write
|
||
|
7FF848E14000
|
trusted library allocation
|
page read and write
|
||
|
7FF848FF4000
|
trusted library allocation
|
page read and write
|
||
|
7FF848E30000
|
trusted library allocation
|
page read and write
|
||
|
202D963D000
|
heap
|
page read and write
|
||
|
202F36EC000
|
heap
|
page read and write
|
||
|
202EB9EA000
|
trusted library allocation
|
page read and write
|
||
|
7FF8491D0000
|
trusted library allocation
|
page read and write
|
||
|
7CD3C4B000
|
stack
|
page read and write
|
||
|
7CD2CF6000
|
stack
|
page read and write
|
||
|
202DDDC9000
|
trusted library allocation
|
page read and write
|
||
|
7CD3CCE000
|
stack
|
page read and write
|
||
|
7FF848FE0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF849170000
|
trusted library allocation
|
page read and write
|
||
|
7CD307C000
|
stack
|
page read and write
|
||
|
202DDAD6000
|
trusted library allocation
|
page read and write
|
||
|
7FF8490B0000
|
trusted library allocation
|
page read and write
|
||
|
202DDA90000
|
trusted library allocation
|
page read and write
|
||
|
202DDDB5000
|
trusted library allocation
|
page read and write
|
||
|
202D9590000
|
heap
|
page read and write
|
||
|
202F3630000
|
heap
|
page execute and read and write
|
||
|
202D9430000
|
heap
|
page read and write
|
||
|
7FF849210000
|
trusted library allocation
|
page read and write
|
||
|
7CD3BCA000
|
stack
|
page read and write
|
||
|
7CD2C79000
|
stack
|
page read and write
|
||
|
202DDDD7000
|
trusted library allocation
|
page read and write
|
||
|
7FF849150000
|
trusted library allocation
|
page read and write
|
||
|
202DDAAA000
|
trusted library allocation
|
page read and write
|
||
|
7FF8491A0000
|
trusted library allocation
|
page execute and read and write
|
||
|
202DDAA0000
|
trusted library allocation
|
page read and write
|
||
|
7FF848FC1000
|
trusted library allocation
|
page read and write
|
||
|
202DB4B3000
|
heap
|
page read and write
|
||
|
202DB4BE000
|
heap
|
page read and write
|
||
|
202DDDAB000
|
trusted library allocation
|
page read and write
|
||
|
202F36E0000
|
heap
|
page read and write
|
||
|
7FF8491F3000
|
trusted library allocation
|
page read and write
|
||
|
7CD2D79000
|
stack
|
page read and write
|
||
|
7FF849310000
|
trusted library allocation
|
page read and write
|
||
|
202D967B000
|
heap
|
page read and write
|
||
|
202DB600000
|
heap
|
page execute and read and write
|
||
|
7CD2F7D000
|
stack
|
page read and write
|
||
|
202F381E000
|
heap
|
page read and write
|
||
|
7FF849228000
|
trusted library allocation
|
page read and write
|
||
|
202D9653000
|
heap
|
page read and write
|
||
|
202DDA8B000
|
trusted library allocation
|
page read and write
|
||
|
7FF848E2B000
|
trusted library allocation
|
page read and write
|
||
|
202DDDA0000
|
trusted library allocation
|
page read and write
|
||
|
202DB611000
|
trusted library allocation
|
page read and write
|
||
|
7FF848E1D000
|
trusted library allocation
|
page execute and read and write
|
||
|
202DAF50000
|
trusted library allocation
|
page read and write
|
||
|
202DAECC000
|
heap
|
page read and write
|
||
|
202F3690000
|
trusted library allocation
|
page read and write
|
||
|
7CD2B7E000
|
stack
|
page read and write
|
||
|
7FF8491E0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF849190000
|
trusted library allocation
|
page read and write
|
||
|
202EB968000
|
trusted library allocation
|
page read and write
|
||
|
202DAF10000
|
heap
|
page readonly
|
||
|
7CD2EFF000
|
stack
|
page read and write
|
There are 209 hidden memdumps, click here to show them.