Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
FreeCs2Skins.ps1
|
ASCII text, with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4tledjns.kss.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hxz4i341.os2.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\file.exe
|
HTML document, Unicode text, UTF-8 text
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3POJUI906RL1T6UDZTGF.temp
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\FreeCs2Skins.ps1"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://cia.tf/1d5ad9c8d3fee874d0feb8bfac220a11.exe
|
172.67.129.178
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
http://cia.tf
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://coquettte.com
|
unknown
|
||
|
https://bad.is-having.fun
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://cia.tf
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
https://cia.tf/1d5ad9c8d3fee874d0feb8bfac220a11.exeP
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://cia.tf/
|
172.67.129.178
|
There are 9 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
cia.tf
|
172.67.129.178
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
172.67.129.178
|
cia.tf
|
United States
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7FFD34AA0000
|
trusted library allocation
|
page read and write
|
||
|
1AD2AD50000
|
heap
|
page read and write
|
||
|
7FFD349A0000
|
trusted library allocation
|
page read and write
|
||
|
1AD43221000
|
heap
|
page read and write
|
||
|
1AD29139000
|
heap
|
page read and write
|
||
|
1AD29178000
|
heap
|
page read and write
|
||
|
7FFD34830000
|
trusted library allocation
|
page execute and read and write
|
||
|
737407B000
|
stack
|
page read and write
|
||
|
7FFD3482C000
|
trusted library allocation
|
page execute and read and write
|
||
|
1AD29135000
|
heap
|
page read and write
|
||
|
1AD29310000
|
heap
|
page readonly
|
||
|
1AD2C71D000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34820000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34A50000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34A40000
|
trusted library allocation
|
page read and write
|
||
|
1AD3B0A1000
|
trusted library allocation
|
page read and write
|
||
|
7373DFD000
|
stack
|
page read and write
|
||
|
7FFD34921000
|
trusted library allocation
|
page read and write
|
||
|
1AD2C6C1000
|
trusted library allocation
|
page read and write
|
||
|
7373A7E000
|
stack
|
page read and write
|
||
|
1AD2C6A7000
|
trusted library allocation
|
page read and write
|
||
|
1AD2CABC000
|
trusted library allocation
|
page read and write
|
||
|
7FFD349E0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34A20000
|
trusted library allocation
|
page read and write
|
||
|
1AD2C6AF000
|
trusted library allocation
|
page read and write
|
||
|
1AD29350000
|
trusted library allocation
|
page read and write
|
||
|
7FFD349B0000
|
trusted library allocation
|
page read and write
|
||
|
1AD29010000
|
heap
|
page read and write
|
||
|
1AD4352D000
|
heap
|
page read and write
|
||
|
1AD2CDEB000
|
trusted library allocation
|
page read and write
|
||
|
1AD2CC0F000
|
trusted library allocation
|
page read and write
|
||
|
1AD2C729000
|
trusted library allocation
|
page read and write
|
||
|
7FFD349F0000
|
trusted library allocation
|
page read and write
|
||
|
1AD3B251000
|
trusted library allocation
|
page read and write
|
||
|
7374C0E000
|
stack
|
page read and write
|
||
|
1AD3B10E000
|
trusted library allocation
|
page read and write
|
||
|
7373FFE000
|
stack
|
page read and write
|
||
|
7FFD347CC000
|
trusted library allocation
|
page execute and read and write
|
||
|
1AD2C6BD000
|
trusted library allocation
|
page read and write
|
||
|
1AD2CC18000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34780000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34940000
|
trusted library allocation
|
page execute and read and write
|
||
|
1AD2B2D3000
|
trusted library allocation
|
page read and write
|
||
|
1AD43567000
|
heap
|
page read and write
|
||
|
7373EFE000
|
stack
|
page read and write
|
||
|
7FFD3478B000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34980000
|
trusted library allocation
|
page read and write
|
||
|
1AD2C719000
|
trusted library allocation
|
page read and write
|
||
|
1AD29090000
|
heap
|
page read and write
|
||
|
1AD434E3000
|
heap
|
page read and write
|
||
|
7FFD34930000
|
trusted library allocation
|
page execute and read and write
|
||
|
1AD43487000
|
heap
|
page execute and read and write
|
||
|
1AD2CDE5000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34AE0000
|
trusted library allocation
|
page read and write
|
||
|
73735CE000
|
stack
|
page read and write
|
||
|
1AD43288000
|
heap
|
page read and write
|
||
|
1AD2C6B9000
|
trusted library allocation
|
page read and write
|
||
|
1AD431DB000
|
heap
|
page read and write
|
||
|
1AD29390000
|
trusted library allocation
|
page read and write
|
||
|
1AD292C0000
|
trusted library allocation
|
page read and write
|
||
|
7373E79000
|
stack
|
page read and write
|
||
|
73738FE000
|
stack
|
page read and write
|
||
|
1AD2B0A1000
|
trusted library allocation
|
page read and write
|
||
|
1AD2B12B000
|
trusted library allocation
|
page read and write
|
||
|
7DF474B20000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD34960000
|
trusted library allocation
|
page execute and read and write
|
||
|
1AD2AC80000
|
heap
|
page execute and read and write
|
||
|
7FFD34790000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34A30000
|
trusted library allocation
|
page read and write
|
||
|
1AD292E0000
|
heap
|
page read and write
|
||
|
7374B4D000
|
stack
|
page read and write
|
||
|
1AD2C694000
|
trusted library allocation
|
page read and write
|
||
|
1AD2917E000
|
heap
|
page read and write
|
||
|
1AD29131000
|
heap
|
page read and write
|
||
|
7FFD349C0000
|
trusted library allocation
|
page read and write
|
||
|
1AD430AD000
|
heap
|
page read and write
|
||
|
1AD293E5000
|
heap
|
page read and write
|
||
|
737397E000
|
stack
|
page read and write
|
||
|
7FFD34AB0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34A00000
|
trusted library allocation
|
page read and write
|
||
|
1AD29098000
|
heap
|
page read and write
|
||
|
1AD2AC70000
|
heap
|
page execute and read and write
|
||
|
7FFD34A90000
|
trusted library allocation
|
page read and write
|
||
|
1AD43480000
|
heap
|
page execute and read and write
|
||
|
7FFD34AC0000
|
trusted library allocation
|
page read and write
|
||
|
1AD292E5000
|
heap
|
page read and write
|
||
|
1AD43490000
|
heap
|
page read and write
|
||
|
7374D8C000
|
stack
|
page read and write
|
||
|
1AD432D0000
|
heap
|
page read and write
|
||
|
7FFD34952000
|
trusted library allocation
|
page read and write
|
||
|
1AD29353000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34A10000
|
trusted library allocation
|
page read and write
|
||
|
7373CF9000
|
stack
|
page read and write
|
||
|
7FFD34772000
|
trusted library allocation
|
page read and write
|
||
|
7373C7D000
|
stack
|
page read and write
|
||
|
1AD4358C000
|
heap
|
page read and write
|
||
|
1AD29300000
|
trusted library allocation
|
page read and write
|
||
|
7374ACE000
|
stack
|
page read and write
|
||
|
7FFD34A80000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34826000
|
trusted library allocation
|
page read and write
|
||
|
1AD4357F000
|
heap
|
page read and write
|
||
|
73739FD000
|
stack
|
page read and write
|
||
|
7FFD3477D000
|
trusted library allocation
|
page execute and read and write
|
||
|
1AD2C6D5000
|
trusted library allocation
|
page read and write
|
||
|
1AD43499000
|
heap
|
page read and write
|
||
|
7FFD34773000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD34774000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34970000
|
trusted library allocation
|
page read and write
|
||
|
73740FB000
|
stack
|
page read and write
|
||
|
1AD3B389000
|
trusted library allocation
|
page read and write
|
||
|
1AD290A2000
|
heap
|
page read and write
|
||
|
1AD28FF0000
|
heap
|
page read and write
|
||
|
1AD4358E000
|
heap
|
page read and write
|
||
|
1AD434A9000
|
heap
|
page read and write
|
||
|
1AD29113000
|
heap
|
page read and write
|
||
|
7FFD34A70000
|
trusted library allocation
|
page read and write
|
||
|
7373AFB000
|
stack
|
page read and write
|
||
|
1AD2ACD0000
|
heap
|
page read and write
|
||
|
7FFD34856000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD34990000
|
trusted library allocation
|
page read and write
|
||
|
1AD293E0000
|
heap
|
page read and write
|
||
|
7373D76000
|
stack
|
page read and write
|
||
|
7374D0E000
|
stack
|
page read and write
|
||
|
1AD2BCD3000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34A60000
|
trusted library allocation
|
page read and write
|
||
|
1AD43295000
|
heap
|
page read and write
|
||
|
7FFD34AD0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD349D0000
|
trusted library allocation
|
page read and write
|
||
|
7373B7F000
|
stack
|
page read and write
|
||
|
1AD3B0B0000
|
trusted library allocation
|
page read and write
|
||
|
7373F7E000
|
stack
|
page read and write
|
||
|
1AD434F0000
|
heap
|
page read and write
|
||
|
7373BFE000
|
stack
|
page read and write
|
||
|
1AD43573000
|
heap
|
page read and write
|
||
|
1AD29050000
|
heap
|
page read and write
|
||
|
1AD4321F000
|
heap
|
page read and write
|
||
|
7FFD34890000
|
trusted library allocation
|
page execute and read and write
|
||
|
7374B8E000
|
stack
|
page read and write
|
||
|
1AD431B0000
|
heap
|
page read and write
|
||
|
7FFD3492A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34910000
|
trusted library allocation
|
page read and write
|
||
|
1AD2913F000
|
heap
|
page read and write
|
||
|
7374C8A000
|
stack
|
page read and write
|
||
|
7373875000
|
stack
|
page read and write
|
||
|
1AD29151000
|
heap
|
page read and write
|
||
|
1AD2C691000
|
trusted library allocation
|
page read and write
|
||
|
1AD28FE0000
|
heap
|
page read and write
|
There are 137 hidden memdumps, click here to show them.