Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
download.ps1
|
ASCII text, with very long lines (10288), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5f3bxllh.1rt.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d00ftmsa.nxu.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gzzf2tbl.pmg.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_it2ozuyo.uhk.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7UI4DV8S5UN4QF4ZVXBN.temp
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://lalclenfjhkinbn.top/1cyr4hap8fhtr.php?id=user-PC&key=74335170832&s=527
|
45.61.136.138
|
|
|
|
https://www.google.com/intl/en/about/products?tab=wh
|
unknown
|
||
|
http://$p4hgq5au6tzn9kd/$dnyxe8imwl14q0z.php?id=$env:computername&key=$fpzblntrys&s=527
|
unknown
|
||
|
http://crl.microsoft
|
unknown
|
||
|
https://photos.google.com/?tab=wq&pageId=none
|
unknown
|
||
|
http://www.google.com/preferences?hl=enX
|
unknown
|
||
|
https://csp.withgoogle.com/csp/gws/other-hp
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://news.google.com/?tab=wn
|
unknown
|
||
|
https://docs.google.com/document/?usp=docs_alc
|
unknown
|
||
|
http://schema.org/WebPage
|
unknown
|
||
|
https://0.google.com/
|
unknown
|
||
|
https://www.google.com/webhp?tab=ww
|
unknown
|
||
|
http://lalclenfjhkinbn.top
|
unknown
|
||
|
http://schema.org/WebPageX
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://www.google.com/finance?tab=we
|
unknown
|
||
|
http://maps.google.com/maps?hl=en&tab=wl
|
unknown
|
||
|
http://www.google.com
|
unknown
|
||
|
https://apis.google.com
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
http://www.blogger.com/?tab=wj
|
unknown
|
||
|
http://www.google.com/mobile/?hl=en&tab=wD
|
unknown
|
||
|
https://play.google.com/?hl=en&tab=w8
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
https://www.google.com/imghp?hl=en&tab=wi
|
unknown
|
||
|
https://www.google.com/shopping?hl=en&source=og&tab=wf
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s96
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://schemas.xmlsoap.org/soap/encoding/
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://drive.google.com/?tab=wo
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://0.google
|
unknown
|
||
|
https://mail.google.com/mail/?tab=wm
|
unknown
|
||
|
http://www.google.com/preferences?hl=en
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://www.youtube.com/?tab=w1
|
unknown
|
||
|
http://0.google.
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s96X
|
unknown
|
||
|
http://0.google.com/
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s24
|
unknown
|
||
|
http://www.google.com/history/optout?hl=en
|
unknown
|
||
|
https://books.google.com/?hl=en&tab=wp
|
unknown
|
||
|
https://translate.google.com/?hl=en&tab=wT
|
unknown
|
||
|
http://schemas.xmlsoap.org/wsdl/
|
unknown
|
||
|
https://www.google.com/intl/en/about/products?tab=whX
|
unknown
|
||
|
https://calendar.google.com/calendar?tab=wc
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
https://lh3.googleusercontent.com/ogw/default-user=s24X
|
unknown
|
||
|
http://www.microsoft.cod
|
unknown
|
||
|
http://www.google.com/
|
216.58.206.68
|
There are 43 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
lalclenfjhkinbn.top
|
45.61.136.138
|
|
|
|
www.google.com
|
216.58.206.68
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
45.61.136.138
|
lalclenfjhkinbn.top
|
United States
|
|
|
|
216.58.206.68
|
www.google.com
|
United States
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
2B97CB60000
|
heap
|
page read and write
|
||
|
7FFB4A2E1000
|
trusted library allocation
|
page read and write
|
||
|
2B97D7E8000
|
heap
|
page read and write
|
||
|
7FFB4A600000
|
trusted library allocation
|
page read and write
|
||
|
2B900088000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A2F0000
|
trusted library allocation
|
page execute and read and write
|
||
|
2B97D0DA000
|
heap
|
page read and write
|
||
|
7FFB4A430000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A620000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A538000
|
trusted library allocation
|
page read and write
|
||
|
2B900001000
|
trusted library allocation
|
page read and write
|
||
|
2B901840000
|
trusted library allocation
|
page read and write
|
||
|
2B97D11C000
|
heap
|
page read and write
|
||
|
2B901834000
|
trusted library allocation
|
page read and write
|
||
|
DC47A4A000
|
stack
|
page read and write
|
||
|
7FFB4A3F0000
|
trusted library allocation
|
page read and write
|
||
|
2B97D3B0000
|
heap
|
page execute and read and write
|
||
|
DC4677E000
|
stack
|
page read and write
|
||
|
7FFB4A150000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A5C0000
|
trusted library allocation
|
page read and write
|
||
|
DC468FB000
|
stack
|
page read and write
|
||
|
7FFB4A5D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A2D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A250000
|
trusted library allocation
|
page execute and read and write
|
||
|
2B97D7E0000
|
heap
|
page read and write
|
||
|
DC463CE000
|
stack
|
page read and write
|
||
|
2B902401000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A610000
|
trusted library allocation
|
page execute and read and write
|
||
|
2B97CB6C000
|
heap
|
page read and write
|
||
|
DC4697F000
|
stack
|
page read and write
|
||
|
2B901810000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A390000
|
trusted library allocation
|
page read and write
|
||
|
2B902707000
|
trusted library allocation
|
page read and write
|
||
|
DC4667E000
|
stack
|
page read and write
|
||
|
DC469FE000
|
stack
|
page read and write
|
||
|
2B90271A000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A300000
|
trusted library allocation
|
page execute and read and write
|
||
|
2B97D4E6000
|
heap
|
page read and write
|
||
|
DC47C8E000
|
stack
|
page read and write
|
||
|
DC47E0A000
|
stack
|
page read and write
|
||
|
DC4790A000
|
stack
|
page read and write
|
||
|
2B901809000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A132000
|
trusted library allocation
|
page read and write
|
||
|
2B97CC80000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A134000
|
trusted library allocation
|
page read and write
|
||
|
2B900228000
|
trusted library allocation
|
page read and write
|
||
|
2B97D576000
|
heap
|
page read and write
|
||
|
7FFB4A570000
|
trusted library allocation
|
page read and write
|
||
|
2B97B140000
|
heap
|
page read and write
|
||
|
2B902710000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A480000
|
trusted library allocation
|
page execute and read and write
|
||
|
DC47C4D000
|
stack
|
page read and write
|
||
|
7FFB4A340000
|
trusted library allocation
|
page read and write
|
||
|
DC467FA000
|
stack
|
page read and write
|
||
|
DC47D0E000
|
stack
|
page read and write
|
||
|
2B900C28000
|
trusted library allocation
|
page read and write
|
||
|
2B97B237000
|
heap
|
page read and write
|
||
|
2B910072000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A360000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A330000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A5E0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A4A0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A450000
|
trusted library allocation
|
page read and write
|
||
|
2B902419000
|
trusted library allocation
|
page read and write
|
||
|
2B97D5B3000
|
heap
|
page read and write
|
||
|
7FFB4A524000
|
trusted library allocation
|
page read and write
|
||
|
DC46EFB000
|
stack
|
page read and write
|
||
|
7FFB4A318000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A4E0000
|
trusted library allocation
|
page read and write
|
||
|
2B97D280000
|
heap
|
page execute and read and write
|
||
|
2B97D4AF000
|
heap
|
page read and write
|
||
|
2B97D599000
|
heap
|
page read and write
|
||
|
2B97D572000
|
heap
|
page read and write
|
||
|
DC479CA000
|
stack
|
page read and write
|
||
|
7FFB4A320000
|
trusted library allocation
|
page execute and read and write
|
||
|
2B97CAD0000
|
trusted library allocation
|
page read and write
|
||
|
2B97B145000
|
heap
|
page read and write
|
||
|
7FFB4A370000
|
trusted library allocation
|
page read and write
|
||
|
DC47D8C000
|
stack
|
page read and write
|
||
|
2B97D4D5000
|
heap
|
page read and write
|
||
|
7FFB4A380000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A560000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A312000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A130000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A314000
|
trusted library allocation
|
page read and write
|
||
|
2B97D473000
|
heap
|
page read and write
|
||
|
DC466FE000
|
stack
|
page read and write
|
||
|
2B90273F000
|
trusted library allocation
|
page read and write
|
||
|
DC4794E000
|
stack
|
page read and write
|
||
|
2B97D0DE000
|
heap
|
page read and write
|
||
|
2B97D7EC000
|
heap
|
page read and write
|
||
|
2B97B1F0000
|
heap
|
page read and write
|
||
|
DC46CFE000
|
stack
|
page read and write
|
||
|
2B902406000
|
trusted library allocation
|
page read and write
|
||
|
2B902518000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A13D000
|
trusted library allocation
|
page execute and read and write
|
||
|
2B900D35000
|
trusted library allocation
|
page read and write
|
||
|
2B97D2B0000
|
heap
|
page read and write
|
||
|
DC46385000
|
stack
|
page read and write
|
||
|
7FFB4A3B0000
|
trusted library allocation
|
page read and write
|
||
|
2B901941000
|
trusted library allocation
|
page read and write
|
||
|
2B97CAF0000
|
trusted library allocation
|
page read and write
|
||
|
2B902410000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A520000
|
trusted library allocation
|
page read and write
|
||
|
DC47BCE000
|
stack
|
page read and write
|
||
|
7FFB4A503000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A18C000
|
trusted library allocation
|
page execute and read and write
|
||
|
2B97CD50000
|
heap
|
page read and write
|
||
|
7FFB4A216000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFB4A4C0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFB4A14B000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A3E0000
|
trusted library allocation
|
page read and write
|
||
|
2B97B1FC000
|
heap
|
page read and write
|
||
|
DC46D7E000
|
stack
|
page read and write
|
||
|
2B97D56C000
|
heap
|
page read and write
|
||
|
2B97D0A0000
|
heap
|
page read and write
|
||
|
2B97D538000
|
heap
|
page read and write
|
||
|
2B97D210000
|
heap
|
page execute and read and write
|
||
|
7FFB4A53C000
|
trusted library allocation
|
page read and write
|
||
|
2B90271F000
|
trusted library allocation
|
page read and write
|
||
|
2B902724000
|
trusted library allocation
|
page read and write
|
||
|
2B902728000
|
trusted library allocation
|
page read and write
|
||
|
2B97D260000
|
trusted library allocation
|
page read and write
|
||
|
2B97D4FE000
|
heap
|
page read and write
|
||
|
7FFB4A460000
|
trusted library allocation
|
page read and write
|
||
|
DC4687D000
|
stack
|
page read and write
|
||
|
2B97D11E000
|
heap
|
page read and write
|
||
|
7FFB4A1E0000
|
trusted library allocation
|
page read and write
|
||
|
DC46C77000
|
stack
|
page read and write
|
||
|
2B97D58A000
|
heap
|
page read and write
|
||
|
2B91022B000
|
trusted library allocation
|
page read and write
|
||
|
2B90272D000
|
trusted library allocation
|
page read and write
|
||
|
2B902414000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A1E6000
|
trusted library allocation
|
page read and write
|
||
|
2B91031B000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A4F0000
|
trusted library allocation
|
page read and write
|
||
|
2B901828000
|
trusted library allocation
|
page read and write
|
||
|
2B97CB65000
|
heap
|
page read and write
|
||
|
2B902731000
|
trusted library allocation
|
page read and write
|
||
|
2B97CAA0000
|
trusted library allocation
|
page read and write
|
||
|
2B97CB74000
|
heap
|
page read and write
|
||
|
7FFB4A350000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A530000
|
trusted library allocation
|
page read and write
|
||
|
2B9102EB000
|
trusted library allocation
|
page read and write
|
||
|
2B97D3E9000
|
heap
|
page read and write
|
||
|
2B97CD10000
|
heap
|
page read and write
|
||
|
DC46AF8000
|
stack
|
page read and write
|
||
|
2B97B1EE000
|
heap
|
page read and write
|
||
|
7FFB4A490000
|
trusted library allocation
|
page read and write
|
||
|
DC46B77000
|
stack
|
page read and write
|
||
|
2B97B150000
|
heap
|
page read and write
|
||
|
2B90182E000
|
trusted library allocation
|
page read and write
|
||
|
2B9023EE000
|
trusted library allocation
|
page read and write
|
||
|
2B97D290000
|
heap
|
page read and write
|
||
|
2B97D58E000
|
heap
|
page read and write
|
||
|
2B90240B000
|
trusted library allocation
|
page read and write
|
||
|
2B902715000
|
trusted library allocation
|
page read and write
|
||
|
2B97D3CB000
|
heap
|
page read and write
|
||
|
2B9023F3000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A529000
|
trusted library allocation
|
page read and write
|
||
|
2B910001000
|
trusted library allocation
|
page read and write
|
||
|
2B97B110000
|
heap
|
page read and write
|
||
|
7FFB4A3C0000
|
trusted library allocation
|
page read and write
|
||
|
2B97CAE0000
|
heap
|
page readonly
|
||
|
2B97B010000
|
heap
|
page read and write
|
||
|
2B901883000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A4B0000
|
trusted library allocation
|
page read and write
|
||
|
2B97B158000
|
heap
|
page read and write
|
||
|
7DF472170000
|
trusted library allocation
|
page execute and read and write
|
||
|
7DF472150000
|
trusted library allocation
|
page execute and read and write
|
||
|
2B97B23C000
|
heap
|
page read and write
|
||
|
7FFB4A2EA000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A133000
|
trusted library allocation
|
page execute and read and write
|
||
|
2B97D3C0000
|
heap
|
page read and write
|
||
|
2B97B1F6000
|
heap
|
page read and write
|
||
|
2B901806000
|
trusted library allocation
|
page read and write
|
||
|
2B9023F8000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A500000
|
trusted library allocation
|
page read and write
|
||
|
2B97CB20000
|
trusted library allocation
|
page read and write
|
||
|
2B97D476000
|
heap
|
page read and write
|
||
|
2B97D3B7000
|
heap
|
page execute and read and write
|
||
|
7FFB4A140000
|
trusted library allocation
|
page read and write
|
||
|
2B9014B4000
|
trusted library allocation
|
page read and write
|
||
|
2B97CA00000
|
heap
|
page read and write
|
||
|
7DF472160000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFB4A4D0000
|
trusted library allocation
|
page read and write
|
||
|
2B90270C000
|
trusted library allocation
|
page read and write
|
||
|
DC46BF8000
|
stack
|
page read and write
|
||
|
DC46DFC000
|
stack
|
page read and write
|
||
|
7FFB4A580000
|
trusted library allocation
|
page read and write
|
||
|
DC47B4E000
|
stack
|
page read and write
|
||
|
2B902575000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A470000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A540000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A3A0000
|
trusted library allocation
|
page read and write
|
||
|
2B97D484000
|
heap
|
page read and write
|
||
|
2B97B0F0000
|
heap
|
page read and write
|
||
|
7FFB4A550000
|
trusted library allocation
|
page read and write
|
||
|
2B97D195000
|
heap
|
page read and write
|
||
|
DC47ACB000
|
stack
|
page read and write
|
||
|
2B901A28000
|
trusted library allocation
|
page read and write
|
||
|
2B97D14F000
|
heap
|
page read and write
|
||
|
7FFB4A5F0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFB4A400000
|
trusted library allocation
|
page read and write
|
||
|
2B9023FC000
|
trusted library allocation
|
page read and write
|
||
|
2B97CB2A000
|
trusted library allocation
|
page read and write
|
||
|
2B97B20E000
|
heap
|
page read and write
|
||
|
7FFB4A420000
|
trusted library allocation
|
page read and write
|
||
|
2B97D555000
|
heap
|
page read and write
|
||
|
7FFB4A3D0000
|
trusted library allocation
|
page read and write
|
||
|
2B901814000
|
trusted library allocation
|
page read and write
|
||
|
DC46A79000
|
stack
|
page read and write
|
||
|
7FFB4A1EC000
|
trusted library allocation
|
page execute and read and write
|
||
|
2B901F58000
|
trusted library allocation
|
page read and write
|
||
|
DC46E7C000
|
stack
|
page read and write
|
||
|
7FFB4A440000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4A410000
|
trusted library allocation
|
page read and write
|
There are 207 hidden memdumps, click here to show them.