  1. #silence any errors
  2. $ErrorActionPreference = 'SilentlyContinue'
  3. #file location of Baseline file.
  4. $file = New-Item -Path C:\Users\Anthony\Documents\ -Name "BeforeBase.txt" -ItemType "file" -Force
  5.  
  6. #gets the registry valuse for current user typed urls, run, and run once. Add to output file
  7. Get-Item -Path "Registry::\HKCU\Software\Microsoft\Internet Explorer\TypedURLs" | Out-File -Append $file
  8. Get-Item -Path "Registry::\HKCU\Software\Microsoft\Windows\CurrentVersion\Run" | Out-File -Append $file
  9. Get-Item -Path "Registry::\HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" | Out-File -Append $file
  10.  
  11. #gets the registry valuse for run and run once. Add to output file
  12. Get-Item -Path "Registry::\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" | Out-File -Append $file
  13. Get-Item -Path "Registry::\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" | Out-File -Append $file
  14.  
  15. #gets all locations under the following registry location and assign to a variable
  16. Get-ChildItem 'Registry::\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks' -Recurse | Out-File -Append $file
  17. Get-ChildItem 'Registry::\HKLM\SYSTEM\CurrentControlSet\SERVICES\' -Recurse | Out-File -Append $file
  18. Get-ChildItem 'Registry::\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\' -Recurse | Out-File -Append $file
  19. Get-ChildItem 'Registry::\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\' -Recurse | Out-File -Append $file
  20.  
  21.  
  22.  
  23. #Pause script and allow for malware to run
  24. Read-Host -Prompt "Press enter after running malware."
  25.  
  26.  
  27.  
  28. #file location of After Baseline file.
  29. $file2 = New-Item -Path C:\Users\Anthony\Documents\ -Name "AfterBase.txt" -ItemType "file" -Force
  30.  
  31.  
  32. #gets the registry valuse for current user typed urls, run, and run once. Add to output file
  33. Get-Item -Path "Registry::\HKCU\Software\Microsoft\Internet Explorer\TypedURLs" | Out-File -Append $file2
  34. Get-Item -Path "Registry::\HKCU\Software\Microsoft\Windows\CurrentVersion\Run" | Out-File -Append $file2
  35. Get-Item -Path "Registry::\HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" | Out-File -Append $file2
  36.  
  37. #gets the registry valuse for run and run once. Add to output file
  38. Get-Item -Path "Registry::\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" | Out-File -Append $file2
  39. Get-Item -Path "Registry::\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" | Out-File -Append $file2
  40.  
  41. #gets all locations under the following registry location and assign to a variable
  42. Get-ChildItem 'Registry::\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks' -Recurse | Out-File -Append $file2
  43. Get-ChildItem 'Registry::\HKLM\SYSTEM\CurrentControlSet\SERVICES\' -Recurse | Out-File -Append $file2
  44. Get-ChildItem 'Registry::\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\' -Recurse | Out-File -Append $file2
  45. Get-ChildItem 'Registry::\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\' -Recurse | Out-File -Append $file2
  46.  
  47. Compare-Object (Get-Content C:\Users\Anthony\Documents\BeforeBase.txt) (Get-Content C:\Users\Anthony\Documents\AfterBase.txt) | ?{$_.sideIndicator -eq "=>"} | Select -ExpandProperty InputObject