Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
quark.ps1
|
ASCII text, with very long lines (65346), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepad.exe.log
|
CSV text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_igiqhzjc.zdy.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_julg0pxn.imr.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ofgf04im.lcz.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zphazezq.yoc.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DPXAHRKE5K5H2J21DYW2.temp
|
data
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\quark.ps1"
|
|
|
|
C:\Windows\System32\notepad.exe
|
C:\Windows\System32\notepad.exe
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
jdokds.duckdns.org
|
|
||
|
https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
28858F71000
|
trusted library allocation
|
page read and write
|
|
|
|
28858EF0000
|
trusted library section
|
page read and write
|
|
|
|
22405229000
|
trusted library allocation
|
page read and write
|
||
|
2885751E000
|
heap
|
page read and write
|
||
|
28858F00000
|
heap
|
page read and write
|
||
|
28858F60000
|
heap
|
page execute and read and write
|
||
|
28858E80000
|
trusted library allocation
|
page read and write
|
||
|
22404829000
|
trusted library allocation
|
page read and write
|
||
|
2885751E000
|
heap
|
page read and write
|
||
|
22400C29000
|
trusted library allocation
|
page read and write
|
||
|
28858EB0000
|
heap
|
page read and write
|
||
|
7FF848F40000
|
trusted library allocation
|
page execute and read and write
|
||
|
28858F30000
|
trusted library allocation
|
page read and write
|
||
|
28858E10000
|
heap
|
page read and write
|
||
|
2F834FE000
|
stack
|
page read and write
|
||
|
7FF848ED0000
|
trusted library allocation
|
page read and write
|
||
|
7FF848EE0000
|
trusted library allocation
|
page execute and read and write
|
||
|
D4A7AFE000
|
stack
|
page read and write
|
||
|
D4A78FD000
|
stack
|
page read and write
|
||
|
2885751E000
|
heap
|
page read and write
|
||
|
28858F30000
|
trusted library allocation
|
page read and write
|
||
|
2F8408D000
|
stack
|
page read and write
|
||
|
28857440000
|
heap
|
page read and write
|
||
|
28858F23000
|
trusted library allocation
|
page read and write
|
||
|
2885747B000
|
heap
|
page read and write
|
||
|
7FF848E22000
|
trusted library allocation
|
page read and write
|
||
|
7FF848E35000
|
trusted library allocation
|
page read and write
|
||
|
7DF45D800000
|
trusted library allocation
|
page execute and read and write
|
||
|
28857448000
|
heap
|
page read and write
|
||
|
D4A797F000
|
stack
|
page read and write
|
||
|
28857519000
|
heap
|
page read and write
|
||
|
2F830FD000
|
stack
|
page read and write
|
||
|
28857511000
|
heap
|
page read and write
|
||
|
7FF848FE0000
|
trusted library allocation
|
page read and write
|
||
|
7FF849000000
|
trusted library allocation
|
page execute and read and write
|
||
|
28871741000
|
heap
|
page read and write
|
||
|
7FF848FF0000
|
trusted library allocation
|
page read and write
|
||
|
2F8317E000
|
stack
|
page read and write
|
||
|
28857494000
|
heap
|
page read and write
|
||
|
22402A29000
|
trusted library allocation
|
page read and write
|
||
|
2F82FFE000
|
stack
|
page read and write
|
||
|
2885751E000
|
heap
|
page read and write
|
||
|
28857490000
|
heap
|
page read and write
|
||
|
7FF848FD8000
|
trusted library allocation
|
page execute and read and write
|
||
|
288712F4000
|
heap
|
page read and write
|
||
|
28858F30000
|
trusted library allocation
|
page read and write
|
||
|
28858ED0000
|
trusted library allocation
|
page read and write
|
||
|
288574C0000
|
heap
|
page read and write
|
||
|
7FF848FC2000
|
trusted library allocation
|
page read and write
|
||
|
28857430000
|
unkown
|
page execute read
|
||
|
28858EA0000
|
trusted library allocation
|
page read and write
|
||
|
2F832FC000
|
stack
|
page read and write
|
||
|
28857490000
|
heap
|
page read and write
|
||
|
2F8367B000
|
stack
|
page read and write
|
||
|
22400229000
|
trusted library allocation
|
page read and write
|
||
|
2885751A000
|
heap
|
page read and write
|
||
|
2885751F000
|
heap
|
page read and write
|
||
|
288574E7000
|
heap
|
page read and write
|
||
|
288574BE000
|
heap
|
page read and write
|
||
|
7FF848F06000
|
trusted library allocation
|
page execute and read and write
|
||
|
2F82B9D000
|
stack
|
page read and write
|
||
|
288574E9000
|
heap
|
page read and write
|
||
|
28858F30000
|
trusted library allocation
|
page read and write
|
||
|
22407029000
|
trusted library allocation
|
page read and write
|
||
|
2F8337E000
|
stack
|
page read and write
|
||
|
28858F30000
|
trusted library allocation
|
page read and write
|
||
|
7FF848FF2000
|
trusted library allocation
|
page read and write
|
||
|
28858F40000
|
trusted library allocation
|
page read and write
|
||
|
28857486000
|
heap
|
page read and write
|
||
|
D4A7A7E000
|
stack
|
page read and write
|
||
|
28857501000
|
heap
|
page read and write
|
||
|
28868F7E000
|
trusted library allocation
|
page read and write
|
||
|
28858F39000
|
trusted library allocation
|
page read and write
|
||
|
2F82B15000
|
stack
|
page read and write
|
||
|
28858EC0000
|
heap
|
page readonly
|
||
|
28858F40000
|
trusted library allocation
|
page read and write
|
||
|
7DF45D820000
|
trusted library allocation
|
page execute and read and write
|
||
|
2885747E000
|
heap
|
page read and write
|
||
|
7FF848E23000
|
trusted library allocation
|
page execute and read and write
|
||
|
2F8347D000
|
stack
|
page read and write
|
||
|
28858EB4000
|
heap
|
page read and write
|
||
|
28857467000
|
heap
|
page read and write
|
||
|
28871860000
|
heap
|
page execute and read and write
|
||
|
2F833FE000
|
stack
|
page read and write
|
||
|
28871740000
|
heap
|
page read and write
|
||
|
28868F71000
|
trusted library allocation
|
page read and write
|
||
|
7FF848FC0000
|
trusted library allocation
|
page read and write
|
||
|
7DF45D810000
|
trusted library allocation
|
page execute and read and write
|
||
|
22403E29000
|
trusted library allocation
|
page read and write
|
||
|
22406629000
|
trusted library allocation
|
page read and write
|
||
|
288574C0000
|
heap
|
page read and write
|
||
|
28857486000
|
heap
|
page read and write
|
||
|
22400001000
|
trusted library allocation
|
page read and write
|
||
|
2F82E7D000
|
stack
|
page read and write
|
||
|
2F82BDE000
|
stack
|
page read and write
|
||
|
2885751A000
|
heap
|
page read and write
|
||
|
2885751A000
|
heap
|
page read and write
|
||
|
22407A29000
|
trusted library allocation
|
page read and write
|
||
|
28858F33000
|
trusted library allocation
|
page read and write
|
||
|
28857483000
|
heap
|
page read and write
|
||
|
28868F79000
|
trusted library allocation
|
page read and write
|
||
|
22402029000
|
trusted library allocation
|
page read and write
|
||
|
28857519000
|
heap
|
page read and write
|
||
|
28858F33000
|
trusted library allocation
|
page read and write
|
||
|
D4A79FE000
|
stack
|
page read and write
|
||
|
D4A74B0000
|
stack
|
page read and write
|
||
|
28858F50000
|
trusted library allocation
|
page read and write
|
||
|
7FF848E2D000
|
trusted library allocation
|
page execute and read and write
|
||
|
2885751E000
|
heap
|
page read and write
|
||
|
2F835FE000
|
stack
|
page read and write
|
||
|
D4A75BF000
|
stack
|
page read and write
|
||
|
7FF848E30000
|
trusted library allocation
|
page read and write
|
||
|
28858F40000
|
trusted library allocation
|
page read and write
|
||
|
28858F33000
|
trusted library allocation
|
page read and write
|
||
|
2F82F7E000
|
stack
|
page read and write
|
||
|
22401629000
|
trusted library allocation
|
page read and write
|
||
|
2885747B000
|
heap
|
page read and write
|
||
|
2885751E000
|
heap
|
page read and write
|
||
|
28857494000
|
heap
|
page read and write
|
||
|
7FF848FCD000
|
trusted library allocation
|
page execute and read and write
|
||
|
28858EE0000
|
trusted library allocation
|
page read and write
|
||
|
22400088000
|
trusted library allocation
|
page read and write
|
||
|
2F831F9000
|
stack
|
page read and write
|
||
|
22403429000
|
trusted library allocation
|
page read and write
|
||
|
2F8307E000
|
stack
|
page read and write
|
||
|
28858F40000
|
trusted library allocation
|
page read and write
|
||
|
28858F10000
|
heap
|
page read and write
|
||
|
28858F14000
|
heap
|
page read and write
|
||
|
28858F33000
|
trusted library allocation
|
page read and write
|
||
|
28858F30000
|
trusted library allocation
|
page read and write
|
||
|
7FF848E24000
|
trusted library allocation
|
page read and write
|
||
|
2F82EFD000
|
stack
|
page read and write
|
||
|
28857511000
|
heap
|
page read and write
|
||
|
D4A753F000
|
stack
|
page read and write
|
||
|
28857630000
|
heap
|
page read and write
|
||
|
28857518000
|
heap
|
page read and write
|
||
|
2F8353E000
|
stack
|
page read and write
|
||
|
22405C29000
|
trusted library allocation
|
page read and write
|
||
|
28857483000
|
heap
|
page read and write
|
||
|
28857550000
|
heap
|
page read and write
|
||
|
2885747E000
|
heap
|
page read and write
|
||
|
288574BE000
|
heap
|
page read and write
|
||
|
7FF848FC5000
|
trusted library allocation
|
page read and write
|
||
|
28858E50000
|
heap
|
page read and write
|
||
|
28858F20000
|
trusted library allocation
|
page read and write
|
||
|
7FF848FD0000
|
trusted library allocation
|
page read and write
|
||
|
2885751E000
|
heap
|
page read and write
|
||
|
2F8327D000
|
stack
|
page read and write
|
||
|
D4A787F000
|
stack
|
page read and write
|
||
|
28858F40000
|
trusted library allocation
|
page read and write
|
There are 140 hidden memdumps, click here to show them.