Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
xy.ps1
|
ASCII text, with very long lines (65346), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepad.exe.log
|
CSV text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4n4y52un.zpo.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qbiyp2nt.djy.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ulitwssz.itx.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vxvpx2jb.b1a.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VK51PUCXPPA4IE6ZTCL0.temp
|
data
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\xy.ps1"
|
|
|
|
C:\Windows\System32\notepad.exe
|
C:\Windows\System32\notepad.exe
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
kdke.duckdns.org
|
|
||
|
https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator
|
unknown
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1D8A4A10000
|
trusted library section
|
page read and write
|
|
|
|
1D8A4D11000
|
trusted library allocation
|
page read and write
|
|
|
|
97F3F7E000
|
stack
|
page read and write
|
||
|
7FFB4B230000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4B63000
|
trusted library allocation
|
page read and write
|
||
|
1D8A2FAD000
|
heap
|
page read and write
|
||
|
1D8A4B70000
|
trusted library allocation
|
page read and write
|
||
|
1D8A2FB0000
|
heap
|
page read and write
|
||
|
1D8A2FC3000
|
heap
|
page read and write
|
||
|
1D8A4B70000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4B60000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4B63000
|
trusted library allocation
|
page read and write
|
||
|
1D8A49F0000
|
trusted library allocation
|
page read and write
|
||
|
1D8A2FB5000
|
heap
|
page read and write
|
||
|
97F3D7E000
|
stack
|
page read and write
|
||
|
1D8A2FC3000
|
heap
|
page read and write
|
||
|
7DF43D800000
|
trusted library allocation
|
page execute and read and write
|
||
|
1D8A2FF4000
|
heap
|
page read and write
|
||
|
1D8A2F78000
|
heap
|
page read and write
|
||
|
7FFB4B3C5000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B3F0000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4B50000
|
trusted library allocation
|
page read and write
|
||
|
1D8A2FBF000
|
heap
|
page read and write
|
||
|
82B0EFF000
|
stack
|
page read and write
|
||
|
1D8A4B60000
|
trusted library allocation
|
page read and write
|
||
|
97F39FE000
|
stack
|
page read and write
|
||
|
1B680001000
|
trusted library allocation
|
page read and write
|
||
|
97F393F000
|
stack
|
page read and write
|
||
|
97F3DFE000
|
stack
|
page read and write
|
||
|
1D8A4B60000
|
trusted library allocation
|
page read and write
|
||
|
82B0B8F000
|
stack
|
page read and write
|
||
|
7FFB4B3E0000
|
trusted library allocation
|
page read and write
|
||
|
1D8B4D1E000
|
trusted library allocation
|
page read and write
|
||
|
97F3875000
|
stack
|
page read and write
|
||
|
7FFB4B306000
|
trusted library allocation
|
page execute and read and write
|
||
|
97F407F000
|
stack
|
page read and write
|
||
|
82B107E000
|
stack
|
page read and write
|
||
|
1D8A2F70000
|
heap
|
page read and write
|
||
|
1D8A3043000
|
heap
|
page read and write
|
||
|
1D8A2FF4000
|
heap
|
page read and write
|
||
|
7DF43D7E0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1D8A3028000
|
heap
|
page read and write
|
||
|
1D8A4A20000
|
heap
|
page read and write
|
||
|
1B680A01000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4B60000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4980000
|
heap
|
page read and write
|
||
|
7DF43D7F0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1D8A4B63000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4D00000
|
heap
|
page execute and read and write
|
||
|
1D8A2FED000
|
heap
|
page read and write
|
||
|
82B10FF000
|
stack
|
page read and write
|
||
|
1D8A3150000
|
heap
|
page read and write
|
||
|
7FFB4B2D0000
|
trusted library allocation
|
page read and write
|
||
|
1D8A2FBF000
|
heap
|
page read and write
|
||
|
1D8A4CE0000
|
heap
|
page execute and read and write
|
||
|
1B687801000
|
trusted library allocation
|
page read and write
|
||
|
97F403E000
|
stack
|
page read and write
|
||
|
1D8A2FB0000
|
heap
|
page read and write
|
||
|
1D8A3015000
|
heap
|
page read and write
|
||
|
97F3AFE000
|
stack
|
page read and write
|
||
|
1D8A3045000
|
heap
|
page read and write
|
||
|
7FFB4B3CD000
|
trusted library allocation
|
page execute and read and write
|
||
|
82B11FF000
|
stack
|
page read and write
|
||
|
1D8A49B0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B3D0000
|
trusted library allocation
|
page read and write
|
||
|
1B683201000
|
trusted library allocation
|
page read and write
|
||
|
97F413E000
|
stack
|
page read and write
|
||
|
97F3A7F000
|
stack
|
page read and write
|
||
|
1B681E01000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4B63000
|
trusted library allocation
|
page read and write
|
||
|
1B681401000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4D3D000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B3C0000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B2E0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1D8A4B90000
|
heap
|
page read and write
|
||
|
1D8B4D19000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4930000
|
heap
|
page read and write
|
||
|
97F41BB000
|
stack
|
page read and write
|
||
|
7FFB4B22D000
|
trusted library allocation
|
page execute and read and write
|
||
|
1D8A2FAA000
|
heap
|
page read and write
|
||
|
7FFB4B3F2000
|
trusted library allocation
|
page read and write
|
||
|
1B685001000
|
trusted library allocation
|
page read and write
|
||
|
97F3CFA000
|
stack
|
page read and write
|
||
|
82B0FFD000
|
stack
|
page read and write
|
||
|
82B117E000
|
stack
|
page read and write
|
||
|
1B685A01000
|
trusted library allocation
|
page read and write
|
||
|
1D8A49E0000
|
heap
|
page readonly
|
||
|
1D8A4A00000
|
trusted library allocation
|
page read and write
|
||
|
1D8B4D11000
|
trusted library allocation
|
page read and write
|
||
|
1D8A49D0000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4B70000
|
trusted library allocation
|
page read and write
|
||
|
97F38FD000
|
stack
|
page read and write
|
||
|
7FFB4B235000
|
trusted library allocation
|
page read and write
|
||
|
1D8A2FAD000
|
heap
|
page read and write
|
||
|
7FFB4B224000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4B80000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B3C2000
|
trusted library allocation
|
page read and write
|
||
|
7FFB4B223000
|
trusted library allocation
|
page execute and read and write
|
||
|
1D8A4A24000
|
heap
|
page read and write
|
||
|
97F3EFE000
|
stack
|
page read and write
|
||
|
82B0F7F000
|
stack
|
page read and write
|
||
|
1D8A4B53000
|
trusted library allocation
|
page read and write
|
||
|
1B686401000
|
trusted library allocation
|
page read and write
|
||
|
97F3E7C000
|
stack
|
page read and write
|
||
|
1D8A4BA0000
|
heap
|
page read and write
|
||
|
1D8A2FAA000
|
heap
|
page read and write
|
||
|
7FFB4B340000
|
trusted library allocation
|
page execute and read and write
|
||
|
1D8A4B69000
|
trusted library allocation
|
page read and write
|
||
|
1B682801000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4B70000
|
trusted library allocation
|
page read and write
|
||
|
1D8A301C000
|
heap
|
page read and write
|
||
|
1D8A4974000
|
heap
|
page read and write
|
||
|
1D8A2F96000
|
heap
|
page read and write
|
||
|
1D8A2F50000
|
unkown
|
page execute read
|
||
|
1D8A4970000
|
heap
|
page read and write
|
||
|
1D8A4B60000
|
trusted library allocation
|
page read and write
|
||
|
97F4BCD000
|
stack
|
page read and write
|
||
|
1D8A4BA4000
|
heap
|
page read and write
|
||
|
7FFB4B400000
|
trusted library allocation
|
page execute and read and write
|
||
|
1D8A4BA6000
|
heap
|
page read and write
|
||
|
1D8A3043000
|
heap
|
page read and write
|
||
|
1D8A3045000
|
heap
|
page read and write
|
||
|
7FFB4B222000
|
trusted library allocation
|
page read and write
|
||
|
97F3BFE000
|
stack
|
page read and write
|
||
|
1B686E01000
|
trusted library allocation
|
page read and write
|
||
|
1D8A2FED000
|
heap
|
page read and write
|
||
|
1B683C01000
|
trusted library allocation
|
page read and write
|
||
|
1D8A2FB5000
|
heap
|
page read and write
|
||
|
1B684601000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4B60000
|
trusted library allocation
|
page read and write
|
||
|
1D8A4BA1000
|
heap
|
page read and write
|
||
|
82B0E7F000
|
stack
|
page read and write
|
||
|
97F3C7E000
|
stack
|
page read and write
|
||
|
1D8A3070000
|
heap
|
page read and write
|
||
|
97F3B7E000
|
stack
|
page read and write
|
||
|
7FFB4B3D8000
|
trusted library allocation
|
page execute and read and write
|
||
|
1D8A3035000
|
heap
|
page read and write
|
||
|
1D8A4B70000
|
trusted library allocation
|
page read and write
|
There are 128 hidden memdumps, click here to show them.