Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
payload.ps1
|
ASCII text, with very long lines (65346), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepad.exe.log
|
CSV text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_afjfhcho.akh.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eilxymg2.ntc.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kf2a4w5p.fan.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y0zkfibh.wn1.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WHJK2IDY10Z5AFGGHPLO.temp
|
data
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\payload.ps1"
|
|
|
|
C:\Windows\System32\notepad.exe
|
C:\Windows\System32\notepad.exe
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
vbdsg.duckdns.org
|
|
||
|
https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1DA96AF1000
|
trusted library allocation
|
page read and write
|
|
|
|
1DA969E0000
|
trusted library section
|
page read and write
|
|
|
|
12509939000
|
trusted library allocation
|
page read and write
|
||
|
1DA94EDD000
|
heap
|
page read and write
|
||
|
7C5EE5000
|
stack
|
page read and write
|
||
|
1DA96880000
|
heap
|
page readonly
|
||
|
12503030000
|
heap
|
page read and write
|
||
|
7C627E000
|
stack
|
page read and write
|
||
|
12504BC0000
|
heap
|
page read and write
|
||
|
7DF473260000
|
trusted library allocation
|
page execute and read and write
|
||
|
12503010000
|
heap
|
page read and write
|
||
|
1DA96A00000
|
trusted library allocation
|
page read and write
|
||
|
1DA94F0B000
|
heap
|
page read and write
|
||
|
12504B20000
|
heap
|
page read and write
|
||
|
1DA96850000
|
heap
|
page read and write
|
||
|
1DA969F0000
|
trusted library allocation
|
page read and write
|
||
|
1DA96A03000
|
trusted library allocation
|
page read and write
|
||
|
1DA96810000
|
heap
|
page read and write
|
||
|
12504AB0000
|
trusted library allocation
|
page read and write
|
||
|
1DA96A30000
|
trusted library allocation
|
page read and write
|
||
|
7DF473280000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DA94F42000
|
heap
|
page read and write
|
||
|
7FFD9B8A0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DA969B0000
|
heap
|
page read and write
|
||
|
1DA96A20000
|
heap
|
page execute and read and write
|
||
|
125032B0000
|
heap
|
page read and write
|
||
|
1DA94EA4000
|
heap
|
page read and write
|
||
|
1DA94EDD000
|
heap
|
page read and write
|
||
|
7DF473270000
|
trusted library allocation
|
page execute and read and write
|
||
|
125032A0000
|
heap
|
page read and write
|
||
|
12502FF0000
|
heap
|
page read and write
|
||
|
125032A5000
|
heap
|
page read and write
|
||
|
7FFD9B922000
|
trusted library allocation
|
page read and write
|
||
|
12504AD0000
|
trusted library allocation
|
page read and write
|
||
|
1250A339000
|
trusted library allocation
|
page read and write
|
||
|
7C647E000
|
stack
|
page read and write
|
||
|
1DA94EAF000
|
heap
|
page read and write
|
||
|
7C637E000
|
stack
|
page read and write
|
||
|
1DAAF1B1000
|
heap
|
page read and write
|
||
|
1DA94E10000
|
heap
|
page read and write
|
||
|
7FFD9B78D000
|
trusted library allocation
|
page execute and read and write
|
||
|
12503220000
|
heap
|
page read and write
|
||
|
7FFD9B782000
|
trusted library allocation
|
page read and write
|
||
|
1DA94EB3000
|
heap
|
page read and write
|
||
|
72F247E000
|
stack
|
page read and write
|
||
|
72F26FE000
|
stack
|
page read and write
|
||
|
1DA96A03000
|
trusted library allocation
|
page read and write
|
||
|
1250311E000
|
heap
|
page read and write
|
||
|
7C687F000
|
stack
|
page read and write
|
||
|
125030EF000
|
heap
|
page read and write
|
||
|
1DA969B4000
|
heap
|
page read and write
|
||
|
1250CB39000
|
trusted library allocation
|
page read and write
|
||
|
1DA94EA1000
|
heap
|
page read and write
|
||
|
125050E0000
|
heap
|
page execute and read and write
|
||
|
1DAA6AFE000
|
trusted library allocation
|
page read and write
|
||
|
12508F39000
|
trusted library allocation
|
page read and write
|
||
|
1DA94F42000
|
heap
|
page read and write
|
||
|
12505D39000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B938000
|
trusted library allocation
|
page execute and read and write
|
||
|
12503270000
|
trusted library allocation
|
page read and write
|
||
|
12503042000
|
heap
|
page read and write
|
||
|
1DA94E68000
|
heap
|
page read and write
|
||
|
7FFD9B784000
|
trusted library allocation
|
page read and write
|
||
|
1DA94EA4000
|
heap
|
page read and write
|
||
|
72F25FE000
|
stack
|
page read and write
|
||
|
72F207F000
|
stack
|
page read and write
|
||
|
7FFD9B783000
|
trusted library allocation
|
page execute and read and write
|
||
|
7C744E000
|
stack
|
page read and write
|
||
|
1DA96A00000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B795000
|
trusted library allocation
|
page read and write
|
||
|
7C657E000
|
stack
|
page read and write
|
||
|
1DA96A10000
|
trusted library allocation
|
page read and write
|
||
|
1DA94F09000
|
heap
|
page read and write
|
||
|
1DA96A03000
|
trusted library allocation
|
page read and write
|
||
|
12504F1C000
|
heap
|
page read and write
|
||
|
1DA96A09000
|
trusted library allocation
|
page read and write
|
||
|
12507B39000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B866000
|
trusted library allocation
|
page execute and read and write
|
||
|
7C667E000
|
stack
|
page read and write
|
||
|
7C693F000
|
stack
|
page read and write
|
||
|
12508539000
|
trusted library allocation
|
page read and write
|
||
|
72F24FD000
|
stack
|
page read and write
|
||
|
1DA94EA1000
|
heap
|
page read and write
|
||
|
1DA96870000
|
trusted library allocation
|
page read and write
|
||
|
12502FE0000
|
heap
|
page read and write
|
||
|
7C63FE000
|
stack
|
page read and write
|
||
|
1DAAF1B0000
|
heap
|
page read and write
|
||
|
1DA94F14000
|
heap
|
page read and write
|
||
|
1DA94E20000
|
heap
|
page read and write
|
||
|
1DA967D0000
|
heap
|
page read and write
|
||
|
1DA94EB3000
|
heap
|
page read and write
|
||
|
1DA94F40000
|
heap
|
page read and write
|
||
|
7FFD9B92D000
|
trusted library allocation
|
page execute and read and write
|
||
|
12504B30000
|
direct allocation
|
page execute and read and write
|
||
|
1DAA6AF9000
|
trusted library allocation
|
page read and write
|
||
|
1DA94F42000
|
heap
|
page read and write
|
||
|
1DA94E9A000
|
heap
|
page read and write
|
||
|
1DA96A03000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B925000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B930000
|
trusted library allocation
|
page read and write
|
||
|
125030B7000
|
heap
|
page read and write
|
||
|
72F218F000
|
stack
|
page read and write
|
||
|
1DA96A10000
|
trusted library allocation
|
page read and write
|
||
|
72F257E000
|
stack
|
page read and write
|
||
|
12507139000
|
trusted library allocation
|
page read and write
|
||
|
7C683E000
|
stack
|
page read and write
|
||
|
12506739000
|
trusted library allocation
|
page read and write
|
||
|
1DA94EAF000
|
heap
|
page read and write
|
||
|
1DA94E60000
|
heap
|
page read and write
|
||
|
1DA969C0000
|
trusted library allocation
|
page read and write
|
||
|
12505197000
|
trusted library allocation
|
page read and write
|
||
|
1DAA6AF1000
|
trusted library allocation
|
page read and write
|
||
|
1DA94F20000
|
heap
|
page read and write
|
||
|
125030D7000
|
heap
|
page read and write
|
||
|
1DA96A10000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B830000
|
trusted library allocation
|
page read and write
|
||
|
7C5F6D000
|
stack
|
page read and write
|
||
|
1DA96A00000
|
trusted library allocation
|
page read and write
|
||
|
7C69BB000
|
stack
|
page read and write
|
||
|
12504A80000
|
trusted library allocation
|
page read and write
|
||
|
7C66FC000
|
stack
|
page read and write
|
||
|
1250C139000
|
trusted library allocation
|
page read and write
|
||
|
1DA96A00000
|
trusted library allocation
|
page read and write
|
||
|
12504AC0000
|
heap
|
page readonly
|
||
|
1DA969F3000
|
trusted library allocation
|
page read and write
|
||
|
1DA94DF0000
|
unkown
|
page execute read
|
||
|
12505111000
|
trusted library allocation
|
page read and write
|
||
|
1DA96AE0000
|
heap
|
page execute and read and write
|
||
|
7FFD9B920000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B840000
|
trusted library allocation
|
page execute and read and write
|
||
|
12505339000
|
trusted library allocation
|
page read and write
|
||
|
1DA96A10000
|
trusted library allocation
|
page read and write
|
||
|
1DA969D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B950000
|
trusted library allocation
|
page read and write
|
||
|
125050E7000
|
heap
|
page execute and read and write
|
||
|
12503119000
|
heap
|
page read and write
|
||
|
125032B5000
|
heap
|
page read and write
|
||
|
1DA96A00000
|
trusted library allocation
|
page read and write
|
||
|
7C64FA000
|
stack
|
page read and write
|
||
|
7FFD9B790000
|
trusted library allocation
|
page read and write
|
||
|
1DA94F09000
|
heap
|
page read and write
|
||
|
1DA96840000
|
trusted library allocation
|
page read and write
|
||
|
7FFD9B940000
|
trusted library allocation
|
page read and write
|
||
|
1DA96A10000
|
trusted library allocation
|
page read and write
|
||
|
72F210F000
|
stack
|
page read and write
|
||
|
1DA96A00000
|
trusted library allocation
|
page read and write
|
||
|
7C65FE000
|
stack
|
page read and write
|
||
|
7FFD9B952000
|
trusted library allocation
|
page read and write
|
||
|
7C5FAE000
|
stack
|
page read and write
|
||
|
7C677E000
|
stack
|
page read and write
|
||
|
125030D3000
|
heap
|
page read and write
|
||
|
1250AD39000
|
trusted library allocation
|
page read and write
|
||
|
125030CF000
|
heap
|
page read and write
|
||
|
1DA94F40000
|
heap
|
page read and write
|
||
|
1250B739000
|
trusted library allocation
|
page read and write
|
||
|
1DA96854000
|
heap
|
page read and write
|
||
|
72F267E000
|
stack
|
page read and write
|
||
|
1DA96B1D000
|
trusted library allocation
|
page read and write
|
||
|
1DA94E86000
|
heap
|
page read and write
|
||
|
7FFD9B960000
|
trusted library allocation
|
page execute and read and write
|
||
|
1DA94E9A000
|
heap
|
page read and write
|
||
|
7C73CE000
|
stack
|
page read and write
|
||
|
7C62FE000
|
stack
|
page read and write
|
||
|
12505100000
|
heap
|
page execute and read and write
|
||
|
1DA969A0000
|
heap
|
page read and write
|
There are 155 hidden memdumps, click here to show them.