Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
hy.ps1
|
ASCII text, with very long lines (65441), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepad.exe.log
|
CSV text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bkawl2pe.cxf.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j30tmlh1.bex.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jk1cj3jc.qq5.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xo5uo42e.2ly.ps1
|
ASCII text, with no line terminators
|
modified
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3EC1V92W5H6258ESQE6M.temp
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
|
data
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\hy.ps1"
|
|
|
|
C:\Windows\System32\notepad.exe
|
C:\Windows\System32\notepad.exe
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://aka.ms/pscore68
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1FEDD340000
|
trusted library section
|
page read and write
|
|
|
|
1FEDD370000
|
trusted library allocation
|
page read and write
|
||
|
1F0CF279000
|
trusted library allocation
|
page read and write
|
||
|
4D4EF7D000
|
stack
|
page read and write
|
||
|
7FFAAC432000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD244000
|
heap
|
page read and write
|
||
|
1FEDD230000
|
trusted library allocation
|
page read and write
|
||
|
1F0C81F2000
|
heap
|
page read and write
|
||
|
7B6427E000
|
stack
|
page read and write
|
||
|
1FEED421000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC605000
|
trusted library allocation
|
page read and write
|
||
|
1FEDB630000
|
unkown
|
page execute read
|
||
|
7B6417E000
|
stack
|
page read and write
|
||
|
1FEED42E000
|
trusted library allocation
|
page read and write
|
||
|
1F0C8150000
|
heap
|
page read and write
|
||
|
1FEDD353000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD380000
|
trusted library allocation
|
page read and write
|
||
|
7B644FE000
|
stack
|
page read and write
|
||
|
1F0C8287000
|
heap
|
page read and write
|
||
|
1FEDD6E1000
|
trusted library allocation
|
page read and write
|
||
|
7B643FE000
|
stack
|
page read and write
|
||
|
1FEDD390000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD390000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD370000
|
trusted library allocation
|
page read and write
|
||
|
1F0CAC79000
|
trusted library allocation
|
page read and write
|
||
|
1F0C9C70000
|
heap
|
page execute and read and write
|
||
|
7B646FE000
|
stack
|
page read and write
|
||
|
1FEDD373000
|
trusted library allocation
|
page read and write
|
||
|
1FEDB72B000
|
heap
|
page read and write
|
||
|
7B642FE000
|
stack
|
page read and write
|
||
|
7B6467E000
|
stack
|
page read and write
|
||
|
1FEDB6BC000
|
heap
|
page read and write
|
||
|
7B640FE000
|
stack
|
page read and write
|
||
|
1F0C8480000
|
heap
|
page read and write
|
||
|
7DF417120000
|
trusted library allocation
|
page execute and read and write
|
||
|
7B641FD000
|
stack
|
page read and write
|
||
|
7FFAAC5D0000
|
trusted library allocation
|
page read and write
|
||
|
1F0C9CF0000
|
heap
|
page read and write
|
||
|
1FEDD248000
|
heap
|
page read and write
|
||
|
1FEDB766000
|
heap
|
page read and write
|
||
|
1FEDB763000
|
heap
|
page read and write
|
||
|
1F0C8420000
|
heap
|
page read and write
|
||
|
7FFAAC5F0000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD360000
|
trusted library allocation
|
page read and write
|
||
|
1F0C9C30000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD380000
|
trusted library allocation
|
page read and write
|
||
|
1F0CD479000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC4EC000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FEF5B83000
|
heap
|
page read and write
|
||
|
1F0C8283000
|
heap
|
page read and write
|
||
|
7B6477E000
|
stack
|
page read and write
|
||
|
1FEDD0E0000
|
trusted library allocation
|
page read and write
|
||
|
1F0D1A79000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD390000
|
trusted library allocation
|
page read and write
|
||
|
7B6487E000
|
stack
|
page read and write
|
||
|
1FEDD030000
|
heap
|
page read and write
|
||
|
1F0CA0D8000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD360000
|
trusted library allocation
|
page read and write
|
||
|
1F0C9D00000
|
heap
|
page read and write
|
||
|
1FEDB770000
|
heap
|
page read and write
|
||
|
1F0CC079000
|
trusted library allocation
|
page read and write
|
||
|
1FEDB751000
|
heap
|
page read and write
|
||
|
7FFAAC5E6000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FEDB680000
|
heap
|
page read and write
|
||
|
7FFAAC5E2000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC516000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F0C8485000
|
heap
|
page read and write
|
||
|
1FEDB75F000
|
heap
|
page read and write
|
||
|
7DF417100000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFAAC5E8000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FEDD360000
|
trusted library allocation
|
page read and write
|
||
|
1F0C9D05000
|
heap
|
page read and write
|
||
|
1FEDD360000
|
trusted library allocation
|
page read and write
|
||
|
7B647FE000
|
stack
|
page read and write
|
||
|
7B6457E000
|
stack
|
page read and write
|
||
|
1FEDB688000
|
heap
|
page read and write
|
||
|
1FEDB6CF000
|
heap
|
page read and write
|
||
|
1F0C8258000
|
heap
|
page read and write
|
||
|
1FEDB6C0000
|
heap
|
page read and write
|
||
|
1FEDD020000
|
heap
|
page read and write
|
||
|
1F0C8170000
|
heap
|
page read and write
|
||
|
1FEDD210000
|
trusted library allocation
|
page read and write
|
||
|
1FEF5AE0000
|
heap
|
page read and write
|
||
|
1FEDD370000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC5E0000
|
trusted library allocation
|
page read and write
|
||
|
1F0CA051000
|
trusted library allocation
|
page read and write
|
||
|
4D4EFFE000
|
stack
|
page read and write
|
||
|
1FEDD370000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD380000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD380000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD363000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD410000
|
heap
|
page execute and read and write
|
||
|
1FEDB6D2000
|
heap
|
page read and write
|
||
|
7FFAAC610000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FEDD249000
|
heap
|
page read and write
|
||
|
1F0C82D3000
|
heap
|
page read and write
|
||
|
1F0C8470000
|
heap
|
page readonly
|
||
|
1FEDD380000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC445000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC4F0000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FEDD380000
|
trusted library allocation
|
page read and write
|
||
|
1FEDB6B9000
|
heap
|
page read and write
|
||
|
4D4F17E000
|
stack
|
page read and write
|
||
|
7B648FB000
|
stack
|
page read and write
|
||
|
7FFAAC434000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD350000
|
trusted library allocation
|
page read and write
|
||
|
1F0CDE79000
|
trusted library allocation
|
page read and write
|
||
|
7DF417110000
|
trusted library allocation
|
page execute and read and write
|
||
|
1FEDB770000
|
heap
|
page read and write
|
||
|
1F0C828B000
|
heap
|
page read and write
|
||
|
1F0C81B0000
|
heap
|
page read and write
|
||
|
1F0CFC79000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD370000
|
trusted library allocation
|
page read and write
|
||
|
7B63DCE000
|
stack
|
page read and write
|
||
|
7FFAAC4E6000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD247000
|
heap
|
page read and write
|
||
|
7FFAAC550000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F0C81E0000
|
heap
|
page read and write
|
||
|
1F0CCA79000
|
trusted library allocation
|
page read and write
|
||
|
1FEDB660000
|
heap
|
page read and write
|
||
|
1F0CA279000
|
trusted library allocation
|
page read and write
|
||
|
1FEDB75C000
|
heap
|
page read and write
|
||
|
7B6437E000
|
stack
|
page read and write
|
||
|
1F0D1079000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD109000
|
heap
|
page read and write
|
||
|
1FEDD363000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD383000
|
trusted library allocation
|
page read and write
|
||
|
1FEF5B84000
|
heap
|
page read and write
|
||
|
1FEDD240000
|
heap
|
page read and write
|
||
|
1FEDD3B0000
|
heap
|
page execute and read and write
|
||
|
1FEDD241000
|
heap
|
page read and write
|
||
|
7FFAAC600000
|
trusted library allocation
|
page read and write
|
||
|
1F0C827E000
|
heap
|
page read and write
|
||
|
1FEDD054000
|
heap
|
page read and write
|
||
|
4D4EB33000
|
stack
|
page read and write
|
||
|
4D4F0FE000
|
stack
|
page read and write
|
||
|
1FEDD024000
|
heap
|
page read and write
|
||
|
1F0C8281000
|
heap
|
page read and write
|
||
|
7B652CE000
|
stack
|
page read and write
|
||
|
1FEDD050000
|
heap
|
page read and write
|
||
|
1FEED429000
|
trusted library allocation
|
page read and write
|
||
|
4D4EBBE000
|
stack
|
page read and write
|
||
|
7B645FC000
|
stack
|
page read and write
|
||
|
1F0D0679000
|
trusted library allocation
|
page read and write
|
||
|
1F0C8140000
|
heap
|
page read and write
|
||
|
1FEDB690000
|
heap
|
page read and write
|
||
|
1FEDD360000
|
trusted library allocation
|
page read and write
|
||
|
1F0CE879000
|
trusted library allocation
|
page read and write
|
||
|
4D4F07E000
|
stack
|
page read and write
|
||
|
1FEDD0F0000
|
heap
|
page readonly
|
||
|
4D4EE7E000
|
stack
|
page read and write
|
||
|
1FEDB850000
|
heap
|
page read and write
|
||
|
1FEDD390000
|
trusted library allocation
|
page read and write
|
||
|
1F0C83D0000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD370000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD370000
|
trusted library allocation
|
page read and write
|
||
|
1F0C8460000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC4E0000
|
trusted library allocation
|
page read and write
|
||
|
4D4EEFE000
|
stack
|
page read and write
|
||
|
1FEDB772000
|
heap
|
page read and write
|
||
|
1FEDD3A0000
|
trusted library allocation
|
page read and write
|
||
|
1F0C82C7000
|
heap
|
page read and write
|
||
|
1FEDD390000
|
trusted library allocation
|
page read and write
|
||
|
1F0C9C80000
|
direct allocation
|
page execute and read and write
|
||
|
1FEDB75C000
|
heap
|
page read and write
|
||
|
1FEDB75F000
|
heap
|
page read and write
|
||
|
1FEDD090000
|
heap
|
page read and write
|
||
|
1FEDD220000
|
heap
|
page read and write
|
||
|
7FFAAC43D000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F0C8430000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD421000
|
trusted library allocation
|
page read and write
|
||
|
1FEDD0C0000
|
trusted library allocation
|
page read and write
|
||
|
7FFAAC433000
|
trusted library allocation
|
page execute and read and write
|
||
|
1F0CB679000
|
trusted library allocation
|
page read and write
|
||
|
1FEDB6FD000
|
heap
|
page read and write
|
||
|
7FFAAC5D4000
|
trusted library allocation
|
page read and write
|
||
|
7B64075000
|
stack
|
page read and write
|
||
|
7FFAAC5DD000
|
trusted library allocation
|
page execute and read and write
|
||
|
7B64479000
|
stack
|
page read and write
|
||
|
1FEDB744000
|
heap
|
page read and write
|
||
|
7FFAAC440000
|
trusted library allocation
|
page read and write
|
||
|
1F0C829F000
|
heap
|
page read and write
|
There are 172 hidden memdumps, click here to show them.