IOC Report
Ye2vQ3fYBy.ps1


Files

File Path | Type | Category | Malicious
Ye2vQ3fYBy.ps1 | ASCII text, with very long lines (65312), with CRLF, LF line terminators | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_1b85c466a5a1fbc8a9b58f6186869cb1dda1ce47_bf5a3e5b_dc77e7f8-4a41-4312-a986-7fce059f7180\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | modified
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D17.tmp.dmp | Mini DuMP crash report, 14 streams, Mon Dec 23 11:35:15 2024, 0x1205a4 type | dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9754.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D8F.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | modified
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4runs3g1.fbe.psm1 | ASCII text, with no line terminators | dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e0n4uer0.k51.psm1 | ASCII text, with no line terminators | dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oum21t3a.0qh.ps1 | ASCII text, with no line terminators | dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rje2kntb.nik.ps1 | ASCII text, with no line terminators | dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rwppr1nt.13q.psm1 | ASCII text, with no line terminators | dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yt0lmtxq.tud.ps1 | ASCII text, with no line terminators | dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\590aee7bdd69b59b.customDesusertions-ms (copy) | data | dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\U6MJBOKBLC0T5NAE2RAO.temp | data | dropped
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped

Processes

Path | Cmdline | Malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Ye2vQ3fYBy.ps1" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\Ye2vQ3fYBy.ps1 | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 2548

URLs

Name | IP | Malicious
http://nuget.org/NuGet.exe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | unknown
https://aka.ms/winsvr-2022-pshelp | unknown
http://pesterbdd.com/images/Pester.png | unknown
http://schemas.xmlsoap.org/soap/encoding/ | unknown
https://aka.ms/pscore6lB | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | unknown
http://crl.microh | unknown
http://schemas.xmlsoap.org/wsdl/ | unknown
https://contoso.com/ | unknown
https://nuget.org/nuget.exe | unknown
https://contoso.com/License | unknown
https://contoso.com/Icon | unknown
https://oneget.orgX | unknown
http://upx.sf.net | unknown
https://aka.ms/pscore68 | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown
https://github.com/Pester/Pester | unknown
https://oneget.org | unknown

Registry

Path (shared by all entries below):
\REGISTRY\A\{c8971799-670b-8562-a00f-4697b95106b1}\Root\InventoryApplicationFile\powershell.exe|bdbb2c1d41b249e7

Values written under that key (none flagged malicious):
ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, IsOsComponent, Usn

Memdumps
