IOC Report
0vM02qWRT9.ps1


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| 0vM02qWRT9.ps1 | ASCII text, with very long lines (65312), with CRLF, LF line terminators | initial sample | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_1b85c466a5a1fbc8a9b58f6186869cb1dda1ce47_bf5a3e5b_391054a4-f221-468d-a41c-76d43c2108b4\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERC320.tmp.dmp | Mini DuMP crash report, 14 streams, Mon Dec 23 11:36:16 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERC92C.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERC94C.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0w3anndb.3hz.psm1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1mwawgns.ovc.psm1 | ASCII text, with no line terminators | modified | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gwwpj4v.3ed.ps1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dbucu1ec.i5s.psm1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o0ypomzy.gzt.ps1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ropct0cy.um1.ps1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) | data | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JGA7KTWXD5MLG3W7DRVK.temp | data | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\0vM02qWRT9.ps1" | malicious |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\0vM02qWRT9.ps1 | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 2668 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://nuget.org/NuGet.exe | unknown | |
| http://www.apache.org/licenses/LICENSE-2.0 | unknown | |
| https://aka.ms/winsvr-2022-pshelp | unknown | |
| http://pesterbdd.com/images/Pester.png | unknown | |
| http://schemas.xmlsoap.org/soap/encoding/ | unknown | |
| http://www.apache.org/licenses/LICENSE-2.0.html | unknown | |
| http://schemas.xmlsoap.org/wsdl/ | unknown | |
| https://contoso.com/ | unknown | |
| https://nuget.org/nuget.exe | unknown | |
| https://contoso.com/License | unknown | |
| https://contoso.com/Icon | unknown | |
| https://oneget.orgX | unknown | |
| https://aka.ms/pscore6lBlq | unknown | |
| http://upx.sf.net | unknown | |
| https://aka.ms/pscore68 | unknown | |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | |
| https://github.com/Pester/Pester | unknown | |
| https://oneget.org | unknown | |

Domains

| Name | IP | Malicious |
|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.210.172 | |
| fp2e7a.wpc.phicdn.net | 192.229.221.95 | |

Registry

Path (identical for every entry below; none is flagged malicious):
\REGISTRY\A\{1347fd96-d577-6bed-a260-0ec783f448ed}\Root\InventoryApplicationFile\powershell.exe|bdbb2c1d41b249e7

Values written under that key:
ProgramId
FileId
LowerCaseLongPath
LongPathHash
Name
OriginalFileName
Publisher
Version
BinFileVersion
BinaryType
ProductName
ProductVersion
LinkDate
BinProductVersion
AppxPackageFullName
AppxPackageRelativeId
Size
Language
IsOsComponent
Usn

Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|