IOC Report
eszstwQPwq.ps1


Files

File Path | Type | Category | Malicious
eszstwQPwq.ps1 | ASCII text, with very long lines (65312), with CRLF, LF line terminators | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_5f3f215c54fd6621b18c8b4e1cd39209bc45a82_bf5a3e5b_3307fc83-cd0e-4f7d-b246-1c97fc22b6b5\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER460.tmp.dmp | Mini DuMP crash report, 14 streams, Mon Dec 23 11:36:17 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D5.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER915.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hj01ibwg.2ce.ps1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kv01mdww.x4a.psm1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mzhgnmei.hn5.psm1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nv2awu23.3uh.ps1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_peipsmjg.lhd.psm1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yopdqtol.ki3.ps1 | ASCII text, with no line terminators | dropped |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0OWQKSSARKYG34DP7HEA.temp | data | dropped |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) | data | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |
\Device\ConDrv | ASCII text, with very long lines (352), with CRLF, LF line terminators | dropped |
(6 additional files are not included in the exported report.)

Note (added context, not part of the sandbox output): apart from the initial sample, the files above are side effects of running PowerShell on Windows rather than payload drops. The __PSScriptPolicyTest_*.ps1/.psm1 files are written by PowerShell itself to probe whether application control (AppLocker/WDAC) enforces script policy, StartupProfileData-NonInteractive is PowerShell's startup cache, the CustomDestinations entries are Explorer jump-list data, Amcache.hve is the OS application inventory, and \Device\ConDrv is the console device. The WER entries (Report.wer, WER460.tmp.dmp and the two WER*.xml files) record a crash of powershell.exe during the run (see WerFault.exe -p 4488 under Processes); the .dmp is a minidump of that process and is worth pulling for memory analysis.

Processes

Path | Cmdline | Malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\eszstwQPwq.ps1" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\eszstwQPwq.ps1 | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 2896 |
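The two flagged launches above spell the same switches differently: the 64-bit process uses -ExecutionPolicy unrestricted, the 32-bit one -ex bypass -nonI. powershell.exe accepts any unambiguous prefix of a switch name down to a short minimum (-ex, -exec and -ExecutionPolicy are one switch; -nonI is -NonInteractive), so a rule keyed on the literal string "-ExecutionPolicy Bypass" misses the second line. The Python below is an added example, not part of the sandbox report: it normalizes the switches before scoring. The minimum abbreviations are taken from powershell.exe's own parameter parser; the user-writable-path and SysWOW64 heuristics, the short reason codes, and the third sample line (a constructed benign control) are this example's own choices. It goes slightly beyond the two report lines by also flagging -EncodedCommand and a hidden window.

```python
import re

# canonical switch -> minimum abbreviations powershell.exe accepts for it
SWITCHES = {
    "executionpolicy": ("ex",),
    "noninteractive": ("noni",),
    "nologo": ("nol",),
    "noprofile": ("nop",),
    "windowstyle": ("w",),
    "encodedcommand": ("e", "ec"),
    "command": ("c",),
    "file": ("f",),
}
ALIASES = {"ep": "executionpolicy"}  # exact spellings that are not prefixes of the full name
TAKES_VALUE = {"executionpolicy", "windowstyle", "encodedcommand", "file"}
# locations an unprivileged user can write to, where staged scripts usually live (heuristic)
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(desktop|downloads|appdata)|users\\public|programdata|temp)\\",
    re.IGNORECASE,
)


def tokenize(cmdline):
    """Whitespace-split, treating a double-quoted span as one token without its quotes."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def canonical_switch(token):
    """'-ex', '/NonI', '-ExecutionPolicy' -> canonical name; None if not a switch or ambiguous."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    key = token[1:].lower()
    if key in ALIASES:
        return ALIASES[key]
    for full, minimums in SWITCHES.items():
        # powershell.exe matches when the text is a prefix of the name and at least the minimum
        if full.startswith(key) and any(key.startswith(m) for m in minimums):
            return full
    return None  # ambiguous prefixes such as '-no' are rejected by powershell.exe too


def analyze(cmdline):
    """Return {'switches', 'script', 'reasons'}; an empty 'reasons' list means nothing suspicious."""
    tokens = tokenize(cmdline)
    result = {"switches": {}, "script": None, "reasons": []}
    if not tokens or not tokens[0].lower().endswith(("powershell.exe", "pwsh.exe")):
        return result  # not a PowerShell launch
    if "\\syswow64\\" in tokens[0].lower():
        result["reasons"].append("syswow64")  # 32-bit PowerShell on a 64-bit OS
    i = 1
    while i < len(tokens):
        name = canonical_switch(tokens[i])
        if name == "command":  # everything after -Command is the command text
            result["switches"][name] = " ".join(tokens[i + 1:])
            break
        if name in TAKES_VALUE and i + 1 < len(tokens):
            result["switches"][name] = tokens[i + 1]
            i += 2
            continue
        if name:
            result["switches"][name] = True
        elif result["script"] is None:
            result["script"] = tokens[i]  # trailing positional argument: the script to run
        i += 1
    sw = result["switches"]
    if sw.get("file"):
        result["script"] = sw["file"]
    policy = str(sw.get("executionpolicy", "")).lower()
    if policy in ("bypass", "unrestricted"):
        result["reasons"].append("execpolicy:" + policy)
    if "encodedcommand" in sw:
        result["reasons"].append("encodedcommand")
    if str(sw.get("windowstyle", "")).lower().startswith("h"):  # Hidden
        result["reasons"].append("hidden-window")
    if "noninteractive" in sw:
        result["reasons"].append("noninteractive")
    if result["script"] and USER_WRITABLE.search(result["script"]):
        result["reasons"].append("user-writable-script")
    return result


# The two flagged launches from the Processes table, plus one constructed benign line.
SAMPLES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\eszstwQPwq.ps1"',
    r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -nonI C:\Users\user\Desktop\eszstwQPwq.ps1',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Date',  # constructed control
]

if __name__ == "__main__":
    for line in SAMPLES:
        r = analyze(line)
        print("SUSPICIOUS" if r["reasons"] else "ok", r["reasons"], r["script"])
```

Run against Security 4688 or Sysmon event 1 command lines, both report lines come back with an execution-policy reason and a user-writable script path, and the SysWOW64 launch additionally with the 32-bit and non-interactive codes, while the benign control returns no reasons. The canonical switch names are what a rule should be written against; matching the raw text is what lets -ex and -nonI slip through.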

URLs

Name | IP | Malicious
http://nuget.org/NuGet.exe | unknown |
http://www.apache.org/licenses/LICENSE-2.0 | unknown |
https://aka.ms/winsvr-2022-pshelp | unknown |
http://pesterbdd.com/images/Pester.png | unknown |
http://schemas.xmlsoap.org/soap/encoding/ | unknown |
http://crl.microsoft | unknown |
http://www.apache.org/licenses/LICENSE-2.0.html | unknown |
http://schemas.xmlsoap.org/wsdl/ | unknown |
https://contoso.com/ | unknown |
https://nuget.org/nuget.exe | unknown |
https://contoso.com/License | unknown |
https://contoso.com/Icon | unknown |
http://upx.sf.net | unknown |
https://aka.ms/pscore6 | unknown |
https://aka.ms/pscore68 | unknown |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown |
https://github.com/Pester/Pester | unknown |
https://oneget.org | unknown |
(8 additional URLs are not included in the exported report.)

Note (added context, not part of the sandbox output): the IP column is "unknown" throughout, i.e. none of these was resolved during the run; they are strings carried in process memory. Most come from PowerShell's own modules and manifests (PackageManagement/NuGet, Pester, SOAP/WSDL schemas, aka.ms help links, contoso.com placeholder values). The one that stands out is http://upx.sf.net, the marker string the UPX packer leaves in executables it packs; finding it inside a PowerShell process suggests a packed PE was unpacked in memory, which is worth correlating with the executable direct-allocation regions under Memdumps.

Domains

Name | IP | Malicious
bg.microsoft.map.fastly.net | 199.232.210.172 |
fp2e7a.wpc.phicdn.net | 192.229.221.95 |

Note (added context, not part of the sandbox output): both are CDN hosts (Fastly and Edgecast) that Windows components contact in the background, and neither is flagged; treat them as sandbox noise unless they can be tied to requests made by the script itself.

Registry

Path (shared by all 20 values listed; none flagged malicious):
\REGISTRY\A\{6c04c149-c6ee-735a-ccee-613e5dd14930}\Root\InventoryApplicationFile\powershell.exe|bdbb2c1d41b249e7
Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, IsOsComponent, Usn
(10 additional registry entries are not included in the exported report.)

Note (added context, not part of the sandbox output): a \REGISTRY\A\{GUID} path is an application hive loaded by the OS, and InventoryApplicationFile is the Amcache inventory (the Amcache.hve file under Files). These values are the OS recording that powershell.exe executed, not a persistence mechanism written by the script, so they are useful as evidence of execution but not as detection indicators.

Memdumps

Base Address | Region type | Protect | Malicious
9387000 | heap | page read and write | malicious
10016000 | direct allocation | page execute read | malicious
5DEF000 | trusted library allocation | page read and write | malicious
5DAA000 | trusted library allocation | page read and write | malicious
6111000 | trusted library allocation | page read and write | malicious
2C29000 | unknown | page read and write |
2C2F000 | unknown | page read and write |
7540000 | trusted library allocation | page read and write |
9369000 | heap | page read and write |
96C0000 | trusted library allocation | page execute and read and write |
92B0000 | heap | page read and write |
7FFE18610000 | trusted library allocation | page read and write |
9630000 | trusted library allocation | page read and write |
5BC1000 | trusted library allocation | page read and write |
19FFF7F000 | stack | page read and write |
1ADDA895000 | heap | page read and write |
7FFE18680000 | trusted library allocation | page read and write |
7FFE18580000 | trusted library allocation | page read and write |
2A90000 | trusted library allocation | page read and write |
7590000 | trusted library allocation | page read and write |
2C0B000 | unknown | page read and write |
94E0000 | trusted library allocation | page read and write |
7FFE18400000 | trusted library allocation | page execute and read and write |
19800FD000 | stack | page read and write |
1ADC0900000 | heap | page read and write |
96B0000 | trusted library allocation | page read and write |
4870000 | heap | page read and write |
6D75000 | heap | page execute and read and write |
7FFE183F0000 | trusted library allocation | page read and write |
2BAC000 | trusted library allocation | page read and write |
5FB1000 | trusted library allocation | page read and write |
92A8000 | heap | page read and write |
706E000 | stack | page read and write |
19802B9000 | stack | page read and write |
2C20000 | unknown | page read and write |
1ADC456B000 | trusted library allocation | page read and write |
2AB9000 | trusted library allocation | page read and write |
90C1000 | trusted library allocation | page read and write |
1ADC26B0000 | trusted library allocation | page read and write |
2FB9000 | heap | page read and write |
73D0000 | trusted library allocation | page execute and read and write |
2AA0000 | trusted library allocation | page read and write |
19FFE7E000 | stack | page read and write |
1ADDABD6000 | heap | page read and write |
94DC000 | trusted library allocation | page read and write |
7FFE18343000 | trusted library allocation | page execute and read and write |
7FFE184FA000 | trusted library allocation | page read and write |
75D0000 | trusted library allocation | page read and write |
1ADC0B95000 | heap | page read and write |
7B6000 | heap | page read and write |
94D6000 | trusted library allocation | page read and write |
1ADC26D0000 | trusted library allocation | page read and write |
7560000 | trusted library allocation | page read and write |
10001000 | direct allocation | page execute and read and write |
1ADC0920000 | heap | page read and write |
2AAD000 | trusted library allocation | page execute and read and write |
72B0000 | heap | page read and write |
761B000 | stack | page read and write |
7FFE18650000 | trusted library allocation | page read and write |
75A0000 | trusted library allocation | page read and write |
7FFE18350000 | trusted library allocation | page read and write |
1ADDABCF000 | heap | page read and write |
2C26000 | unknown | page read and write |
716E000 | stack | page read and write |
9323000 | heap | page read and write |
19FFEFB000 | stack | page read and write |
91F7000 | trusted library allocation | page read and write |
6FBB000 | stack | page read and write |
1ADD293D000 | trusted library allocation | page read and write |
2AB0000 | trusted library allocation | page read and write |
7FFE184E0000 | trusted library allocation | page read and write |
1ADC0A09000 | heap | page read and write |
1ADC2680000 | trusted library allocation | page read and write |
1ADDABA0000 | heap | page execute and read and write |
4DB2000 | trusted library allocation | page read and write |
2B4E000 | stack | page read and write |
8090000 | trusted library allocation | page execute and read and write |
94D0000 | trusted library allocation | page read and write |
7FFE186A0000 | trusted library allocation | page read and write |
5BE9000 | trusted library allocation | page read and write |
6D4E000 | stack | page read and write |
4C1A000 | trusted library allocation | page read and write |
91AE000 | stack | page read and write |
7FD0000 | trusted library allocation | page read and write |
482E000 | stack | page read and write |
80B1000 | trusted library allocation | page read and write |
2C2C000 | unknown | page read and write |
7DF40C1F0000 | trusted library allocation | page execute and read and write |
7FFE18570000 | trusted library allocation | page read and write |
2B90000 | heap | page readonly |
2BFC000 | stack | page read and write |
7FFE185D0000 | trusted library allocation | page read and write |
1ADDA890000 | heap | page read and write |
1ADC0932000 | heap | page read and write |
1ADC280B000 | trusted library allocation | page read and write |
7FFE185B0000 | trusted library allocation | page read and write |
2C1A000 | unknown | page read and write |
7FFE183F6000 | trusted library allocation | page read and write |
1ADC4596000 | trusted library allocation | page read and write |
474E000 | stack | page read and write |
7FFE18590000 | trusted library allocation | page read and write |
1980F8F000 | stack | page read and write |
5BC9000 | trusted library allocation | page read and write |
7FC0000 | heap | page read and write |
1ADC0B90000 | heap | page read and write |
7B0000 | heap | page read and write |
1ADC2781000 | trusted library allocation | page read and write |
1ADC4939000 | trusted library allocation | page read and write |
2ADA000 | trusted library allocation | page execute and read and write |
5D75000 | trusted library allocation | page read and write |
7FFE18426000 | trusted library allocation | page execute and read and write |
92E2000 | heap | page read and write |
1ADC09BE000 | heap | page read and write |
47EE000 | stack | page read and write |
1ADD29BD000 | trusted library allocation | page read and write |
9200000 | trusted library allocation | page read and write |
4BC1000 | trusted library allocation | page read and write |
94A2000 | trusted library allocation | page read and write |
7FFE1835B000 | trusted library allocation | page read and write |
92A4000 | heap | page read and write |
91F0000 | trusted library allocation | page read and write |
7510000 | trusted library allocation | page read and write |
979C000 | trusted library allocation | page read and write |
911E000 | stack | page read and write |
6CCD000 | stack | page read and write |
96E000 | stack | page read and write |
1ADDA90B000 | heap | page read and write |
7FFE186B0000 | trusted library allocation | page read and write |
942B000 | heap | page read and write |
2FC5000 | heap | page read and write |
730E000 | heap | page read and write |
198043F000 | stack | page read and write |
1ADC415A000 | trusted library allocation | page read and write |
1ADD27E9000 | trusted library allocation | page read and write |
46F0000 | trusted library allocation | page read and write |
737A000 | heap | page read and write |
7FFE18600000 | trusted library allocation | page read and write |
1ADDA90D000 | heap | page read and write |
7550000 | trusted library allocation | page read and write |
1ADD2956000 | trusted library allocation | page read and write |
198007E000 | stack | page read and write |
1ADD27AA000 | trusted library allocation | page read and write |
2C17000 | unknown | page read and write |
1ADDA8E1000 | heap | page read and write |
6D0B000 | stack | page read and write |
7FFE183FC000 | trusted library allocation | page execute and read and write |
7570000 | trusted library allocation | page read and write |
1ADDA97A000 | heap | page read and write |
1ADD2B3E000 | trusted library allocation | page read and write |
932A000 | heap | page read and write |
74AE000 | stack | page read and write |
1ADC099C000 | heap | page read and write |
1ADC0890000 | heap | page read and write |
7FFE18690000 | trusted library allocation | page read and write |
9880000 | heap | page read and write |
1ADDA788000 | heap | page read and write |
92E000 | unknown | page read and write |
7FFE185F0000 | trusted library allocation | page read and write |
1ADC33B2000 | trusted library allocation | page read and write |
97F0000 | trusted library allocation | page read and write |
9870000 | trusted library allocation | page execute and read and write |
8000000 | trusted library allocation | page read and write |
9796000 | trusted library allocation | page read and write |
7FFE18640000 | trusted library allocation | page read and write |
97B1000 | trusted library allocation | page read and write |
1ADC26C0000 | heap | page readonly |
2BA0000 | trusted library allocation | page read and write |
7FFE18500000 | trusted library allocation | page execute and read and write |
9B0000 | heap | page read and write |
9810000 | trusted library allocation | page read and write |
2A50000 | heap | page read and write |
90CE000 | trusted library allocation | page read and write |
9820000 | trusted library allocation | page read and write |
6DFE000 | stack | page read and write |
80A0000 | heap | page read and write |
2A80000 | trusted library section | page read and write |
1ADC45F2000 | trusted library allocation | page read and write |
9257000 | trusted library allocation | page read and write |
1ADC26F0000 | heap | page execute and read and write |
7FFE18510000 | trusted library allocation | page execute and read and write |
2AE5000 | trusted library allocation | page execute and read and write |
1ADC09B5000 | heap | page read and write |
10018000 | direct allocation | page read and write |
73E0000 | heap | page execute and read and write |
2C38000 | unknown | page read and write |
1ADC2730000 | trusted library allocation | page read and write |
2AD0000 | trusted library allocation | page read and write |
742E000 | stack | page read and write |
9770000 | trusted library allocation | page read and write |
9230000 | trusted library allocation | page read and write |
7326000 | heap | page read and write |
10017000 | direct allocation | page readonly |
7FA4000 | stack | page read and write |
74ED000 | stack | page read and write |
925D000 | trusted library allocation | page read and write |
2AC0000 | heap | page read and write |
2C32000 | unknown | page read and write |
92B8000 | heap | page read and write |
7FFE18530000 | trusted library allocation | page execute and read and write |
6C3E000 | stack | page read and write |
7FFE18540000 | trusted library allocation | page read and write |
1ADC0928000 | heap | page read and write |
46DE000 | stack | page read and write |
97AD000 | trusted library allocation | page read and write |
5D70000 | trusted library allocation | page read and write |
75C0000 | trusted library allocation | page read and write |
2AA4000 | trusted library allocation | page read and write |
1ADDABC0000 | heap | page read and write |
915D000 | stack | page read and write |
746E000 | stack | page read and write |
6BFE000 | stack | page read and write |
2C3B000 | unknown | page read and write |
92BC000 | heap | page read and write |
7FFE184F0000 | trusted library allocation | page read and write |
7FFE18630000 | trusted library allocation | page read and write |
19FFDFD000 | stack | page read and write |
91EE000 | stack | page read and write |
1980178000 | stack | page read and write |
92A0000 | heap | page read and write |
1ADC3DB2000 | trusted library allocation | page read and write |
1ADC0B65000 | heap | page read and write |
7FFE18660000 | trusted library allocation | page read and write |
19FFD7E000 | stack | page read and write |
7FFE18342000 | trusted library allocation | page read and write |
804D000 | stack | page read and write |
2AA3000 | trusted library allocation | page execute and read and write |
2C23000 | unknown | page read and write |
1ADC09C0000 | heap | page read and write |
9790000 | trusted library allocation | page read and write |
2C14000 | unknown | page read and write |
97D0000 | trusted library allocation | page read and write |
19801BF000 | stack | page read and write |
4D16000 | trusted library allocation | page read and write |
1ADDA9C7000 | heap | page execute and read and write |
9251000 | trusted library allocation | page read and write |
92AC000 | heap | page read and write |
7FFE18344000 | trusted library allocation | page read and write |
3082000 | heap | page read and write |
1ADC08A0000 | heap | page read and write |
2C11000 | unknown | page read and write |
2A70000 | trusted library section | page read and write |
7520000 | trusted library allocation | page read and write |
1ADC29B2000 | trusted library allocation | page read and write |
2AC8000 | heap | page read and write |
7FFE185E0000 | trusted library allocation | page read and write |
2C35000 | unknown | page read and write |
2B00000 | trusted library allocation | page read and write |
1ADC0B60000 | heap | page read and write |
1ADD2790000 | trusted library allocation | page read and write |
2BB0000 | trusted library allocation | page read and write |
1ADD299D000 | trusted library allocation | page read and write |
7D0000 | heap | page read and write |
7FFE1834D000 | trusted library allocation | page execute and read and write |
46E0000 | trusted library allocation | page execute and read and write |
1ADC09D6000 | heap | page read and write |
8EE000 | unknown | page read and write |
10000000 | direct allocation | page read and write |
4859000 | heap | page read and write |
2AE2000 | trusted library allocation | page read and write |
1ADC493D000 | trusted library allocation | page read and write |
6DBF000 | stack | page read and write |
5C21000 | trusted library allocation | page read and write |
2C1D000 | unknown | page read and write |
47A0000 | heap | page execute and read and write |
2C08000 | unknown | page read and write |
91FB000 | trusted library allocation | page read and write |
7530000 | trusted library allocation | page read and write |
70EE000 | stack | page read and write |
1ADC2770000 | heap | page read and write |
1980338000 | stack | page read and write |
19803BE000 | stack | page read and write |
4877000 | heap | page read and write |
6F7E000 | stack | page read and write |
1ADC0955000 | heap | page read and write |
7FFE18560000 | trusted library allocation | page read and write |
9240000 | trusted library allocation | page read and write |
7FFE18620000 | trusted library allocation | page read and write |
75B0000 | trusted library allocation | page read and write |
94B0000 | trusted library allocation | page read and write |
2B8F000 | stack | page read and write |
808E000 | stack | page read and write |
9840000 | trusted library allocation | page execute and read and write |
1001F000 | direct allocation | page read and write |
7FFE184F5000 | trusted library allocation | page read and write |
2F90000 | heap | page read and write |
478E000 | stack | page read and write |
2F98000 | heap | page read and write |
71C2000 | heap | page read and write |
97E0000 | trusted library allocation | page read and write |
1ADC0B50000 | heap | page read and write |
1ADC09B8000 | heap | page read and write |
70C000 | stack | page read and write |
7FB0000 | trusted library allocation | page execute and read and write |
1ADDAAC0000 | heap | page read and write |
7F6A0000 | trusted library allocation | page execute and read and write |
1ADDA9C0000 | heap | page execute and read and write |
1ADDAC2A000 | heap | page read and write |
1ADC4874000 | trusted library allocation | page read and write |
712F000 | stack | page read and write |
71AE000 | stack | page read and write |
2AE0000 | trusted library allocation | page read and write |
4850000 | heap | page read and write |
94C0000 | trusted library allocation | page execute and read and write |
19FFCFE000 | stack | page read and write |
97A7000 | trusted library allocation | page read and write |
5D7D000 | trusted library allocation | page read and write |
7FFE18460000 | trusted library allocation | page execute and read and write |
9800000 | trusted library allocation | page execute and read and write |
74F0000 | trusted library allocation | page read and write |
19805BB000 | stack | page read and write |
6E3D000 | stack | page read and write |
6D70000 | heap | page execute and read and write |
9780000 | trusted library allocation | page execute and read and write |
2BAF000 | trusted library allocation | page read and write |
2C0E000 | unknown | page read and write |
1ADD2781000 | trusted library allocation | page read and write |
7FFE184E9000 | trusted library allocation | page read and write |
7FFE18670000 | trusted library allocation | page read and write |
1ADDA974000 | heap | page read and write |
73C0000 | trusted library allocation | page read and write |
7FFE185A0000 | trusted library allocation | page read and write |
8302000 | trusted library allocation | page read and write |
7FFE18522000 | trusted library allocation | page read and write |
9160000 | heap | page read and write |
1ADDA956000 | heap | page read and write |
9830000 | heap | page read and write |
1ADC08C0000 | heap | page read and write |
19FFFFF000 | stack | page read and write |
5D88000 | trusted library allocation | page read and write |
7F6B8000 | trusted library allocation | page execute and read and write |
747000 | stack | page read and write |
7580000 | trusted library allocation | page read and write |
9375000 | heap | page read and write |
198053E000 | stack | page read and write |
1980236000 | stack | page read and write |
6E40000 | heap | page read and write |
7500000 | trusted library allocation | page read and write |
7FFE18550000 | trusted library allocation | page read and write |
97C0000 | trusted library allocation | page execute and read and write |
9640000 | trusted library allocation | page read and write |
7FFE185C0000 | trusted library allocation | page read and write |
1ADC0A00000 | heap | page read and write |
9AF000 | stack | page read and write |
97A1000 | trusted library allocation | page read and write |
72E9000 | heap | page read and write |
90B2000 | trusted library allocation | page read and write |
198033E000 | stack | page read and write |
70AB000 | stack | page read and write |
92B4000 | heap | page read and write |
19FFC75000 | stack | page read and write |
(340 additional memory regions are not included in the exported report.)

Note (added context, not part of the sandbox output): the five flagged regions are the ones the sandbox tied to malicious content. Beyond them, the regions to look at first are the executable ones outside module images. The direct allocations at 10000000 through 1001F000 (read/write, execute/read/write, execute/read, read-only and read/write sub-regions, one of them flagged) sit at the classic 0x10000000 DLL image base with a section-like mix of protections, which is consistent with a manually mapped PE. Heap regions marked execute and read and write (for example 6D70000, 73E0000, 47A0000, 1ADC26F0000, 1ADDA9C0000, 1ADDABA0000) are where in-memory code tends to be staged. The many executable "trusted library allocation" regions are mostly .NET JIT output and are normal for a PowerShell process.