IOC Report
b.ps1


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| b.ps1 | ASCII text, with very long lines (65481), with CRLF line terminators | initial sample | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_89a31e8aa723437aced0b47a7472cbf33eaf4d_74bcc9ed_a2f43f27-1dfb-4ddb-871b-efa5075d3b45\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_9fb3e1ea3d8e60c2addb16c79917b7942ae091cf_00000000_f1982100-3f92-4b75-9bbf-6db0827e4280\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER50DB.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER513A.tmp.xml | XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERE050.tmp.dmp | Mini DuMP crash report, 15 streams, Sat Jan 25 09:28:55 2025, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERE38D.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3BD.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_abqxgwn3.1bt.psm1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fwle3uap.em1.ps1 | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) | data | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C92NZKGS4E7Z7IZLBJ3I.temp | data | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |

5 further files are not shown in this export.

Of the files shown, only the initial sample is flagged. The remaining entries are side effects of the run rather than payloads written by the script: the two Report.wer files and WERE050.tmp.dmp are Windows Error Reporting output for a RegSvcs.exe AppCrash and a powershell.exe Critical report, the __PSScriptPolicyTest_*.ps1/.psm1 files are written by PowerShell itself when it probes the AppLocker/WDAC script policy, ModuleAnalysisCache and StartupProfileData-NonInteractive are PowerShell's own caches, the CustomDestinations entries are jump-list updates, and Amcache.hve is the application-compatibility hive that records which executables ran.

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\System32\wermgr.exe | "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6752" "2588" "2508" "2592" "0" "0" "2596" "0" "0" "0" "0" "0" | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1788 | |
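The process list shows the chain the sandbox flagged: powershell.exe started with -ExecutionPolicy unrestricted on the sample, then two RegSvcs.exe processes whose command line is nothing but the image path. RegSvcs.exe is the .NET Services Installation Tool and needs an assembly path to do anything; launched bare it normally prints its usage and exits, so a bare launch from a script host that stays alive long enough to be dumped is worth alerting on by itself. Together with the two "remote allocation" regions with execute permission at 400000 and 402000 in the memdumps table, the picture is consistent with code being written into the signed .NET host. The following Python is an added example and not part of the sandbox output: it runs those two checks plus a match against the report's IP over constructed events. The event dictionaries are fabricated for the example and use Sysmon Event ID 1 and Event ID 3 field names (Image, ParentImage, CommandLine, DestinationIp); map the fields before reusing the checks on other telemetry.

```python
"""Triage of process and network events for the chain shown in this report.

Added example, not part of the sandbox output. The events below are
constructed and use Sysmon Event ID 1 / Event ID 3 field names.
"""
import re
from typing import Dict, List

# Indicator taken from the IPs table of the report.
C2_IPS = {"92.255.57.155"}
# A signed .NET tool that needs an assembly path to do anything; launched with
# an empty argument list it prints usage and exits, so a bare launch that stays
# alive is the shape of an injection/hollowing host.
BARE_HOSTS = {"regsvcs.exe"}
# Parents that make a bare host launch more suspicious than a user double-click.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# One double-quoted run or one run of non-whitespace characters per match.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace while honouring double quotes.
    Sufficient for triage; it does not reproduce every CommandLineToArgvW rule."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ("" for an empty path)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def weak_execution_policy(argv: List[str]) -> bool:
    """True when powershell.exe is told to ignore its script policy.
    powershell.exe accepts any unambiguous prefix of -ExecutionPolicy
    (-ex, -exec, ...) as well as the short form -ep seen in the wild."""
    for i, tok in enumerate(argv[:-1]):
        t = tok.lower()
        is_policy_switch = t == "-ep" or (len(t) >= 3 and "-executionpolicy".startswith(t))
        if is_policy_switch and argv[i + 1].lower() in {"unrestricted", "bypass"}:
            return True
    return False


def triage_process(ev: Dict[str, str]) -> List[str]:
    """Checks for one process-creation event."""
    findings: List[str] = []
    image = basename(ev["Image"])
    parent = basename(ev.get("ParentImage", ""))
    argv = split_cmdline(ev["CommandLine"])
    if image in {"powershell.exe", "pwsh.exe"} and weak_execution_policy(argv):
        findings.append(f"powershell launched with a permissive -ExecutionPolicy: {ev['CommandLine']}")
    # argv[0] is the image itself; anything beyond it is a real argument.
    if image in BARE_HOSTS and len(argv) <= 1:
        severity = "high" if parent in SCRIPT_HOSTS else "medium"
        findings.append(f"{severity}: {image} started with no arguments (parent {parent or 'unknown'})")
    return findings


def triage_network(ev: Dict[str, str]) -> List[str]:
    """Checks for one network-connection event."""
    if ev.get("DestinationIp") in C2_IPS:
        return [f"connection to report IOC {ev['DestinationIp']} from {basename(ev['Image'])}"]
    return []


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Run every event through the check that matches its shape."""
    findings: List[str] = []
    for ev in events:
        findings.extend(triage_network(ev) if "DestinationIp" in ev else triage_process(ev))
    return findings


# Constructed events, not the sandbox's telemetry. The first two reproduce the
# command lines from the Processes table; the others are benign controls.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo '
                    r'-ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    # Legitimate RegSvcs use: an assembly path is passed.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'RegSvcs.exe /fc "C:\Program Files\Vendor\Component.dll"'},
    # Ordinary script run under the machine's default policy.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "DestinationIp": "92.255.57.155", "DestinationPort": "80"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it prints three findings: the permissive execution policy on the sample, the bare RegSvcs.exe launch under powershell.exe, and the connection to 92.255.57.155; the two control events stay quiet. The bare-launch check also fires when an administrator starts the tool by hand, but that process exits at once, so pairing the alert with process lifetime or with a later network connection from the same process, as the third check does, removes most of that noise.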

URLs

| Name | IP | Malicious |
|---|---|---|
| http://nuget.org/NuGet.exe | unknown | |
| http://pesterbdd.com/images/Pester.png | unknown | |
| http://www.apache.org/licenses/LICENSE-2.0.html | unknown | |
| https://go.micro | unknown | |
| https://contoso.com/ | unknown | |
| https://nuget.org/nuget.exe | unknown | |
| https://contoso.com/License | unknown | |
| https://contoso.com/Icon | unknown | |
| 92.255.57.155 | | |
| http://upx.sf.net | unknown | |
| https://aka.ms/pscore68 | unknown | |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | |
| https://github.com/Pester/Pester | unknown | |

3 further URLs are not shown in this export.

No IP was recorded for most of these entries, and they are static strings carried in PowerShell's own modules rather than endpoints the script reached: the nuget.org, pesterbdd.com and github.com/Pester entries come from the PowerShellGet and Pester manifests, the contoso.com entries are the placeholder URIs of the default module manifest template, and the aka.ms and schemas.xmlsoap.org entries are Microsoft links embedded in PowerShell and .NET. http://upx.sf.net is the string the UPX packer writes into the executables it compresses, so its presence among the extracted strings suggests a UPX-packed PE was present in the sample or in process memory. The only address in the table is 92.255.57.155, which the IPs table below flags as malicious.

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 92.255.57.155 | unknown | Russian Federation | malicious |

Registry

Paths and the values written under each. None of the entries shown is flagged malicious.

- \REGISTRY\A\{20745f55-7857-d931-254c-292dc6549df6}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
  Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, IsOsComponent, Usn
- \REGISTRY\A\{25083b36-02fb-38ad-fc41-c90edf232baf}\Root\InventoryApplicationFile\regsvcs.exe|bc5951771b601cae
  Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, IsOsComponent, Usn
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
  Values: ClockTimeSeconds, TickCount
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
  Values: 00188011070BC335
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
  Values: DeviceTicket, DeviceId

35 further registry entries are not shown in this export.

The two \REGISTRY\A\{GUID}\Root\InventoryApplicationFile keys are the Amcache.hve application hive (listed under Files) being loaded as an app hive and updated; their name|hash subkeys record that powershell.exe and regsvcs.exe executed and are useful for timeline reconstruction, but they are written by Windows, not by the sample. The IdentityCRL keys belong to the Microsoft account identity component and are routine background activity.

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 18D00ED7000 | trusted library allocation | page read and write | malicious |
| 402000 | remote allocation | page execute and read and write | malicious |
| 18D00469000 | trusted library allocation | page read and write | malicious |
| 18D00227000 | trusted library allocation | page read and write | malicious |
| 32E1000 | trusted library allocation | page read and write | malicious |
| 11F5000 | heap | page read and write | |
| 5CAA7FE000 | stack | page read and write | |
| 18D6DAF0000 | heap | page read and write | |
| 5CAAA7F000 | stack | page read and write | |
| 364C000 | trusted library allocation | page read and write | |
| 14C3000 | trusted library allocation | page read and write | |
| 18D6FB00000 | heap | page read and write | |
| 63AD000 | stack | page read and write | |
| 18D6FD58000 | heap | page read and write | |
| 18D6DB7F000 | heap | page read and write | |
| 7FFD9B7D0000 | trusted library allocation | page execute and read and write | |
| 124D000 | heap | page read and write | |
| 7FFD9B8A0000 | trusted library allocation | page read and write | |
| 7FFD9B690000 | trusted library allocation | page read and write | |
| 18D6DDF0000 | heap | page read and write | |
| 18D6F9B0000 | heap | page read and write | |
| 18D6DBFB000 | heap | page read and write | |
| 6754000 | trusted library allocation | page read and write | |
| 7DF4F50F0000 | trusted library allocation | page execute and read and write | |
| 18D6FB53000 | heap | page read and write | |
| 58E9000 | stack | page read and write | |
| 18D6FF60000 | trusted library section | page read and write | |
| 7FFD9B69C000 | trusted library allocation | page execute and read and write | |
| 18D02036000 | trusted library allocation | page read and write | |
| 18D01632000 | trusted library allocation | page read and write | |
| 1245000 | heap | page read and write | |
| 616E000 | stack | page read and write | |
| 6600000 | trusted library allocation | page read and write | |
| 7FFD9B8D0000 | trusted library allocation | page read and write | |
| 7FFD9B5E2000 | trusted library allocation | page read and write | |
| 5CAA775000 | stack | page read and write | |
| 18D012E9000 | trusted library allocation | page read and write | |
| 606E000 | stack | page read and write | |
| 7FFD9B700000 | trusted library allocation | page execute and read and write | |
| 7FFD9B870000 | trusted library allocation | page read and write | |
| 18D1006F000 | trusted library allocation | page read and write | |
| 5BEE000 | stack | page read and write | |
| 7FFD9B5E0000 | trusted library allocation | page read and write | |
| 7FFD9B850000 | trusted library allocation | page read and write | |
| 154E000 | stack | page read and write | |
| 18D00453000 | trusted library allocation | page read and write | |
| 5F10000 | trusted library allocation | page read and write | |
| 5C2E000 | stack | page read and write | |
| 6501000 | heap | page read and write | |
| 18D6F4E0000 | trusted library allocation | page read and write | |
| 1570000 | heap | page read and write | |
| 62AC000 | stack | page read and write | |
| 5CAAE79000 | stack | page read and write | |
| 14E7000 | trusted library allocation | page execute and read and write | |
| 18D100D1000 | trusted library allocation | page read and write | |
| 1B7E000 | stack | page read and write | |
| 18D6DDD5000 | heap | page read and write | |
| 18D6DBB1000 | heap | page read and write | |
| 18D00E7F000 | trusted library allocation | page read and write | |
| 5CAADFD000 | stack | page read and write | |
| 14E0000 | trusted library allocation | page read and write | |
| 579E000 | stack | page read and write | |
| 18D6DB86000 | heap | page read and write | |
| 18D6DBF9000 | heap | page read and write | |
| 18D6F8F0000 | trusted library allocation | page read and write | |
| 18D1002A000 | trusted library allocation | page read and write | |
| 7FFD9B5E3000 | trusted library allocation | page execute and read and write | |
| 18D6DDF5000 | heap | page read and write | |
| 18D0044F000 | trusted library allocation | page read and write | |
| 7FFD9B910000 | trusted library allocation | page read and write | |
| 18D6FD5C000 | heap | page read and write | |
| 7FFD9B6A0000 | trusted library allocation | page execute and read and write | |
| 6C10000 | heap | page read and write | |
| 18D6FB1A000 | heap | page read and write | |
| 5EC0000 | trusted library allocation | page read and write | |
| 18D6FD30000 | heap | page read and write | |
| 5CAAFBC000 | stack | page read and write | |
| 18D6D9F0000 | heap | page read and write | |
| 18D012C4000 | trusted library allocation | page read and write | |
| 7FFD9B8C0000 | trusted library allocation | page read and write | |
| 602E000 | stack | page read and write | |
| 18D6FB0E000 | heap | page read and write | |
| 14AD000 | trusted library allocation | page execute and read and write | |
| 18D6F570000 | heap | page read and write | |
| 18D6DC00000 | heap | page read and write | |
| 18D6F8C0000 | trusted library allocation | page read and write | |
| 7FFD9B780000 | trusted library allocation | page read and write | |
| 5CAAD7E000 | stack | page read and write | |
| 14A0000 | trusted library allocation | page read and write | |
| 42E9000 | trusted library allocation | page read and write | |
| 18D6FD4C000 | heap | page read and write | |
| 7FFD9B696000 | trusted library allocation | page read and write | |
| 1190000 | heap | page read and write | |
| 18D6F490000 | trusted library allocation | page read and write | |
| 67CC000 | stack | page read and write | |
| 6760000 | trusted library allocation | page read and write | |
| 194C000 | stack | page read and write | |
| 18D6DBD2000 | heap | page read and write | |
| 6609000 | trusted library allocation | page read and write | |
| 18D6FD20000 | heap | page execute and read and write | |
| 18D6FDAA000 | heap | page read and write | |
| 11B0000 | heap | page read and write | |
| D5B000 | stack | page read and write | |
| 1560000 | trusted library allocation | page read and write | |
| 7FFD9B8B0000 | trusted library allocation | page read and write | |
| 1577000 | heap | page read and write | |
| 7FFD9B791000 | trusted library allocation | page read and write | |
| 1A5C000 | stack | page read and write | |
| 7FFD9B7B0000 | trusted library allocation | page execute and read and write | |
| 6606000 | trusted library allocation | page read and write | |
| 571B000 | stack | page read and write | |
| 1950000 | trusted library allocation | page read and write | |
| 1ECE000 | stack | page read and write | |
| 67D0000 | trusted library allocation | page execute and read and write | |
| 18D6F4D0000 | heap | page readonly | |
| 7FB80000 | trusted library allocation | page execute and read and write | |
| 65F1000 | trusted library allocation | page read and write | |
| 11BD000 | heap | page read and write | |
| 698E000 | stack | page read and write | |
| 7FFD9B6C6000 | trusted library allocation | page execute and read and write | |
| 145E000 | stack | page read and write | |
| 7FFD9B952000 | trusted library allocation | page read and write | |
| 18D0047F000 | trusted library allocation | page read and write | |
| 18D6F540000 | heap | page execute and read and write | |
| 1550000 | trusted library allocation | page execute and read and write | |
| 18D6DBB6000 | heap | page read and write | |
| 5CAB23E000 | stack | page read and write | |
| 5CAACFE000 | stack | page read and write | |
| 1CE0000 | heap | page execute and read and write | |
| 1A70000 | heap | page execute and read and write | |
| 400000 | remote allocation | page execute and read and write | |
| 117E000 | stack | page read and write | |
| 14D6000 | trusted library allocation | page execute and read and write | |
| 5CAB1B5000 | stack | page read and write | |
| 60EE000 | stack | page read and write | |
| 7FFD9B8F0000 | trusted library allocation | page read and write | |
| 7FFD9B7F0000 | trusted library allocation | page read and write | |
| 6511000 | heap | page read and write | |
| 18D0045E000 | trusted library allocation | page read and write | |
| 7FFD9B840000 | trusted library allocation | page read and write | |
| 18D6DBC0000 | heap | page read and write | |
| 60AE000 | stack | page read and write | |
| 1233000 | heap | page read and write | |
| 122B000 | heap | page read and write | |
| 18D01636000 | trusted library allocation | page read and write | |
| 7FFD9B5F0000 | trusted library allocation | page read and write | |
| 575E000 | stack | page read and write | |
| 127E000 | heap | page read and write | |
| 18D6F410000 | heap | page read and write | |
| 18D012C0000 | trusted library allocation | page read and write | |
| 18D6FD27000 | heap | page execute and read and write | |
| 18D6FDBE000 | heap | page read and write | |
| 1252000 | heap | page read and write | |
| 10F7000 | stack | page read and write | |
| 7FFD9B79A000 | trusted library allocation | page read and write | |
| 5CABC8E000 | stack | page read and write | |
| 18D10001000 | trusted library allocation | page read and write | |
| 5CAAEBF000 | stack | page read and write | |
| 18D100DE000 | trusted library allocation | page read and write | |
| 6785000 | trusted library allocation | page read and write | |
| 612E000 | stack | page read and write | |
| 57E0000 | heap | page read and write | |
| 42E1000 | trusted library allocation | page read and write | |
| 7FFD9B810000 | trusted library allocation | page read and write | |
| 7FFD9B5E4000 | trusted library allocation | page read and write | |
| 7FFD9B5ED000 | trusted library allocation | page execute and read and write | |
| 1460000 | heap | page read and write | |
| 5CAAAFE000 | stack | page read and write | |
| 18D00088000 | trusted library allocation | page read and write | |
| 14A4000 | trusted library allocation | page read and write | |
| 113C000 | stack | page read and write | |
| 7FFD9B900000 | trusted library allocation | page read and write | |
| 7FFD9B5FB000 | trusted library allocation | page read and write | |
| 14B0000 | heap | page read and write | |
| 64F0000 | heap | page read and write | |
| 18D6DB10000 | heap | page read and write | |
| 7FFD9B7E0000 | trusted library allocation | page read and write | |
| 11C7000 | heap | page read and write | |
| 64FF000 | heap | page read and write | |
| 14D2000 | trusted library allocation | page read and write | |
| DE6000 | heap | page read and write | |
| DC0000 | heap | page read and write | |
| 18D6FAD0000 | heap | page read and write | |
| 3656000 | trusted library allocation | page read and write | |
| 5CAB0BF000 | stack | page read and write | |
| 7FFD9B92D000 | trusted library allocation | page read and write | |
| 18D6FB55000 | heap | page read and write | |
| 14EB000 | trusted library allocation | page execute and read and write | |
| 18D10010000 | trusted library allocation | page read and write | |
| 64EE000 | stack | page read and write | |
| 1988000 | trusted library allocation | page read and write | |
| 14C0000 | trusted library allocation | page read and write | |
| 18D0156D000 | trusted library allocation | page read and write | |
| 7FFD9B860000 | trusted library allocation | page read and write | |
| 18D6FB96000 | heap | page read and write | |
| 7FFD9B8E0000 | trusted library allocation | page read and write | |
| 18D6F9C9000 | heap | page read and write | |
| 14D0000 | trusted library allocation | page read and write | |
| 1276000 | heap | page read and write | |
| 18D6DAD0000 | heap | page read and write | |
| 7FFD9B800000 | trusted library allocation | page read and write | |
| 11C9000 | heap | page read and write | |
| 626E000 | stack | page read and write | |
| 1500000 | trusted library allocation | page read and write | |
| 5CAB13E000 | stack | page read and write | |
| 1198000 | heap | page read and write | |
| 14B7000 | heap | page read and write | |
| 6508000 | heap | page read and write | |
| 57E3000 | heap | page read and write | |
| 18D6FF80000 | trusted library section | page read and write | |
| 18D6FDAE000 | heap | page read and write | |
| 5CAB037000 | stack | page read and write | |
| 1272000 | heap | page read and write | |
| 18D6DBC2000 | heap | page read and write | |
| 18D00001000 | trusted library allocation | page read and write | |
| 18D6DB93000 | heap | page read and write | |
| DE0000 | heap | page read and write | |
| 7FFD9B920000 | trusted library allocation | page read and write | |
| 57DE000 | stack | page read and write | |
| 63EC000 | stack | page read and write | |
| 7FFD9B890000 | trusted library allocation | page read and write | |
| 5D2E000 | stack | page read and write | |
| 5F20000 | heap | page read and write | |
| 7FFD9B940000 | trusted library allocation | page read and write | |
| 1CBC000 | stack | page read and write | |
| 7FFD9B7C2000 | trusted library allocation | page read and write | |
| 7FFD9B880000 | trusted library allocation | page read and write | |
| 1D10000 | heap | page read and write | |
| 7FFD9B930000 | trusted library allocation | page read and write | |
| 18D6FCF0000 | heap | page execute and read and write | |
| 18D6FB10000 | heap | page read and write | |
| 7FFD9B820000 | trusted library allocation | page read and write | |
| 18D6FC10000 | heap | page read and write | |
| 7FFD9B7A0000 | trusted library allocation | page execute and read and write | |
| 5AEE000 | stack | page read and write | |
| 1C7D000 | stack | page read and write | |
| 67E0000 | heap | page read and write | |
| 7FFD9B830000 | trusted library allocation | page read and write | |
| DD0000 | heap | page read and write | |
| 1231000 | heap | page read and write | |
| 1970000 | heap | page read and write | |
| 5CAAC7B000 | stack | page read and write | |
| 18D10263000 | trusted library allocation | page read and write | |
| 59EE000 | stack | page read and write | |
| 18D6F4C0000 | trusted library allocation | page read and write | |
| 5CAB2BC000 | stack | page read and write | |
| 5F0E000 | stack | page read and write | |
| 18D6DDD0000 | heap | page read and write | |
| 5CAAF37000 | stack | page read and write | |
| 18D013DA000 | trusted library allocation | page read and write | |
| 5CAABFE000 | stack | page read and write | |
| 14A3000 | trusted library allocation | page execute and read and write | |
| 5CAAB7D000 | stack | page read and write | |
| 1490000 | trusted library allocation | page read and write | |
| 14DA000 | trusted library allocation | page execute and read and write | |

245 further memdumps are not shown in this export.

The two "remote allocation" regions sit at 400000 and 402000 with execute permission. 400000 is the default image base of a 32-bit executable, and a remote allocation is one made from outside the process, which fits a PE being written into the RegSvcs.exe host by the PowerShell parent. The other flagged regions are ordinary read/write CLR allocations whose contents, not their protection, earned the flag, so protection alone is not a sufficient triage rule for this list.