IOC Report
b.ps1


Files

File path | Type | Category | Malicious
b.ps1 | ASCII text, with very long lines (65481), with CRLF line terminators | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_f858910d31dcedc1abe731c137c978bce53acb7_6eae4c83_44d68ab9-437d-401b-bbd0-44b94324c1b4\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | -
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_9fb3e1ea3d8e60c2addb16c79917b7942ae091cf_00000000_09a4ca8b-33e4-475b-8482-0e9676987086\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | -
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A5A.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | -
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A8A.tmp.xml | XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators | dropped | -
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD60D.tmp.dmp | Mini DuMP crash report, 15 streams, Sun Jan 26 09:37:44 2025, 0x1205a4 type | dropped | -
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD785.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | -
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7A5.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | -
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | dropped | -
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | -
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1kbn4yr3.ujp.psm1 | ASCII text, with no line terminators | dropped | -
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52lmgopr.pyp.ps1 | ASCII text, with no line terminators | dropped | -
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) | data | dropped | -
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TM4M8HA3LFIXLFNVP1W3.temp | data | dropped | -
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | -

5 further files are not included in this export.

Apart from the initial sample, every visible row is an OS side effect of running it rather than a payload written by the sample: Windows Error Reporting queue entries, metadata and a minidump (the AppCrash_RegSvcs.exe and Critical_powershell.exe report folders show that both RegSvcs.exe and powershell.exe were reported by WER during the run), PowerShell's own startup caches and the __PSScriptPolicyTest_* probe files it writes at start-up, a jump-list entry under Recent\CustomDestinations, and the Amcache.hve application-compatibility hive. They are evidence of execution, not indicators of the payload; no dropped executable appears in the visible rows.

Processes

Path | Command line | Malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\b.ps1" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | -
C:\Windows\System32\wermgr.exe | "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3716" "2640" "2540" "2656" "0" "0" "2660" "0" "0" "0" "0" "0" | -
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 880 | -

The chain is powershell.exe, started with -ExecutionPolicy unrestricted on the sample, spawning RegSvcs.exe, a signed 32-bit .NET utility that normally takes the assembly to register as its argument and is here started with none. Taken together with the Memdumps entries of type "remote allocation" mapped execute, read and write at 400000, 402000 and 412000 (400000 being the default image base of a 32-bit executable), this is consistent with the script writing a payload into RegSvcs.exe rather than RegSvcs.exe doing anything of its own; the argument-less RegSvcs.exe launch under a PowerShell parent is the hunting pivot. conhost.exe is the console host of the PowerShell session; wermgr.exe and the 32-bit WerFault.exe are Windows Error Reporting handling the crashes recorded in the Files section.

URLs

Name | IP | Malicious
176.113.115.228 | - | malicious
http://nuget.org/NuGet.exe | unknown | -
http://pesterbdd.com/images/Pester.png | unknown | -
http://www.apache.org/licenses/LICENSE-2.0.html | unknown | -
https://go.micro | unknown | -
https://contoso.com/ | unknown | -
https://nuget.org/nuget.exe | unknown | -
https://contoso.com/License | unknown | -
https://contoso.com/Icon | unknown | -
http://upx.sf.net | unknown | -
https://aka.ms/pscore68 | unknown | -
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | -
https://github.com/Pester/Pester | unknown | -

3 further URLs are not included in this export.

Only 176.113.115.228 is flagged, and it appears as a bare address because no domain was resolved for it (see IPs). The remaining entries have no IP in the report and are not flagged; they are strings found in process memory rather than observed connections: links from PowerShell module manifests shipped with Windows (pesterbdd.com, github.com/Pester/Pester, nuget.org, the contoso.com placeholders, aka.ms/pscore68), an Apache licence URL, a .NET claim-type URI, and http://upx.sf.net, which is the string embedded in the UPX packer stub and so points to a UPX-packed image being present in memory. https://go.micro is truncated in the report.

IPs

IP | Domain | Country | Malicious
176.113.115.228 | unknown | Russian Federation | malicious

Registry

The \REGISTRY\A\{...}\Root\InventoryApplicationFile keys are the Amcache.hve application hive (loaded by the OS under \REGISTRY\A\ and listed among the dropped files above). They are written by the application-compatibility inventory, not by the sample, and record which powershell.exe and regsvcs.exe images ran. The IdentityCRL keys are written by the Microsoft account identity runtime in the background. None of the listed keys is flagged malicious.

Key: \REGISTRY\A\{f859720b-b41c-284d-4c14-62c45701dc9f}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, IsOsComponent, Usn

Key: \REGISTRY\A\{061fe2cf-c707-d74a-9b02-b7b590087a9d}\Root\InventoryApplicationFile\regsvcs.exe|bc5951771b601cae
Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, IsOsComponent, Usn

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
Values: 001840115103DB73

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Values: DeviceTicket, DeviceId, ApplicationFlags

34 further registry entries are not included in this export.

Memdumps

Base address | Region type | Protection | Malicious
1DD8F377000 | trusted library allocation | page read and write | malicious
402000 | remote allocation | page execute and read and write | malicious
2ED1000 | trusted library allocation | page read and write | malicious
1DD90339000 | trusted library allocation | page read and write | malicious
1DD8F5B1000 | trusted library allocation | page read and write | malicious
1310000 | trusted library allocation | page read and write | -
6755000 | trusted library allocation | page read and write | -
623D000 | stack | page read and write | -
1DD8EC87000 | heap | page execute and read and write | -
65D6000 | trusted library allocation | page read and write | -
1DDA73F0000 | heap | page read and write | -
7FF848E12000 | trusted library allocation | page read and write | -
2F03000 | trusted library allocation | page read and write | -
1DD8EB70000 | trusted library allocation | page read and write | -
2ECF000 | stack | page read and write | -
1DD9F3DC000 | trusted library allocation | page read and write | -
1DD8D312000 | heap | page read and write | -
1DD8F619000 | trusted library allocation | page read and write | -
1DD8D4F5000 | heap | page read and write | -
7FF848ED0000 | trusted library allocation | page execute and read and write | -
7FF848ECC000 | trusted library allocation | page execute and read and write | -
1DD8D1C0000 | heap | page read and write | -
1DDA73EC000 | heap | page read and write | -
10E63F9000 | stack | page read and write | -
105C000 | heap | page read and write | -
F50000 | heap | page read and write | -
1DD8EC80000 | heap | page execute and read and write | -
1DD8EC90000 | heap | page read and write | -
5E7E000 | stack | page read and write | -
5DBE000 | stack | page read and write | -
1336000 | trusted library allocation | page execute and read and write | -
1DD8F92F000 | trusted library allocation | page read and write | -
599E000 | stack | page read and write | -
1DD90437000 | trusted library allocation | page read and write | -
7FF849140000 | trusted library allocation | page read and write | -
10E6735000 | stack | page read and write | -
FCC000 | heap | page read and write | -
5AA0000 | trusted library allocation | page read and write | -
10E5D45000 | stack | page read and write | -
7FF848F30000 | trusted library allocation | page execute and read and write | -
1DD8EFE0000 | heap | page read and write | -
5E3E000 | stack | page read and write | -
2F6B000 | trusted library allocation | page read and write | -
1DD8D2F1000 | heap | page read and write | -
538C000 | stack | page read and write | -
1DDA7190000 | heap | page read and write | -
1DD8D4F0000 | heap | page read and write | -
1DDA75F0000 | trusted library section | page read and write | -
7FF848E2B000 | trusted library allocation | page read and write | -
7DF470A30000 | trusted library allocation | page execute and read and write | -
10E663E000 | stack | page read and write | -
10E65B9000 | stack | page read and write | -
1300000 | trusted library allocation | page read and write | -
7FF8490B0000 | trusted library allocation | page read and write | -
1DD90784000 | trusted library allocation | page read and write | -
7FF8490C0000 | trusted library allocation | page read and write | -
1DD9F160000 | trusted library allocation | page read and write | -
4FCE000 | stack | page read and write | -
624E000 | heap | page read and write | -
7FF849060000 | trusted library allocation | page read and write | -
1DD91184000 | trusted library allocation | page read and write | -
1DD90780000 | trusted library allocation | page read and write | -
1313000 | trusted library allocation | page execute and read and write | -
1314000 | trusted library allocation | page read and write | -
F9F000 | heap | page read and write | -
1DD90410000 | trusted library allocation | page read and write | -
1DD8D340000 | heap | page read and write | -
7FF849040000 | trusted library allocation | page read and write | -
10E5DCE000 | stack | page read and write | -
1056000 | heap | page read and write | -
569B000 | stack | page read and write | -
1DD8F939000 | trusted library allocation | page read and write | -
400000 | remote allocation | page execute and read and write | -
10E627F000 | stack | page read and write | -
1024000 | heap | page read and write | -
1DDA73F5000 | heap | page read and write | -
1DD8D33C000 | heap | page read and write | -
1DD9F3EB000 | trusted library allocation | page read and write | -
1DD8D080000 | heap | page read and write | -
1500000 | trusted library allocation | page execute and read and write | -
1DD8D33A000 | heap | page read and write | -
7FF849070000 | trusted library allocation | page read and write | -
637C000 | stack | page read and write | -
100C000 | heap | page read and write | -
7FF848E14000 | trusted library allocation | page read and write | -
7FF8490A0000 | trusted library allocation | page read and write | -
1DDA722D000 | heap | page read and write | -
2D60000 | heap | page read and write | -
1DDA721F000 | heap | page read and write | -
5590000 | heap | page execute and read and write | -
1330000 | trusted library allocation | page read and write | -
7FF848FD0000 | trusted library allocation | page execute and read and write | -
1090000 | heap | page read and write | -
1DD8D300000 | heap | page read and write | -
589F000 | stack | page read and write | -
7FF848E10000 | trusted library allocation | page read and write | -
1510000 | heap | page read and write | -
1323000 | trusted library allocation | page read and write | -
1000000 | heap | page read and write | -
1DD8D230000 | heap | page read and write | -
534C000 | stack | page read and write | -
1060000 | heap | page read and write | -
65D0000 | trusted library allocation | page read and write | -
7FF848E13000 | trusted library allocation | page execute and read and write | -
BEB000 | stack | page read and write | -
1DD8F5A0000 | trusted library allocation | page read and write | -
10E607E000 | stack | page read and write | -
1DDA7150000 | heap | page read and write | -
1DD8D160000 | heap | page read and write | -
6760000 | heap | page read and write | -
7FF848EF6000 | trusted library allocation | page execute and read and write | -
1DDA718B000 | heap | page read and write | -
1DD8EBE0000 | heap | page execute and read and write | -
5550000 | heap | page read and write | -
1DD8EB60000 | heap | page readonly | -
67A0000 | trusted library allocation | page execute and read and write | -
6730000 | trusted library allocation | page read and write | -
1DDA71D6000 | heap | page read and write | -
1DD8EBF0000 | trusted library allocation | page read and write | -
7F000000 | trusted library allocation | page execute and read and write | -
1DDA73DC000 | heap | page read and write | -
1DD9F17A000 | trusted library allocation | page read and write | -
6240000 | heap | page read and write | -
10E66BF000 | stack | page read and write | -
14FC000 | stack | page read and write | -
1347000 | trusted library allocation | page execute and read and write | -
F68000 | heap | page read and write | -
65D9000 | trusted library allocation | page read and write | -
1DD8F110000 | heap | page execute and read and write | -
7FF849000000 | trusted library allocation | page execute and read and write | -
131D000 | trusted library allocation | page execute and read and write | -
5DFE000 | stack | page read and write | -
1DD8D2FC000 | heap | page read and write | -
1DDA72C0000 | heap | page read and write | -
1DD8D180000 | heap | page read and write | -
7FF849160000 | trusted library allocation | page read and write | -
7FF849050000 | trusted library allocation | page read and write | -
145F000 | stack | page read and write | -
1096000 | heap | page read and write | -
1DD9F151000 | trusted library allocation | page read and write | -
1DDA7469000 | heap | page read and write | -
14BE000 | stack | page read and write | -
1DD8F5A6000 | trusted library allocation | page read and write | -
1DD8D250000 | heap | page read and write | -
10E720E000 | stack | page read and write | -
7FF848E20000 | trusted library allocation | page read and write | -
101E000 | heap | page read and write | -
10E60FD000 | stack | page read and write | -
5AEE000 | stack | page read and write | -
2D80000 | trusted library allocation | page read and write | -
2DA0000 | heap | page execute and read and write | -
F96000 | heap | page read and write | -
1340000 | trusted library allocation | page read and write | -
12AD000 | stack | page read and write | -
10E643F000 | stack | page read and write | -
10E64B7000 | stack | page read and write | -
412000 | remote allocation | page execute and read and write | -
F8B000 | heap | page read and write | -
1DD90526000 | trusted library allocation | page read and write | -
105A000 | heap | page read and write | -
7FF849170000 | trusted library allocation | page read and write | -
1DDA7443000 | heap | page read and write | -
10E62FE000 | stack | page read and write | -
5393000 | heap | page read and write | -
65C1000 | trusted library allocation | page read and write | -
5EBE000 | stack | page read and write | -
1DD8D4E0000 | trusted library allocation | page read and write | -
2D90000 | trusted library allocation | page read and write | -
1DDA72E0000 | heap | page read and write | -
EF7000 | stack | page read and write | -
1DD8F5A2000 | trusted library allocation | page read and write | -
3ED9000 | trusted library allocation | page read and write | -
7FF848FB0000 | trusted library allocation | page read and write | -
7FF849110000 | trusted library allocation | page read and write | -
7FF849030000 | trusted library allocation | page read and write | -
7FF848EC0000 | trusted library allocation | page read and write | -
7FF849120000 | trusted library allocation | page read and write | -
7FF849182000 | trusted library allocation | page read and write | -
541E000 | stack | page read and write | -
647E000 | stack | page read and write | -
1DD8D262000 | heap | page read and write | -
7FF848EC6000 | trusted library allocation | page read and write | -
10E683B000 | stack | page read and write | -
102C000 | heap | page read and write | -
613C000 | stack | page read and write | -
1DD8D258000 | heap | page read and write | -
7FF848FE0000 | trusted library allocation | page execute and read and write | -
10E617E000 | stack | page read and write | -
1DDA71D8000 | heap | page read and write | -
1DD8EB50000 | trusted library allocation | page read and write | -
10E67BE000 | stack | page read and write | -
1026000 | heap | page read and write | -
5799000 | stack | page read and write | -
1DDA744E000 | heap | page read and write | -
7FF848FF2000 | trusted library allocation | page read and write | -
10E637D000 | stack | page read and write | -
7FF8490D0000 | trusted library allocation | page read and write | -
1DD9F1C1000 | trusted library allocation | page read and write | -
134B000 | trusted library allocation | page execute and read and write | -
7FF849150000 | trusted library allocation | page read and write | -
F60000 | heap | page read and write | -
1DD8F151000 | trusted library allocation | page read and write | -
1332000 | trusted library allocation | page read and write | -
1DD8EC95000 | heap | page read and write | -
5390000 | heap | page read and write | -
1320000 | trusted library allocation | page read and write | -
12EE000 | stack | page read and write | -
5FBD000 | stack | page read and write | -
1DD8F140000 | heap | page read and write | -
7FF849010000 | trusted library allocation | page read and write | -
10E6538000 | stack | page read and write | -
133A000 | trusted library allocation | page execute and read and write | -
7FF848FCA000 | trusted library allocation | page read and write | -
1DD8F1D7000 | trusted library allocation | page read and write | -
1DDA7610000 | trusted library section | page read and write | -
5D7D000 | stack | page read and write | -
1DDA7188000 | heap | page read and write | -
10E61FB000 | stack | page read and write | -
F98000 | heap | page read and write | -
6770000 | heap | page read and write | -
7FF849100000 | trusted library allocation | page read and write | -
7FF848E1D000 | trusted library allocation | page execute and read and write | -
1004000 | heap | page read and write | -
2CC8000 | trusted library allocation | page read and write | -
1DDA73E7000 | heap | page read and write | -
6724000 | trusted library allocation | page read and write | -
1350000 | heap | page read and write | -
1517000 | heap | page read and write | -
7FF848FC1000 | trusted library allocation | page read and write | -
60FE000 | stack | page read and write | -
53DE000 | stack | page read and write | -
7FF849080000 | trusted library allocation | page read and write | -
7FF849090000 | trusted library allocation | page read and write | -
2DC0000 | heap | page read and write | -
7FF849020000 | trusted library allocation | page read and write | -
5B00000 | heap | page read and write | -
1DD8EBA0000 | trusted library allocation | page read and write | -
11AC000 | stack | page read and write | -
7FF849130000 | trusted library allocation | page read and write | -
3ED1000 | trusted library allocation | page read and write | -
1470000 | trusted library allocation | page read and write | -
7FF8490E0000 | trusted library allocation | page read and write | -
5AF0000 | trusted library allocation | page read and write | -
1DD906BB000 | trusted library allocation | page read and write | -
1357000 | heap | page read and write | -
7FF8490F0000 | trusted library allocation | page read and write | -
5FFC000 | stack | page read and write | -

237 further memdumps are not included in this export.
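Hunting checks derived from the indicators in this report, as an added example (Python written for this page; it is not code from the sandbox vendor or from the sample). It covers the Processes section (the powershell.exe -> RegSvcs.exe chain and the -ExecutionPolicy unrestricted launch), the IPs section (the flagged address) and the Memdumps section (a parser for the flattened table that pulls out "remote allocation" regions mapped executable, which is where an injected image would sit). The Sysmon-style field names, the event records, the explorer.exe parent, the benign cmd.exe case and the attribution of the network connection to RegSvcs.exe are all assumptions; the five memdump records are copied from the table above.

```python
"""Hunting checks built from this IOC report (added example, not sandbox code):
a process rule for powershell.exe -> RegSvcs.exe started without an assembly
argument, a match on the flagged C2 address, and a parser for the report's
flattened Memdumps table that flags executable "remote allocation" regions.
Sysmon-style field names and the EVENTS below are constructed assumptions;
the memdump lines are copied from the report."""
import re
from collections import namedtuple

C2_IPS = {"176.113.115.228"}          # IPs table of the report
INJECTION_TARGETS = {"regsvcs.exe"}   # only target evidenced by this report
POLICY_BYPASS = re.compile(r"-e[xp]\w*\s+(?:unrestricted|bypass)", re.I)

def command_arguments(cmdline: str) -> str:
    """Everything after the first (possibly quoted) token of a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_injection_chain(ev: dict) -> bool:
    """powershell.exe spawns RegSvcs.exe with nothing to register: RegSvcs.exe
    normally takes an assembly path, so an empty argument list is the tell."""
    return (basename(ev.get("ParentImage", "")) == "powershell.exe"
            and basename(ev.get("Image", "")) in INJECTION_TARGETS
            and command_arguments(ev.get("CommandLine", "")) == "")

def is_policy_bypass(ev: dict) -> bool:
    """powershell.exe started with -ExecutionPolicy (or -ex/-ep) unrestricted or bypass."""
    return (basename(ev.get("Image", "")) == "powershell.exe"
            and POLICY_BYPASS.search(ev.get("CommandLine", "")) is not None)

def hunt(events: list) -> list:
    """(event index, rule name) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1 and is_policy_bypass(ev):
            hits.append((i, "powershell-policy-bypass"))
        if ev.get("EventID") == 1 and is_injection_chain(ev):
            hits.append((i, "regsvcs-no-args-from-powershell"))
        if ev.get("EventID") == 3 and ev.get("DestinationIp") in C2_IPS:
            hits.append((i, "c2-connection"))
    return hits

Region = namedtuple("Region", "base region_type protect malicious")

def parse_memdump_table(text: str) -> list:
    """One field per line: base / region type / protection, optionally 'malicious'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    regions, i = [], 0
    while i + 2 < len(lines):
        malicious = lines[i + 3:i + 4] == ["malicious"]
        regions.append(Region(int(lines[i], 16), lines[i + 1], lines[i + 2], malicious))
        i += 4 if malicious else 3
    return regions

def remote_executable_regions(regions: list) -> list:
    """Memory allocated in another process and mapped executable: where an
    injected image lives. 0x400000 is the default 32-bit image base."""
    return [r for r in regions
            if r.region_type == "remote allocation" and "execute" in r.protect]

# Constructed events modelled on the Processes table; the parent of powershell.exe,
# the benign cmd.exe case and the process making the connection are assumptions.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": f'"{PS}" -noLogo -ExecutionPolicy unrestricted -file "C:\\Users\\user\\Desktop\\b.ps1"'},
    {"EventID": 1, "ParentImage": PS, "Image": RS, "CommandLine": f'"{RS}"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": RS,
     "CommandLine": f'"{RS}" C:\\build\\MyService.dll'},   # legitimate: registers an assembly
    {"EventID": 3, "Image": RS, "DestinationIp": "176.113.115.228"},
]

# Five records copied from the report's Memdumps table, flattened one field per line.
MEMDUMP_SAMPLE = """
1DD8F377000
trusted library allocation
page read and write
malicious
402000
remote allocation
page execute and read and write
malicious
400000
remote allocation
page execute and read and write
412000
remote allocation
page execute and read and write
1DD8EC87000
heap
page execute and read and write
"""
```

Against the constructed events, hunt() flags the unrestricted PowerShell launch, the argument-less RegSvcs.exe under a PowerShell parent and the connection to 176.113.115.228, while the cmd.exe case that passes an assembly path is left alone; remote_executable_regions() returns the three regions at 400000, 402000 and 412000 and ignores the executable heap page, which belongs to the process's own allocations. Map real Sysmon Event ID 1 and 3 records onto the same field names to run it on endpoint data, and extend INJECTION_TARGETS only for utilities that, like RegSvcs.exe, always expect a path argument, because the no-argument check is what keeps the rule quiet on legitimate use.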