IOC Report
176.113.115_2.225.ps1


Files

File Path | Type | Category | Malicious
176.113.115_2.225.ps1 | ASCII text, with very long lines (65481), with CRLF line terminators | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_9fb3e1ea3d8e60c2addb16c79917b7942ae091cf_00000000_725e189b-b703-4d79-8afc-27dd7540e57a\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2EB0.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F2E.tmp.xml | XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators | dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_215jboiw.1ok.ps1 | ASCII text, with no line terminators | dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u3zq3uxi.cn2.psm1 | ASCII text, with no line terminators | dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) | data | dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YGAHP0IF9259HJJHGZY4.temp | data | dropped
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped

Processes

Path | Cmdline | Malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115_2.225.ps1" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\wermgr.exe | "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5404" "2568" "2512" "2548" "0" "0" "2556" "0" "0" "0" "0" "0"

URLs

Name | IP | Malicious
176.113.115.225 | | malicious
http://nuget.org/NuGet.exe | unknown
http://pesterbdd.com/images/Pester.png | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | unknown
https://go.micro | unknown
https://contoso.com/ | unknown
https://nuget.org/nuget.exe | unknown
http://crl.microsoftnB | unknown
https://contoso.com/License | unknown
https://contoso.com/Icon | unknown
http://upx.sf.net | unknown
https://aka.ms/pscore68 | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown
https://github.com/Pester/Pester | unknown
4 additional URLs are not shown in this extract.

IPs

IP | Domain | Country | Malicious
176.113.115.225 | unknown | Russian Federation | malicious

Registry

Path: \REGISTRY\A\{b4187008-8d0c-8db3-39ff-be376a1bfd11}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, IsOsComponent, Usn
Malicious: none of the listed values is flagged
10 additional registry entries are not shown in this extract.

Memdumps

Base Address | Regiontype | Protect | Malicious
402000 | remote allocation | page execute and read and write | malicious
32B1000 | trusted library allocation | page read and write | malicious
1E1C8B39000 | trusted library allocation | page read and write | malicious
1E1C80BF000 | trusted library allocation | page read and write | malicious
1E1C7E87000 | trusted library allocation | page read and write | malicious
165E000 | stack | page read and write
1E1DFDFE000 | heap | page read and write
1377000 | stack | page read and write
1E1E0140000 | heap | page read and write
7FF848FD0000 | trusted library allocation | page read and write
5A7E000 | stack | page read and write
14E8000 | heap | page read and write
7FF848F90000 | trusted library allocation | page read and write
1E1C8F23000 | trusted library allocation | page read and write
1E1C80B0000 | trusted library allocation | page read and write
7FF848E36000 | trusted library allocation | page execute and read and write
13F0000 | heap | page read and write
13E0000 | heap | page read and write
7FF848D54000 | trusted library allocation | page read and write
694C000 | stack | page read and write
42B1000 | trusted library allocation | page read and write
657D000 | stack | page read and write
7FF849000000 | trusted library allocation | page read and write
16CA000 | trusted library allocation | page execute and read and write
7FF848F01000 | trusted library allocation | page read and write
7FF849050000 | trusted library allocation | page read and write
580C000 | stack | page read and write
5EFE000 | stack | page read and write
1E1C9296000 | trusted library allocation | page read and write
1E1DFD70000 | heap | page read and write
CD1AB0F000 | stack | page read and write
6A54000 | trusted library allocation | page read and write
62BE000 | stack | page read and write
57CE000 | stack | page read and write
18EE000 | stack | page read and write
1E1C843C000 | trusted library allocation | page read and write
7FF848F20000 | trusted library allocation | page execute and read and write
7FF8490C2000 | trusted library allocation | page read and write
CD19C7D000 | stack | page read and write
6800000 | heap | page read and write
7FF848D5D000 | trusted library allocation | page execute and read and write
1E1C5F40000 | heap | page read and write
CD19875000 | stack | page read and write
16C2000 | trusted library allocation | page read and write
16A0000 | trusted library allocation | page read and write
CD19CF9000 | stack | page read and write
7FF848EF0000 | trusted library allocation | page read and write
7EF70000 | trusted library allocation | page execute and read and write
CD19FBE000 | stack | page read and write
6906000 | trusted library allocation | page read and write
1E1C5DDB000 | heap | page read and write
3280000 | trusted library allocation | page read and write
1690000 | trusted library allocation | page read and write
1E1D7CD2000 | trusted library allocation | page read and write
330D000 | trusted library allocation | page read and write
1E1E00A0000 | heap | page read and write
1E1C7CE8000 | trusted library allocation | page read and write
6A85000 | trusted library allocation | page read and write
1E1C5DD6000 | heap | page read and write
1950000 | trusted library allocation | page execute and read and write
1E1E00BC000 | heap | page read and write
16D7000 | trusted library allocation | page execute and read and write
680E000 | heap | page read and write
7FF848D60000 | trusted library allocation | page read and write
15DC000 | heap | page read and write
CD19B7E000 | stack | page read and write
1E1DFDEA000 | heap | page read and write
1E1C9292000 | trusted library allocation | page read and write
1E1C80BB000 | trusted library allocation | page read and write
150B000 | heap | page read and write
32E7000 | trusted library allocation | page read and write
7FF8490A0000 | trusted library allocation | page read and write
16B3000 | trusted library allocation | page read and write
633C000 | stack | page read and write
1559000 | heap | page read and write
1E1C7BA0000 | trusted library allocation | page read and write
6CB0000 | heap | page read and write
1E1C6050000 | trusted library allocation | page read and write
16A3000 | trusted library allocation | page execute and read and write
1E1DFDFC000 | heap | page read and write
7FF848F70000 | trusted library allocation | page read and write
1E1C7B80000 | trusted library allocation | page read and write
7FF848D52000 | trusted library allocation | page read and write
CD19BFE000 | stack | page read and write
17EE000 | stack | page read and write
16C0000 | trusted library allocation | page read and write
66BE000 | stack | page read and write
7FF848F80000 | trusted library allocation | page read and write
1E1C8446000 | trusted library allocation | page read and write
1E1C9C96000 | trusted library allocation | page read and write
CD19EB9000 | stack | page read and write
6CA0000 | heap | page read and write
6B90000 | trusted library allocation | page execute and read and write
16E0000 | heap | page read and write
1E1C5E01000 | heap | page read and write
544E000 | stack | page read and write
7FF848D50000 | trusted library allocation | page read and write
1E1C5E45000 | heap | page read and write
643D000 | stack | page read and write
7DF4C7080000 | trusted library allocation | page execute and read and write
61FE000 | stack | page read and write
7FF848F40000 | trusted library allocation | page execute and read and write
1E1C7B90000 | heap | page readonly
1967000 | heap | page read and write
400000 | remote allocation | page execute and read and write
1E1C5D58000 | heap | page read and write
1E1C5E49000 | heap | page read and write
5CFF000 | stack | page read and write
1E1C8952000 | trusted library allocation | page read and write
7FF848FC0000 | trusted library allocation | page read and write
1E1C5D50000 | heap | page read and write
5A3E000 | stack | page read and write
1E1E0124000 | heap | page read and write
1E1C7C20000 | trusted library allocation | page read and write
1E1C7BD0000 | trusted library allocation | page read and write
65BC000 | stack | page read and write
52B8000 | trusted library allocation | page read and write
42B9000 | trusted library allocation | page read and write
194E000 | stack | page read and write
1E1C7C61000 | trusted library allocation | page read and write
60FE000 | stack | page read and write
1E1DFF27000 | heap | page execute and read and write
15B0000 | heap | page read and write
647C000 | stack | page read and write
7FF848F0A000 | trusted library allocation | page read and write
7FF8490B0000 | trusted library allocation | page read and write
1E1D7C70000 | trusted library allocation | page read and write
127B000 | stack | page read and write
1E1DFF20000 | heap | page execute and read and write
7FF848E0C000 | trusted library allocation | page execute and read and write
7FF848FA0000 | trusted library allocation | page read and write
1594000 | heap | page read and write
67FE000 | stack | page read and write
1E1DFEF0000 | heap | page execute and read and write
1E1C91CC000 | trusted library allocation | page read and write
5ABE000 | stack | page read and write
1E1D7CDE000 | trusted library allocation | page read and write
1E1C5DFB000 | heap | page read and write
58F0000 | heap | page read and write
7FF849080000 | trusted library allocation | page read and write
7FF848F50000 | trusted library allocation | page read and write
CD1A13B000 | stack | page read and write
5BF9000 | stack | page read and write
1E1C5E43000 | heap | page read and write
324C000 | stack | page read and write
1900000 | trusted library allocation | page read and write
6030000 | heap | page read and write
627E000 | stack | page read and write
1E1C5DE2000 | heap | page read and write
16DB000 | trusted library allocation | page execute and read and write
62FF000 | stack | page read and write
CD19D3F000 | stack | page read and write
59FD000 | stack | page read and write
1E1E010D000 | heap | page read and write
1E1DFE69000 | heap | page read and write
7FF849090000 | trusted library allocation | page read and write
5DFE000 | stack | page read and write
1E1DFE5A000 | heap | page read and write
16E7000 | heap | page read and write
1599000 | heap | page read and write
161E000 | stack | page read and write
14E0000 | heap | page read and write
16A4000 | trusted library allocation | page read and write
7FF848FB0000 | trusted library allocation | page read and write
6AA1000 | trusted library allocation | page read and write
6020000 | trusted library allocation | page read and write
7FF848E70000 | trusted library allocation | page execute and read and write
1E1E02F0000 | trusted library section | page read and write
1E1C6070000 | heap | page read and write
7FF848D6B000 | trusted library allocation | page read and write
CD198FE000 | stack | page read and write
58F3000 | heap | page read and write
5AE0000 | heap | page read and write
1E1E02D0000 | trusted library section | page read and write
623D000 | stack | page read and write
7FF848E00000 | trusted library allocation | page read and write
7FF849020000 | trusted library allocation | page read and write
1E1DFDAE000 | heap | page read and write
6900000 | trusted library allocation | page read and write
6909000 | trusted library allocation | page read and write
7FF849070000 | trusted library allocation | page read and write
1518000 | heap | page read and write
7FF848F10000 | trusted library allocation | page execute and read and write
1E1C5FA0000 | heap | page read and write
7FF848F32000 | trusted library allocation | page read and write
1E1C903A000 | trusted library allocation | page read and write
3250000 | heap | page execute and read and write
1E1D7C61000 | trusted library allocation | page read and write
16AD000 | trusted library allocation | page execute and read and write
7FF848D53000 | trusted library allocation | page execute and read and write
1E1C8411000 | trusted library allocation | page read and write
7FF848E06000 | trusted library allocation | page read and write
7FF849060000 | trusted library allocation | page read and write
1E1D7D44000 | trusted library allocation | page read and write
CD1A035000 | stack | page read and write
15BA000 | heap | page read and write
7FF849010000 | trusted library allocation | page read and write
3260000 | heap | page read and write
6A90000 | trusted library allocation | page read and write
3290000 | trusted library allocation | page read and write
1E1DFC65000 | heap | page read and write
7FF849040000 | trusted library allocation | page read and write
16C6000 | trusted library allocation | page execute and read and write
CD19A7E000 | stack | page read and write
1E1C8F49000 | trusted library allocation | page read and write
1E1C7C10000 | heap | page execute and read and write
CD1997E000 | stack | page read and write
1E1C5D62000 | heap | page read and write
1E1E00CB000 | heap | page read and write
CD199FD000 | stack | page read and write
7FF848FF0000 | trusted library allocation | page read and write
6809000 | heap | page read and write
66FE000 | stack | page read and write
1578000 | heap | page read and write
1E1DFFC0000 | heap | page read and write
16B0000 | trusted library allocation | page read and write
1E1C5FE0000 | heap | page read and write
CD1A0BE000 | stack | page read and write
1E1DFDF7000 | heap | page read and write
6A4E000 | stack | page read and write
1E1D7C8A000 | trusted library allocation | page read and write
1557000 | heap | page read and write
CD19E3B000 | stack | page read and write
7FF848F60000 | trusted library allocation | page read and write
CD19F3E000 | stack | page read and write
5AF0000 | heap | page execute and read and write
7FF848E10000 | trusted library allocation | page execute and read and write
1E1C5F60000 | heap | page read and write
1E1C5E09000 | heap | page read and write
32A0000 | heap | page read and write
13F6000 | heap | page read and write
1E1C7C50000 | heap | page read and write
1E1C5E60000 | heap | page read and write
1E1C6075000 | heap | page read and write
14D0000 | heap | page read and write
7FF848FE0000 | trusted library allocation | page read and write
1E1D7ED8000 | trusted library allocation | page read and write
7FF849030000 | trusted library allocation | page read and write
159B000 | heap | page read and write
1960000 | heap | page read and write
1E1C6095000 | heap | page read and write
1E1C6090000 | heap | page read and write
16D0000 | trusted library allocation | page read and write
1552000 | heap | page read and write
1516000 | heap | page read and write
1E1C5E1B000 | heap | page read and write
CD19DB7000 | stack | page read and write
CD19AFB000 | stack | page read and write
320E000 | stack | page read and write
239 additional memdumps are not shown in this extract.