IOC Report
176.113.115.225.ps1


Files

File Path
Type
Category
Malicious
Download
176.113.115.225.ps1
ASCII text, with very long lines (65481), with CRLF line terminators
initial sample
malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Critical_powershell.exe_9fb3e1ea3d8e60c2addb16c79917b7942ae091cf_00000000_2441301a-a88e-4ffa-b493-33cdec7a9371\Report.wer
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER88DA.tmp.WERInternalMetadata.xml
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER8919.tmp.xml
XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1vujytmm.nh1.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aerg0gmu.mbr.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
data
dropped
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RR9LEU2ZFQS7GO9F935M.temp
data
dropped
C:\Windows\appcompat\Programs\Amcache.hve
MS Windows registry file, NT/2000 or above
dropped

Processes

Path
Cmdline
Malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\176.113.115.225.ps1"
malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "7816" "2580" "2544" "1988" "0" "0" "2592" "0" "0" "0" "0" "0"

URLs

Name
IP
Malicious
suggestyuoz.biz
malicious
toppyneedus.biz
malicious
pleasedcfrown.biz
malicious
grapeprivatter.cyou
malicious
affordtempyo.biz
malicious
lightdeerysua.biz
malicious
impolitewearr.biz
malicious
mixedrecipew.biz
malicious
hoursuhouy.biz
malicious
http://nuget.org/NuGet.exe
unknown
http://www.apache.org/licenses/LICENSE-2.0
unknown
http://pesterbdd.com/images/Pester.png
unknown
http://www.apache.org/licenses/LICENSE-2.0.html
unknown
https://go.micro
unknown
https://contoso.com/License
unknown
https://contoso.com/Icon
unknown
http://upx.sf.net
unknown
https://toppyneedus.biz/it
unknown
http://www.microsoft.co-M1
unknown
https://toppyneedus.biz/N
unknown
https://github.com/Pester/Pester
unknown
https://toppyneedus.biz/api
104.21.29.142
https://toppyneedus.biz/apiz
unknown
https://toppyneedus.biz/pi
unknown
https://contoso.com/
unknown
https://nuget.org/nuget.exe
unknown
https://oneget.orgX
unknown
https://toppyneedus.biz/
unknown
https://aka.ms/pscore68
unknown
https://toppyneedus.biz/apieB
unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
unknown
https://oneget.org
unknown
22 further URLs are not shown in this report.

Domains

Name
IP
Malicious
grapeprivatter.cyou
unknown
malicious
twc.trafficmanager.net
104.40.149.189
toppyneedus.biz
104.21.29.142
s-part-0017.t-0009.fb-t-msedge.net
13.107.253.45
impolitewearr.biz
unknown
time.windows.com
unknown

IPs

IP
Domain
Country
Malicious
104.21.29.142
toppyneedus.biz
United States

Registry

Path
Value
Malicious
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
ProgramId
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
FileId
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
LowerCaseLongPath
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
LongPathHash
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
Name
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
OriginalFileName
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
Publisher
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
Version
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
BinFileVersion
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
BinaryType
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
ProductName
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
ProductVersion
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
LinkDate
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
BinProductVersion
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
AppxPackageFullName
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
AppxPackageRelativeId
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
Size
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
Language
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
IsOsComponent
\REGISTRY\A\{6a031a70-e79c-6750-af1f-2f05a3a46472}\Root\InventoryApplicationFile\powershell.exe|bd2e1475245f53a2
Usn
10 further registry entries are not shown in this report.

Memdumps

Base Address
Regiontype
Protect
Malicious
Download
7FFAAC36D000
trusted library allocation
page execute and read and write
7FFAAC41C000
trusted library allocation
page execute and read and write
219C75E0000
heap
page read and write
219AF222000
trusted library allocation
page read and write
9B22AFE000
stack
page read and write
1203000
heap
page read and write
219BF3AA000
trusted library allocation
page read and write
11F8000
heap
page read and write
219AD58F000
heap
page read and write
DFB000
stack
page read and write
3810000
trusted library allocation
page read and write
9B23235000
stack
page read and write
3B10000
heap
page read and write
7FFB1A752000
unkown
page readonly
7FFAAC51A000
trusted library allocation
page read and write
1259000
heap
page read and write
219AD705000
heap
page read and write
11B0000
heap
page read and write
9B22DFE000
stack
page read and write
219AD6C0000
heap
page read and write
7FFAAC560000
trusted library allocation
page read and write
7FFAAC511000
trusted library allocation
page read and write
219AF220000
trusted library allocation
page read and write
3680000
heap
page read and write
7FFAAC6B0000
trusted library allocation
page read and write
14FE000
stack
page read and write
219AD700000
heap
page read and write
9B22D7E000
stack
page read and write
219AD410000
heap
page read and write
219AD585000
heap
page read and write
7FFAAC680000
trusted library allocation
page read and write
7FFAAC610000
trusted library allocation
page read and write
219C7490000
heap
page read and write
2F00000
heap
page read and write
7FFAAC5A0000
trusted library allocation
page read and write
219AF7C6000
trusted library allocation
page read and write
7DF421290000
trusted library allocation
page execute and read and write
7FFAAC6C0000
trusted library allocation
page read and write
9B22BFD000
stack
page read and write
7FFAAC416000
trusted library allocation
page read and write
219AF370000
heap
page execute and read and write
219C7713000
heap
page read and write
219AF7E1000
trusted library allocation
page read and write
7FFAAC6D2000
trusted library allocation
page read and write
7FFB1A755000
unkown
page readonly
219C7384000
heap
page read and write
1180000
heap
page read and write
219AD640000
trusted library allocation
page read and write
7FFAAC650000
trusted library allocation
page read and write
219C74C0000
heap
page read and write
7FFAAC410000
trusted library allocation
page read and write
219AD589000
heap
page read and write
7421F000
unkown
page readonly
219B11DE000
trusted library allocation
page read and write
219C7514000
heap
page read and write
7FFAAC550000
trusted library allocation
page execute and read and write
219C7747000
heap
page read and write
219AF7D1000
trusted library allocation
page read and write
1156000
heap
page read and write
219B0C0E000
trusted library allocation
page read and write
7FFAAC690000
trusted library allocation
page read and write
7FFAAC620000
trusted library allocation
page read and write
2DFD000
stack
page read and write
219C773A000
heap
page read and write
37DF000
stack
page read and write
219AF7C3000
trusted library allocation
page read and write
400000
remote allocation
page execute and read and write
7FFB1A750000
unkown
page read and write
219AD567000
heap
page read and write
7FFAAC520000
trusted library allocation
page execute and read and write
219AD58B000
heap
page read and write
9B22C7E000
stack
page read and write
1205000
heap
page read and write
219C7738000
heap
page read and write
7FFAAC420000
trusted library allocation
page execute and read and write
1150000
heap
page read and write
219C74D4000
heap
page read and write
219AFB22000
trusted library allocation
page read and write
219AD564000
heap
page read and write
7FFAAC6A0000
trusted library allocation
page read and write
13BE000
stack
page read and write
7FFAAC500000
trusted library allocation
page read and write
219AD57F000
heap
page read and write
219C76C0000
heap
page read and write
7FFAAC630000
trusted library allocation
page read and write
219C7569000
heap
page read and write
9B22B7E000
stack
page read and write
7FFAAC446000
trusted library allocation
page execute and read and write
219AD6F5000
heap
page read and write
1170000
heap
page read and write
219AF260000
heap
page execute and read and write
3813000
trusted library allocation
page read and write
74200000
unkown
page readonly
219AD430000
heap
page read and write
38AC000
trusted library allocation
page read and write
1270000
heap
page read and write
219BF5FA000
trusted library allocation
page read and write
9B227C5000
stack
page read and write
3910000
trusted library allocation
page read and write
366F000
stack
page read and write
219B0E08000
trusted library allocation
page read and write
219AD552000
heap
page read and write
219AF280000
heap
page read and write
7FFAAC5B0000
trusted library allocation
page read and write
219BF5EB000
trusted library allocation
page read and write
219AD4E0000
heap
page read and write
7FFB1A746000
unkown
page readonly
219BF381000
trusted library allocation
page read and write
219AD5A1000
heap
page read and write
219B0E34000
trusted library allocation
page read and write
9B23D0E000
stack
page read and write
7FFAAC542000
trusted library allocation
page read and write
7421D000
unkown
page read and write
74216000
unkown
page readonly
9B22CBF000
stack
page read and write
11E3000
heap
page read and write
9B2333B000
stack
page read and write
7FFAAC364000
trusted library allocation
page read and write
219AF360000
trusted library section
page read and write
219BF3F5000
trusted library allocation
page read and write
7FFAAC360000
trusted library allocation
page read and write
9B22A7E000
stack
page read and write
7FFAAC480000
trusted library allocation
page execute and read and write
7FFAAC530000
trusted library allocation
page execute and read and write
219AD660000
trusted library allocation
page read and write
328D000
stack
page read and write
127C000
heap
page read and write
7FFAAC670000
trusted library allocation
page read and write
219B0F7E000
trusted library allocation
page read and write
74201000
unkown
page execute read
14BE000
stack
page read and write
2DA0000
heap
page read and write
219AF1F0000
trusted library allocation
page read and write
7FFAAC580000
trusted library allocation
page read and write
219C76D5000
heap
page read and write
219B0558000
trusted library allocation
page read and write
219AD5CD000
heap
page read and write
219AD6B0000
heap
page execute and read and write
7FFAAC590000
trusted library allocation
page read and write
219AF381000
trusted library allocation
page read and write
9B22E7D000
stack
page read and write
125E000
heap
page read and write
7FFB1A731000
unkown
page execute read
219B11DA000
trusted library allocation
page read and write
2EFD000
stack
page read and write
11CD000
heap
page read and write
219AD6B7000
heap
page execute and read and write
9B231BE000
stack
page read and write
219BF390000
trusted library allocation
page read and write
7FFAAC660000
trusted library allocation
page read and write
38A8000
trusted library allocation
page read and write
219AD55C000
heap
page read and write
7FFAAC370000
trusted library allocation
page read and write
219AD610000
trusted library allocation
page read and write
15FF000
stack
page read and write
219B0F80000
trusted library allocation
page read and write
10FB000
stack
page read and write
9B232BE000
stack
page read and write
7FFAAC5E0000
trusted library allocation
page read and write
11B8000
heap
page read and write
219AD330000
heap
page read and write
7FFAAC640000
trusted library allocation
page read and write
219C78C0000
trusted library section
page read and write
459000
remote allocation
page execute and read and write
7FFAAC363000
trusted library allocation
page execute and read and write
219AF408000
trusted library allocation
page read and write
7FFAAC5F0000
trusted library allocation
page read and write
219AFB4E000
trusted library allocation
page read and write
126A000
heap
page read and write
219AD587000
heap
page read and write
7FFAAC5C0000
trusted library allocation
page read and write
34FD000
stack
page read and write
7FFB1A730000
unkown
page readonly
219B1114000
trusted library allocation
page read and write
7FFAAC600000
trusted library allocation
page read and write
7FFAAC570000
trusted library allocation
page read and write
36DE000
stack
page read and write
219C74BE000
heap
page read and write
219C75C0000
heap
page read and write
338D000
stack
page read and write
11DC000
heap
page read and write
219C74C8000
heap
page read and write
219AD650000
heap
page readonly
7FFAAC362000
trusted library allocation
page read and write
33FD000
stack
page read and write
219AF7CD000
trusted library allocation
page read and write
219AFB58000
trusted library allocation
page read and write
219AD5C8000
heap
page read and write
356E000
stack
page read and write
7FFAAC5D0000
trusted library allocation
page read and write
219B0E8E000
trusted library allocation
page read and write
219AF5A7000
trusted library allocation
page read and write
219AD470000
heap
page read and write
219AD6F0000
heap
page read and write
7FFAAC37B000
trusted library allocation
page read and write
219AFB46000
trusted library allocation
page read and write
186 further memdumps are not shown in this report.