Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000F.00000000.1792926798.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2949912235.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: WINLOA~1.PDB source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000F.00000000.1792926798.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2949912235.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000F.00000000.1792926798.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2949912235.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000F.00000000.1792926798.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2949912235.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 0000000F.00000000.1792989372.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2951597581.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000F.00000000.1793027945.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2952676852.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744179091.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2966297830.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744179091.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2983021045.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2273612789.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2270451721.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0= |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744179091.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744179091.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2966297830.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2983021045.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2273612789.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2270451721.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0? |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744351768.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2972627586.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.1887369836.00000202C024A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744179091.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2966297830.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2983021045.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2273612789.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2270451721.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0 |
Source: svchost.exe, 00000025.00000002.2953015111.0000026EF4C2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000000.1899628825.0000026EF4C2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000002.2951243071.0000026EF4C21000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/ |
Source: lsass.exe, 00000007.00000000.1744179091.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2966297830.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: lsass.exe, 00000007.00000000.1744351768.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2972627586.00000202C0200000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 |
Source: lsass.exe, 00000007.00000000.1744095896.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2962697239.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512 |
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd |
Source: x433.exe, 00000000.00000002.1709422465.0000000002991000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000000.1707631721.0000000000FB2000.00000002.00000001.01000000.00000007.sdmp, x4host.exe, 00000002.00000002.2967434276.0000000003181000.00000004.00000800.00020000.00000000.sdmp, x4host.exe.0.dr, x4usb.exe.2.dr |
String found in binary or memory: http://ip-api.com/line/?fields=hosting |
Source: powershell.exe, 00000003.00000002.1776860992.0000021FF3F15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1776860992.0000021FF3D70000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: svchost.exe, 00000025.00000000.1899628825.0000026EF4C2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000000.1899835829.0000026EF4C6A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com/ |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744179091.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2966297830.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744351768.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2972627586.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.1887369836.00000202C024A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0: |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2983021045.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2273612789.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2270451721.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0H |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0I |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.msocsp. |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744351768.00000202C024C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2983021045.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2972627586.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.1887369836.00000202C024A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2273612789.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2270451721.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.msocsp.com0 |
Source: powershell.exe, 00000003.00000002.1743582596.0000021FE3F2D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: svchost.exe, 00000011.00000000.1809587946.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp |
String found in binary or memory: http://schemas.micro |
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy |
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust |
Source: x433.exe, 00000000.00000002.1709422465.0000000002991000.00000004.00000800.00020000.00000000.sdmp, x4host.exe, 00000002.00000002.2967434276.0000000003181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1743582596.0000021FE3D01000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: lsass.exe, 00000007.00000000.1744095896.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2962697239.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy |
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties |
Source: lsass.exe, 00000007.00000002.2961484034.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744064595.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/ |
Source: powershell.exe, 00000003.00000002.1743582596.0000021FE3F2D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: lsass.exe, 00000007.00000000.1744669291.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2983021045.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000002.2984029679.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744519528.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000000.1744669291.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2273612789.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000007.00000003.2270451721.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.digicert.com/CPS0~ |
Source: svchost.exe, 0000001A.00000000.1837012178.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.3027964125.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.msftconnecttest.com |
Source: svchost.exe, 0000001A.00000000.1837012178.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.3027964125.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.msftconnecttest.com/ |
Source: powershell.exe, 00000003.00000002.1743582596.0000021FE3D01000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000003.00000002.1776860992.0000021FF3D70000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000003.00000002.1776860992.0000021FF3D70000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000003.00000002.1776860992.0000021FF3D70000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: svchost.exe, 00000023.00000002.3004729739.0000020D26029000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1889283300.0000020D25FD3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1890717083.0000020D260D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893764769.0000020D26643000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3000838222.0000020D25FD3000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://excel.office.comSRD1% |
Source: powershell.exe, 00000003.00000002.1743582596.0000021FE3F2D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000003.00000002.1743582596.0000021FE4E45000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000003.00000002.1782623387.0000021FFC1A1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://go.microsoft.co |
Source: powershell.exe, 00000003.00000002.1776860992.0000021FF3D70000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: svchost.exe, 00000023.00000000.1891920360.0000020D262D3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893764769.0000020D26643000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://outlook.comSRD1- |
Source: svchost.exe, 00000023.00000002.3021733036.0000020D26583000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893472173.0000020D26583000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://powerpoint.office.com |
Source: svchost.exe, 00000023.00000002.3021733036.0000020D26583000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893472173.0000020D26583000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://powerpoint.office.com3J |
Source: svchost.exe, 00000023.00000000.1891920360.0000020D262D3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3022802035.0000020D265BD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893559438.0000020D265BD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893472173.0000020D26583000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893764769.0000020D26643000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://powerpoint.office.comSRD13 |
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.16.dr |
String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq |
Source: svchost.exe, 00000023.00000000.1892174406.0000020D262F8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3013226921.0000020D262F8000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://word.office.com |
Source: svchost.exe, 00000023.00000000.1891920360.0000020D262D3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3021733036.0000020D26583000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893472173.0000020D26583000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3020897864.0000020D2655D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3011954167.0000020D262D3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893764769.0000020D26643000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1893396897.0000020D2655D000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://word.office.comSRD1# |
Source: C:\Users\user\Desktop\x433.exe |
Code function: 0_2_00007FFD9B890B95 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Code function: 1_2_0042BDF6 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Code function: 1_2_007A00D9 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Code function: 1_2_007A515C |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Code function: 1_2_007651EE |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Code function: 1_2_007A39A3 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Code function: 1_2_00766EAF |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Code function: 1_2_00795980 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Code function: 1_2_00767B71 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Code function: 1_2_0079D580 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Code function: 1_2_0079C7F0 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Code function: 1_2_00767F80 |
Source: C:\Users\user\AppData\Local\Temp\x4Shellcode.exe |
Code function: 1_2_00793780 |
Source: C:\Users\user\AppData\Local\Temp\x4host.exe |
Code function: 2_2_00007FFD9B886BF2 |
Source: C:\Users\user\AppData\Local\Temp\x4host.exe |
Code function: 2_2_00007FFD9B8816D9 |
Source: C:\Users\user\AppData\Local\Temp\x4host.exe |
Code function: 2_2_00007FFD9B885E46 |
Source: C:\Users\user\AppData\Local\Temp\x4host.exe |
Code function: 2_2_00007FFD9B882111 |
Source: C:\Users\user\AppData\Local\Temp\x4host.exe |
Code function: 2_2_00007FFD9B88D88A |
Source: C:\Users\user\AppData\Local\Temp\x4host.exe |
Code function: 2_2_00007FFD9B889A20 |
Source: C:\Users\user\AppData\Local\Temp\x4host.exe |
Code function: 2_2_00007FFD9B88BE28 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 3_2_00007FFD9B87DD68 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 3_2_00007FFD9B87E339 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 3_2_00007FFD9BB13449 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 5_3_000002D8B0A441F8 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 5_3_000002D8B0A3DA30 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 5_3_000002D8B0A31FC8 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 5_2_0000000140001CF0 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 5_2_0000000140002D4C |
Source: C:\Windows\System32\dllhost.exe |
Code function: 5_2_0000000140002434 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 5_2_00000001400031D0 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 5_2_0000000140001274 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 5_2_000002D8B0A74DF8 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 5_2_000002D8B0A6E630 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 5_2_000002D8B0A62BC8 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 6_3_00000225DC6241F8 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 6_3_00000225DC61DA30 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 6_3_00000225DC611FC8 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 6_2_00000225DC654DF8 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 6_2_00000225DC64E630 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 6_2_00000225DC642BC8 |
Source: C:\Windows\System32\lsass.exe |
Code function: 7_3_00000202C0AC41F8 |
Source: C:\Windows\System32\lsass.exe |
Code function: 7_3_00000202C0ABDA30 |
Source: C:\Windows\System32\lsass.exe |
Code function: 7_3_00000202C0AB1FC8 |
Source: C:\Windows\System32\lsass.exe |
Code function: 7_2_00000202C0AF4DF8 |
Source: C:\Windows\System32\lsass.exe |
Code function: 7_2_00000202C0AEE630 |
Source: C:\Windows\System32\lsass.exe |
Code function: 7_2_00000202C0AE2BC8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 8_3_000002A6612D1FC8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 8_3_000002A6612E41F8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 8_3_000002A6612DDA30 |
Source: C:\Windows\System32\svchost.exe |
Code function: 8_2_000002A661302BC8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 8_2_000002A661314DF8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 8_2_000002A66130E630 |
Source: C:\Windows\System32\dwm.exe |
Code function: 9_3_000002BAAE2441F8 |
Source: C:\Windows\System32\dwm.exe |
Code function: 9_3_000002BAAE23DA30 |
Source: C:\Windows\System32\dwm.exe |
Code function: 9_3_000002BAAE231FC8 |
Source: C:\Windows\System32\dwm.exe |
Code function: 9_2_000002BAAE274DF8 |
Source: C:\Windows\System32\dwm.exe |
Code function: 9_2_000002BAAE26E630 |
Source: C:\Windows\System32\dwm.exe |
Code function: 9_2_000002BAAE262BC8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 10_3_0000026A8799DA30 |
Source: C:\Windows\System32\svchost.exe |
Code function: 10_3_0000026A879A41F8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 10_3_0000026A87991FC8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 10_2_0000026A879C2BC8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 10_2_0000026A879CE630 |
Source: C:\Windows\System32\svchost.exe |
Code function: 10_2_0000026A879D4DF8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 11_3_000001795377DA30 |
Source: C:\Windows\System32\svchost.exe |
Code function: 11_3_00000179537841F8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 11_3_0000017953771FC8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 11_2_00000179537AE630 |
Source: C:\Windows\System32\svchost.exe |
Code function: 11_2_00000179537B4DF8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 11_2_00000179537A2BC8 |
Source: Security.evtx.16.dr |
Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys\Ke |
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.16.dr |
Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr |
Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeZX** |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr |
Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exez |
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.16.dr |
Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe |
Source: Security.evtx.16.dr |
Binary string: \Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr |
Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exep |
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.16.dr |
Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
Source: Microsoft-Windows-SMBServer%4Operational.evtx.16.dr |
Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1} |
Source: Microsoft-Windows-SMBServer%4Operational.evtx.16.dr |
Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1} |
Source: System.evtx.16.dr |
Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe |
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.16.dr |
Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys |
Source: System.evtx.16.dr |
Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exed |
Source: Microsoft-Windows-SMBServer%4Operational.evtx.16.dr |
Binary string: \Device\NetbiosSmb |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr |
Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr |
Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exec |
Source: System.evtx.16.dr |
Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4 |
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.16.dr |
Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Source: System.evtx.16.dr |
Binary string: C:\Device\HarddiskVolume3` |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr |
Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeW |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr |
Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe |
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.16.dr |
Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr |
Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeV |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr |
Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeU |
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.16.dr |
Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1} |
Source: Microsoft-Windows-SMBServer%4Operational.evtx.16.dr |
Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1} |
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.16.dr |
Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe |
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.16.dr |
Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}l |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr |
Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.16.dr |
Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeN |