Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA, |
5_2_0040A8C3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree, |
5_2_0040C261 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, |
5_2_0040C3B9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, |
5_2_0040C419 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, |
5_2_00409D97 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree, |
5_2_0040C6BD |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CD28C58 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, |
5_2_6CD28C58 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CD0E460 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PR_Lock,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSlot, |
5_2_6CD0E460 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CCF8411 PK11_ExportEncryptedPrivKeyInfo,PORT_NewArena_Util,PORT_ArenaZAlloc_Util,PK11_AlgtagToMechanism,PK11_DoesMechanism,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_FreeSymKey,PORT_ArenaAlloc_Util,SECOID_CopyAlgorithmID_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,SECKEY_DestroyPrivateKey,SECOID_DestroyAlgorithmID_Util,PORT_FreeArena_Util,PORT_SetError_Util, |
5_2_6CCF8411 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CD266EA SEC_PKCS7ContentIsEncrypted, |
5_2_6CD266EA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CCF8693 PK11_FindKeyByAnyCert,PK11_ExportEncryptedPrivKeyInfo,SECKEY_DestroyPrivateKey, |
5_2_6CCF8693 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CD2427F SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaZAlloc_Util,PORT_ArenaRelease_Util,PORT_SetError_Util,PORT_SetError_Util,SEC_PKCS7DestroyContentInfo,PORT_ArenaRelease_Util,PT_FPrintStats, |
5_2_6CD2427F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CD0E262 PK11SDR_Decrypt,PORT_NewArena_Util,memset,SEC_QuickDERDecodeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_GetNextSymKey,PK11_GetNextSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_FreeSlot,SECITEM_ZfreeItem_Util, |
5_2_6CD0E262 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CD23DCD PORT_ArenaMark_Util,PORT_ArenaRelease_Util,PORT_SetError_Util,PORT_ArenaZAlloc_Util,PORT_SetError_Util,PORT_ArenaRelease_Util,PK11_IsInternal,PK11_GetInternalKeySlot,PK11_ReferenceSlot,PK11_FreeSlot,PORT_ArenaZAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,PT_FPrintStats, |
5_2_6CD23DCD |
Source: |
Binary string: vcruntime140.i386.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2645142075.0000000073BD1000.00000020.00000001.01000000.00000007.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.5.dr |
Source: |
Binary string: vcruntime140.i386.pdbGCTL source: AddInProcess32.exe, 00000005.00000002.2645142075.0000000073BD1000.00000020.00000001.01000000.00000007.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.5.dr |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2642667288.000000007024F000.00000002.00000001.01000000.0000000B.sdmp, freebl3.dll.5.dr |
Source: |
Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000005.00000002.2628713134.0000000003613000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: msvcp140.i386.pdbGCTL source: AddInProcess32.exe, 00000005.00000002.2644081524.00000000702D1000.00000020.00000001.01000000.00000006.sdmp, AddInProcess32.exe, 00000005.00000002.2627316202.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.5.dr |
Source: |
Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: powershell.exe, 00000004.00000002.1399989665.000001B2A315C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1415526929.000001B2B2DE3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp |
Source: |
Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: powershell.exe, 00000004.00000002.1399989665.000001B2A315C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1415526929.000001B2B2DE3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Source: |
Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: AddInProcess32.exe, 00000005.00000002.2630145863.0000000004573000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: msvcp140.i386.pdb source: AddInProcess32.exe, 00000005.00000002.2644081524.00000000702D1000.00000020.00000001.01000000.00000006.sdmp, AddInProcess32.exe, 00000005.00000002.2627316202.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.5.dr |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss3.pdb source: AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2641402406.000000006CD50000.00000002.00000001.01000000.00000009.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr |
Source: |
Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000005.00000002.2628713134.0000000003613000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2643512971.00000000702B9000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.5.dr |
Source: |
Binary string: System.Data.Linq.pdb source: powershell.exe, 00000004.00000002.1443666553.000001B2BB240000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1415526929.000001B2B3B23000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2643512971.00000000702B9000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.5.dr |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2642667288.000000007024F000.00000002.00000001.01000000.0000000B.sdmp, freebl3.dll.5.dr |
Source: unknown |
TCP traffic detected without corresponding DNS query: 109.248.151.156 |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: AddInProcess32.exe, 00000005.00000002.2639138695.0000000005397000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0 |
Source: AddInProcess32.exe, 00000005.00000002.2639138695.0000000005397000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0 |
Source: AddInProcess32.exe, 00000005.00000002.2639138695.0000000005397000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0 |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O |
Source: AddInProcess32.exe, 00000005.00000002.2639138695.0000000005397000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07 |
Source: AddInProcess32.exe, 00000005.00000002.2639138695.0000000005397000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0= |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05 |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: AddInProcess32.exe, 00000005.00000002.2639138695.0000000005397000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00 |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L |
Source: AddInProcess32.exe, 00000005.00000002.2639138695.0000000005397000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0? |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A4249000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ia600100.us.archive.org |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A447C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1415526929.000001B2B2B99000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: AddInProcess32.exe, 00000005.00000002.2639138695.0000000005397000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://ocsp.digicert.com0N |
Source: AddInProcess32.exe, 00000005.00000002.2639138695.0000000005397000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.rootca1.amazontrust.com0: |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://ocsp.thawte.com0 |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A2D42000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A3135000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pub-26ee9be236b54d0cb1b570a203543b93.r2.dev |
Source: powershell.exe, 00000002.00000002.1453682043.0000018D5A059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1399989665.000001B2A2B21000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A4290000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A2D42000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: mozglue.dll.5.dr |
String found in binary or memory: http://www.mozilla.com/en-US/blocklist/ |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: http://www.mozilla.com0 |
Source: AddInProcess32.exe, 00000005.00000002.2639138695.0000000005397000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://x1.c.lencr.org/0 |
Source: AddInProcess32.exe, 00000005.00000002.2639138695.0000000005397000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://x1.i.lencr.org/0 |
Source: powershell.exe, 00000002.00000002.1453682043.0000018D59FDD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6 |
Source: powershell.exe, 00000002.00000002.1453682043.0000018D5A044000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1399989665.000001B2A2B21000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000004.00000002.1415526929.000001B2B2B99000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000004.00000002.1415526929.000001B2B2B99000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000004.00000002.1415526929.000001B2B2B99000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A2D42000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: AddInProcess32.exe |
String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A315C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1415526929.000001B2B2DE3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC: |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A3B9C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000004.00000002.1399307336.000001B2A0BB0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ia600100.us |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A3B9C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ia600100.us.arX |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A3B9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1399989665.000001B2A2D42000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ia600100.us.archive.org |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A2D42000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A3B9C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtYSD;$base64Content |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A2D42000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtYSD;dk7base64Content |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A447C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1415526929.000001B2B2B99000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A4290000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.org |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A4290000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://oneget.orgX |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A2F57000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://pub-26ee9be236b54d0cb1b570a203543b93.r2.dev |
Source: powershell.exe, 00000004.00000002.1399989665.000001B2A2F57000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://pub-26ee9be236b54d0cb1b570a203543b93.r2.dev/onye.txt |
Source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, softokn3.dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: 4.2.powershell.exe.1b2b2de3860.4.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Author: unknown |
Source: 4.2.powershell.exe.1b2b2de3860.4.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 4.2.powershell.exe.1b2b2de3860.4.unpack, type: UNPACKEDPE |
Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen |
Source: 5.2.AddInProcess32.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown |
Source: 5.2.AddInProcess32.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 5.2.AddInProcess32.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Author: unknown |
Source: 5.2.AddInProcess32.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 5.2.AddInProcess32.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen |
Source: 5.2.AddInProcess32.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown |
Source: 5.2.AddInProcess32.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 5.2.AddInProcess32.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Author: unknown |
Source: 5.2.AddInProcess32.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 5.2.AddInProcess32.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen |
Source: 4.2.powershell.exe.1b2b2de3860.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown |
Source: 4.2.powershell.exe.1b2b2de3860.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 4.2.powershell.exe.1b2b2de3860.4.raw.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Author: unknown |
Source: 4.2.powershell.exe.1b2b2de3860.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 4.2.powershell.exe.1b2b2de3860.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen |
Source: 00000004.00000002.1399989665.000001B2A315C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown |
Source: 00000004.00000002.1415526929.000001B2B2DE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown |
Source: 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown |
Source: 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: AveMaria_WarZone Author: unknown |
Source: 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7816, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 1352, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: 4.2.powershell.exe.1b2b2de3860.4.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 4.2.powershell.exe.1b2b2de3860.4.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 4.2.powershell.exe.1b2b2de3860.4.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT |
Source: 5.2.AddInProcess32.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23 |
Source: 5.2.AddInProcess32.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 5.2.AddInProcess32.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 5.2.AddInProcess32.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 5.2.AddInProcess32.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT |
Source: 5.2.AddInProcess32.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23 |
Source: 5.2.AddInProcess32.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 5.2.AddInProcess32.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 5.2.AddInProcess32.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 5.2.AddInProcess32.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT |
Source: 4.2.powershell.exe.1b2b2de3860.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23 |
Source: 4.2.powershell.exe.1b2b2de3860.4.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 4.2.powershell.exe.1b2b2de3860.4.raw.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 4.2.powershell.exe.1b2b2de3860.4.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 4.2.powershell.exe.1b2b2de3860.4.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT |
Source: 00000004.00000002.1399989665.000001B2A315C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23 |
Source: 00000004.00000002.1415526929.000001B2B2DE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23 |
Source: 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23 |
Source: 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT |
Source: Process Memory Space: powershell.exe PID: 7816, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: Process Memory Space: powershell.exe PID: 1352, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Binary or memory string: SELECT ALL * FROM %s LIMIT 0; |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID; |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1); |
Source: AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2641402406.000000006CD50000.00000002.00000001.01000000.00000009.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr |
Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); |
Source: AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2641402406.000000006CD50000.00000002.00000001.01000000.00000009.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr |
Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m |
Source: AddInProcess32.exe, 00000005.00000002.2630145863.0000000004573000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2); |
Source: AddInProcess32.exe, 00000005.00000002.2630145863.0000000004573000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence'; |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2641402406.000000006CD50000.00000002.00000001.01000000.00000009.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2630145863.0000000004573000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr |
Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q); |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID; |
Source: AddInProcess32.exe, 00000005.00000002.2630145863.0000000004573000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger'); |
Source: AddInProcess32.exe, 00000005.00000002.2630145863.0000000004573000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0 |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2641402406.000000006CD50000.00000002.00000001.01000000.00000009.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr |
Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB); |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2641402406.000000006CD50000.00000002.00000001.01000000.00000009.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr |
Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB); |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2641402406.000000006CD50000.00000002.00000001.01000000.00000009.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr |
Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx)); |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Binary or memory string: UPDATE %s SET %s WHERE id=$ID; |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Binary or memory string: SELECT ALL id FROM %s WHERE %s; |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Binary or memory string: SELECT ALL id FROM %s; |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s); |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2641402406.000000006CD50000.00000002.00000001.01000000.00000009.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2630145863.0000000004573000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr |
Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s; |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2641402406.000000006CD50000.00000002.00000001.01000000.00000009.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2630145863.0000000004573000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr |
Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s; |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2641402406.000000006CD50000.00000002.00000001.01000000.00000009.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr |
Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB); |
Source: AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2641402406.000000006CD50000.00000002.00000001.01000000.00000009.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr |
Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */); |
Source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2); |
Source: AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2641402406.000000006CD50000.00000002.00000001.01000000.00000009.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr |
Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d: |
Source: nEofbjk.tmp.5.dr, .zyDKbw.tmp.5.dr |
Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); |
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: vbscript.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: amsi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: userenv.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: profapi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wldp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msasn1.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: rsaenh.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptbase.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wshext.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrobj.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mlang.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mpr.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrrun.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: propsys.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: edputil.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: urlmon.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: iertutil.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: netutils.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.staterepositoryps.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wintypes.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: appresolver.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: bcp47langs.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: slc.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sppc.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecorecommonproxystub.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: atl.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mscoree.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: version.dll |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: vcruntime140_clr0400.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msisip.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wshext.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appxsip.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: opcservices.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: secur32.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: atl.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mscoree.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: vcruntime140_clr0400.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: msisip.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: wshext.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: appxsip.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: opcservices.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: secur32.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasapi32.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasman.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rtutils.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dhcpcsvc6.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dhcpcsvc.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: schannel.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: mskeyprotect.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ntasn1.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ncrypt.dll |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Section loaded: ncryptsslp.dll |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: urlmon.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: netapi32.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: iertutil.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: netutils.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: samcli.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: devenum.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: winmm.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: devobj.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: msasn1.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: msdmo.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: avicap32.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: msvfw32.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: wldp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: wbemcomn.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: amsi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: userenv.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: profapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: version.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: vaultcli.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: wintypes.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: vcruntime140.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: dbghelp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: wsock32.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Section loaded: cryptbase.dll |
Source: |
Binary string: vcruntime140.i386.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000005.00000002.2645142075.0000000073BD1000.00000020.00000001.01000000.00000007.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.5.dr |
Source: |
Binary string: vcruntime140.i386.pdbGCTL source: AddInProcess32.exe, 00000005.00000002.2645142075.0000000073BD1000.00000020.00000001.01000000.00000007.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.5.dr |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2642667288.000000007024F000.00000002.00000001.01000000.0000000B.sdmp, freebl3.dll.5.dr |
Source: |
Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000005.00000002.2628713134.0000000003613000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: msvcp140.i386.pdbGCTL source: AddInProcess32.exe, 00000005.00000002.2644081524.00000000702D1000.00000020.00000001.01000000.00000006.sdmp, AddInProcess32.exe, 00000005.00000002.2627316202.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.5.dr |
Source: |
Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: powershell.exe, 00000004.00000002.1399989665.000001B2A315C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1415526929.000001B2B2DE3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp |
Source: |
Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: powershell.exe, 00000004.00000002.1399989665.000001B2A315C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1415526929.000001B2B2DE3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2626601197.0000000000400000.00000040.00000400.00020000.00000000.sdmp |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Source: |
Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: AddInProcess32.exe, 00000005.00000002.2630145863.0000000004573000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: msvcp140.i386.pdb source: AddInProcess32.exe, 00000005.00000002.2644081524.00000000702D1000.00000020.00000001.01000000.00000006.sdmp, AddInProcess32.exe, 00000005.00000002.2627316202.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.5.dr |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss3.pdb source: AddInProcess32.exe, 00000005.00000002.2635422321.0000000004FD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2641402406.000000006CD50000.00000002.00000001.01000000.00000009.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr |
Source: |
Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000005.00000002.2628713134.0000000003613000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2643512971.00000000702B9000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.5.dr |
Source: |
Binary string: System.Data.Linq.pdb source: powershell.exe, 00000004.00000002.1443666553.000001B2BB240000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1415526929.000001B2B3B23000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2629190725.0000000004470000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2643512971.00000000702B9000.00000002.00000001.01000000.00000008.sdmp, mozglue.dll.5.dr |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: AddInProcess32.exe, 00000005.00000002.2643159235.000000007028D000.00000002.00000001.01000000.0000000A.sdmp, AddInProcess32.exe, 00000005.00000002.2631215858.0000000004920000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr |
Source: |
Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: AddInProcess32.exe, 00000005.00000002.2629588584.0000000004502000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2631497769.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2642667288.000000007024F000.00000002.00000001.01000000.0000000B.sdmp, freebl3.dll.5.dr |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC78DF1 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, |
5_2_6CC78DF1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC78D29 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset, |
5_2_6CC78D29 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC9CE08 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset, |
5_2_6CC9CE08 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC9AF89 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64, |
5_2_6CC9AF89 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC78F4E sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset, |
5_2_6CC78F4E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC7EF13 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,sqlite3_bind_int64,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,sqlite3_bind_int64,sqlite3_step,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_bind_int,sqlite3_column_int,sqlite3_bind_int,sqlite3_column_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset, |
5_2_6CC7EF13 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC78954 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code, |
5_2_6CC78954 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC804F3 sqlite3_bind_int64,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset, |
5_2_6CC804F3 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CCC6464 PR_Bind, |
5_2_6CCC6464 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC80588 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset, |
5_2_6CC80588 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC7C7C5 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset, |
5_2_6CC7C7C5 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CCC67ED PR_Listen, |
5_2_6CCC67ED |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC7C0AA sqlite3_bind_int64,sqlite3_step,sqlite3_reset, |
5_2_6CC7C0AA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC821F1 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_free,sqlite3_step,sqlite3_reset, |
5_2_6CC821F1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC7C103 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_free,sqlite3_free,memcpy,memcpy,memcpy,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_reset, |
5_2_6CC7C103 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC822C4 sqlite3_bind_int64,sqlite3_step,sqlite3_reset, |
5_2_6CC822C4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC662EB sqlite3_value_text,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value, |
5_2_6CC662EB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC8231A sqlite3_bind_null,sqlite3_step,sqlite3_reset, |
5_2_6CC8231A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC7BDCA sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset, |
5_2_6CC7BDCA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC9BDE9 sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int,sqlite3_reset,__allrem,__allrem,memset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_free,sqlite3_free, |
5_2_6CC9BDE9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC81D03 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free, |
5_2_6CC81D03 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Code function: 5_2_6CC7BEC2 memset,sqlite3_malloc,memset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_reset, |
5_2_6CC7BEC2 |