Source: |
Binary string: System.Configuration.Install.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Data.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: d.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: mscorlib.pdbSystem.DirectoryServices.dll source: WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Windows.Forms.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.PowerShell.Security.pdb` source: WER8C9.tmp.dmp.27.dr |
Source: |
Binary string: System.ServiceProcess.pdbp}Y source: WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Drawing.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Core.pdb`- source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.DirectoryServices.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.Powershell.PSReadline.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.Drawing.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.pdbP< source: WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: mscorlib.pdbh source: WER8C9.tmp.dmp.27.dr |
Source: |
Binary string: System.Xml.ni.pdbRSDS# source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Core.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Numerics.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.DirectoryServices.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.ServiceProcess.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Numerics.pdbP source: WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.Management.ni.pdbRSDSJ< source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: mscorlib.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.ServiceProcess.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Configuration.Install.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Xml.pdbP4 source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.Configuration.ni.pdbRSDScUN source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Configuration.Install.pdbMicrosoft.PowerShell.Commands.Utility.dllH source: WER8C9.tmp.dmp.27.dr |
Source: |
Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: Microsoft.PowerShell.Commands.Utility.pdb@y' source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.PowerShell.Security.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Xml.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.DirectoryServices.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.CSharp.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Management.pdb`*?@_*? source: WER8C9.tmp.dmp.27.dr |
Source: |
Binary string: System.Configuration.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Configuration.Install.pdbH source: WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.Data.ni.pdbRSDSC source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Data.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Configuration.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Xml.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbcache source: svchost.exe, 00000030.00000000.2811892265.000002259585D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3403906582.000002259585D000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.Management.Automation.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Numerics.ni.pdbRSDSautg source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Data.pdbH source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Management.Automation.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Windows.Forms.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: 7\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.Management.Automation.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: mscorlib.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.pdbpl source: WER8C9.tmp.dmp.27.dr |
Source: |
Binary string: System.Management.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Drawing.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.Management.Infrastructure.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Management.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.Powershell.PSReadline.pdbH source: WER8C9.tmp.dmp.27.dr |
Source: |
Binary string: System.Core.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.DirectoryServices.pdbx*? source: WER8C9.tmp.dmp.27.dr |
Source: |
Binary string: System.Transactions.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Transactions.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000000.2811717839.000002259582B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000030.00000000.2811800023.0000022595840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3402915190.0000022595840000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.Numerics.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Transactions.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.3402005843.000002259582B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.ni.pdb source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: |
Binary string: System.Core.ni.pdbRSDS source: WER8C9.tmp.dmp.27.dr, WER6AC3.tmp.dmp.11.dr |
Source: C:\Windows\System32\cmd.exe |
Code function: 17_2_00000253FC40D894 FindFirstFileExW, |
17_2_00000253FC40D894 |
Source: C:\Windows\System32\cmd.exe |
Code function: 17_2_00000253FC40DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
17_2_00000253FC40DA18 |
Source: C:\Windows\System32\cmd.exe |
Code function: 17_2_00000253FC43D894 FindFirstFileExW, |
17_2_00000253FC43D894 |
Source: C:\Windows\System32\cmd.exe |
Code function: 17_2_00000253FC43DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
17_2_00000253FC43DA18 |
Source: C:\Windows\System32\conhost.exe |
Code function: 18_2_000002A5AF36D894 FindFirstFileExW, |
18_2_000002A5AF36D894 |
Source: C:\Windows\System32\conhost.exe |
Code function: 18_2_000002A5AF36DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
18_2_000002A5AF36DA18 |
Source: C:\Windows\System32\conhost.exe |
Code function: 37_2_000001780DD2DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
37_2_000001780DD2DA18 |
Source: C:\Windows\System32\conhost.exe |
Code function: 37_2_000001780DD2D894 FindFirstFileExW, |
37_2_000001780DD2D894 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000020175EBDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
38_2_0000020175EBDA18 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000020175EBD894 FindFirstFileExW, |
38_2_0000020175EBD894 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000020175EEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
38_2_0000020175EEDA18 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000020175EED894 FindFirstFileExW, |
38_2_0000020175EED894 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_2_000002D0165ED894 FindFirstFileExW, |
39_2_000002D0165ED894 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_2_000002D0165EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
39_2_000002D0165EDA18 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_2_000002D01661D894 FindFirstFileExW, |
39_2_000002D01661D894 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_2_000002D01661DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
39_2_000002D01661DA18 |
Source: Microsoft-Windows-LiveId%4Operational.evtx.49.dr |
String found in binary or memory: http://Passport.NET/tb |
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0 |
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B |
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3421815626.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770090274.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B |
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0 |
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0 |
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07 |
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0= |
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3421815626.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770090274.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0? |
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00 |
Source: lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~ |
Source: lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: lsass.exe, 00000028.00000000.2769648555.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C00000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 |
Source: lsass.exe, 00000028.00000000.2769294113.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3406704355.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512 |
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd |
Source: powershell.exe, 00000008.00000002.2649694624.000001D4A93CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3001705922.000001B4B4C31000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3421815626.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770090274.000002D6F0CF2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3424186913.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0H |
Source: lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0I |
Source: powershell.exe, 00000024.00000002.2775061134.000001B4A4C4C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy |
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust |
Source: powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2775061134.000001B4A4A21000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: lsass.exe, 00000028.00000000.2769294113.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3406704355.000002D6F064E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy |
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties |
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/ |
Source: lsass.exe, 00000028.00000002.3405683588.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769244391.000002D6F062F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P |
Source: Amcache.hve.11.dr |
String found in binary or memory: http://upx.sf.net |
Source: powershell.exe, 00000024.00000002.2775061134.000001B4A4C4C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: lsass.exe, 00000028.00000000.2770662119.000002D6F0E13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770382971.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769648555.000002D6F0C44000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3426941259.000002D6F0DBD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3413839757.000002D6F0C43000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2769397436.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2770242861.000002D6F0D9A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3408803122.000002D6F0688000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: powershell.exe, 00000019.00000002.3432949177.0000021404730000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft.co.1mmi |
Source: powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp, Null.25.dr, Null.8.dr |
String found in binary or memory: https://aka.ms/pscore6 |
Source: powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2775061134.000001B4A4A21000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000008.00000002.2406288380.000001D499341000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3449074236.0000021404D91000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6xG |
Source: powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000024.00000002.2775061134.000001B4A4C4C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000024.00000002.2775061134.000001B4A5B64000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000008.00000002.2649694624.000001D4A93CC000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.3001705922.000001B4B4A8B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343EE0C8 NtUnmapViewOfSection, |
36_2_00007FFD343EE0C8 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343EE122 NtSetContextThread, |
36_2_00007FFD343EE122 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343EE142 NtResumeThread, |
36_2_00007FFD343EE142 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343EE0FA NtWriteVirtualMemory, |
36_2_00007FFD343EE0FA |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343EE0A8 NtUnmapViewOfSection, |
36_2_00007FFD343EE0A8 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343F0C7D NtWriteVirtualMemory, |
36_2_00007FFD343F0C7D |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343EE098 NtUnmapViewOfSection, |
36_2_00007FFD343EE098 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343EE132 NtSetContextThread, |
36_2_00007FFD343EE132 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343F0A5E NtUnmapViewOfSection, |
36_2_00007FFD343F0A5E |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343F0F40 NtSetContextThread, |
36_2_00007FFD343F0F40 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343F1004 NtResumeThread, |
36_2_00007FFD343F1004 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, |
38_2_0000000140001868 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_2_000002D0165E2C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue, |
39_2_000002D0165E2C80 |
Source: C:\Windows\System32\cmd.exe |
Code function: 17_3_00000253FC3DCC94 |
17_3_00000253FC3DCC94 |
Source: C:\Windows\System32\cmd.exe |
Code function: 17_3_00000253FC3DCE18 |
17_3_00000253FC3DCE18 |
Source: C:\Windows\System32\cmd.exe |
Code function: 17_3_00000253FC3D23F0 |
17_3_00000253FC3D23F0 |
Source: C:\Windows\System32\cmd.exe |
Code function: 17_2_00000253FC40D894 |
17_2_00000253FC40D894 |
Source: C:\Windows\System32\cmd.exe |
Code function: 17_2_00000253FC40DA18 |
17_2_00000253FC40DA18 |
Source: C:\Windows\System32\cmd.exe |
Code function: 17_2_00000253FC402FF0 |
17_2_00000253FC402FF0 |
Source: C:\Windows\System32\cmd.exe |
Code function: 17_2_00000253FC43D894 |
17_2_00000253FC43D894 |
Source: C:\Windows\System32\cmd.exe |
Code function: 17_2_00000253FC43DA18 |
17_2_00000253FC43DA18 |
Source: C:\Windows\System32\cmd.exe |
Code function: 17_2_00000253FC432FF0 |
17_2_00000253FC432FF0 |
Source: C:\Windows\System32\conhost.exe |
Code function: 18_3_000002A5AF33CC94 |
18_3_000002A5AF33CC94 |
Source: C:\Windows\System32\conhost.exe |
Code function: 18_3_000002A5AF3323F0 |
18_3_000002A5AF3323F0 |
Source: C:\Windows\System32\conhost.exe |
Code function: 18_3_000002A5AF33CE18 |
18_3_000002A5AF33CE18 |
Source: C:\Windows\System32\conhost.exe |
Code function: 18_2_000002A5AF36D894 |
18_2_000002A5AF36D894 |
Source: C:\Windows\System32\conhost.exe |
Code function: 18_2_000002A5AF362FF0 |
18_2_000002A5AF362FF0 |
Source: C:\Windows\System32\conhost.exe |
Code function: 18_2_000002A5AF36DA18 |
18_2_000002A5AF36DA18 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343EDD78 |
36_2_00007FFD343EDD78 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343E6CE5 |
36_2_00007FFD343E6CE5 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343E9DA8 |
36_2_00007FFD343E9DA8 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343E25DD |
36_2_00007FFD343E25DD |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343EE349 |
36_2_00007FFD343EE349 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343E3AFB |
36_2_00007FFD343E3AFB |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343E2EF2 |
36_2_00007FFD343E2EF2 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343E36F1 |
36_2_00007FFD343E36F1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD343E2775 |
36_2_00007FFD343E2775 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD34666B0D |
36_2_00007FFD34666B0D |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD34666F01 |
36_2_00007FFD34666F01 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD34664FD1 |
36_2_00007FFD34664FD1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD34665442 |
36_2_00007FFD34665442 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 36_2_00007FFD34660000 |
36_2_00007FFD34660000 |
Source: C:\Windows\System32\conhost.exe |
Code function: 37_3_000001780D3E23F0 |
37_3_000001780D3E23F0 |
Source: C:\Windows\System32\conhost.exe |
Code function: 37_3_000001780D3ECE18 |
37_3_000001780D3ECE18 |
Source: C:\Windows\System32\conhost.exe |
Code function: 37_3_000001780D3ECC94 |
37_3_000001780D3ECC94 |
Source: C:\Windows\System32\conhost.exe |
Code function: 37_2_000001780DD22FF0 |
37_2_000001780DD22FF0 |
Source: C:\Windows\System32\conhost.exe |
Code function: 37_2_000001780DD2DA18 |
37_2_000001780DD2DA18 |
Source: C:\Windows\System32\conhost.exe |
Code function: 37_2_000001780DD2D894 |
37_2_000001780DD2D894 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_3_0000020175E8CE18 |
38_3_0000020175E8CE18 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_3_0000020175E8CC94 |
38_3_0000020175E8CC94 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_3_0000020175E823F0 |
38_3_0000020175E823F0 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000000140001CF0 |
38_2_0000000140001CF0 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000000140002D4C |
38_2_0000000140002D4C |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000000140003204 |
38_2_0000000140003204 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000000140002434 |
38_2_0000000140002434 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000000140001274 |
38_2_0000000140001274 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000020175EBDA18 |
38_2_0000020175EBDA18 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000020175EBD894 |
38_2_0000020175EBD894 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000020175EB2FF0 |
38_2_0000020175EB2FF0 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000020175EEDA18 |
38_2_0000020175EEDA18 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000020175EED894 |
38_2_0000020175EED894 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 38_2_0000020175EE2FF0 |
38_2_0000020175EE2FF0 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_3_000002D0165823F0 |
39_3_000002D0165823F0 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_3_000002D01658CC94 |
39_3_000002D01658CC94 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_3_000002D01658CE18 |
39_3_000002D01658CE18 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_2_000002D0165E2FF0 |
39_2_000002D0165E2FF0 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_2_000002D0165ED894 |
39_2_000002D0165ED894 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_2_000002D0165EDA18 |
39_2_000002D0165EDA18 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_2_000002D016612FF0 |
39_2_000002D016612FF0 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_2_000002D01661D894 |
39_2_000002D01661D894 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 39_2_000002D01661DA18 |
39_2_000002D01661DA18 |
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr |
Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}( |
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr |
Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys |
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr |
Binary string: \Device\NetbiosSmb |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr |
Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe |
Source: System.evtx.49.dr |
Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4lt |
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr |
Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys |
Source: System.evtx.49.dr |
Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exeh |
Source: System.evtx.49.dr |
Binary string: C:\Device\HarddiskVolume3`& |
Source: System.evtx.49.dr |
Binary string: C:\Device\HarddiskVolume3 |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr |
Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeP** |
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr |
Binary string: N\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr |
Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe |
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr |
Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe |
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.49.dr |
Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1} |
Source: System.evtx.49.dr |
Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe8 |
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr |
Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1} |
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr |
Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1} |
Source: System.evtx.49.dr |
Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4A |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr |
Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr |
Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe |
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr |
Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1} |