Binary string: System.Configuration.Install.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Data.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Core.pdbSystem.Transactions.ni.dlliy source: WER643A.tmp.dmp.27.dr
Binary string: System.pdbMZ@ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Numerics.pdbp source: WER8767.tmp.dmp.10.dr
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Binary string: System.Xml.pdbp source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Windows.Forms.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Drawing.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: Microsoft.Powershell.PSReadline.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.DirectoryServices.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Binary string: System.Drawing.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Xml.ni.pdbRSDS# source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: Microsoft.PowerShell.Security.pdbP source: WER643A.tmp.dmp.27.dr
Binary string: System.Core.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Binary string: System.Numerics.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Binary string: System.DirectoryServices.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Drawing.pdb0 source: WER8767.tmp.dmp.10.dr
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Binary string: System.ServiceProcess.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Management.ni.pdbRSDSJ< source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Configuration.Install.pdb }b source: WER8767.tmp.dmp.10.dr
Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: mscorlib.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Binary string: WINLOA~1.PDB source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Binary string: System.ServiceProcess.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Configuration.Install.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: mscorlib.pdb:\W source: WER8767.tmp.dmp.10.dr
Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Configuration.ni.pdbRSDScUN source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Xml.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: Microsoft.PowerShell.Security.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.DirectoryServices.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: Microsoft.CSharp.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Management.pdbP4 source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Configuration.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Configuration.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Data.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Data.ni.pdbRSDSC source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Windows.Forms.pdb` source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Xml.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Binary string: System.Management.Automation.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Numerics.ni.pdbRSDSautg source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Management.Automation.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Data.pdbH source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Windows.Forms.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Management.Automation.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Binary string: mscorlib.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Management.Automation.pdb3 source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Management.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Drawing.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Binary string: Microsoft.Management.Infrastructure.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Management.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Core.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Transactions.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Configuration.Install.pdbh source: WER643A.tmp.dmp.27.dr
Binary string: System.Core.pdbiy source: WER8767.tmp.dmp.10.dr
Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: Microsoft.PowerShell.Commands.Utility.pdbP source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Transactions.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Binary string: Microsoft.Powershell.PSReadline.pdb N source: WER643A.tmp.dmp.27.dr
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Binary string: System.Transactions.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Numerics.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: Microsoft.CSharp.pdb@ source: WER643A.tmp.dmp.27.dr
Binary string: System.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Binary string: System.Core.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
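The `…pdbRSDS…` fragments and the `Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb` paths above are two views of one structure. An RSDS (CodeView) debug record is the signature `RSDS`, a 16-byte GUID, a 32-bit age and a NUL-terminated PDB path; a symbol store files that PDB under `<name>\<GUID as 32 hex digits><age in hex>\<name>`, which is exactly the `68A17FAF…A583` + `1` directory name in the svchost strings. The string extractor that produced this list merges printable runs, which is consistent with a PDB name appearing glued to the `RSDS` signature and a few printable GUID bytes of an adjacent record (NGEN images carry entries for both the IL and the `.ni` PDB). The Python below is an added example, not part of the report or of any tool it names: it parses RSDS records out of an arbitrary blob and converts between the record and the symbol-store path. The sample blob is constructed here from the two identifiers in the list (GUID `68A17FAF…`, age 1; GUID `01AB9056…`, age 2); the `.pdb`-suffix and printable-ASCII checks are an assumed sanity filter against false `RSDS` matches.

```python
"""Decode RSDS (CodeView) debug records and Windows symbol-store paths."""
import re
import struct
import uuid

RSDS_SIG = b"RSDS"
# <name>.pdb\<GUID as 32 hex digits><age in hex>\<name>.pdb  (symsrv layout)
SYMSTORE_RE = re.compile(
    r"([^\\/]+\.pdb)[\\/]([0-9A-Fa-f]{32})([0-9A-Fa-f]{1,8})[\\/]\1$", re.IGNORECASE
)


def build_rsds(guid_hex: str, age: int, pdb_path: str) -> bytes:
    """Serialize one RSDS record (used here only to construct the sample blob)."""
    return (RSDS_SIG + uuid.UUID(hex=guid_hex).bytes_le
            + struct.pack("<I", age) + pdb_path.encode() + b"\x00")


def symstore_path(pdb_path: str, guid: uuid.UUID, age: int) -> str:
    """Relative path of this PDB in a symbol store: name\\GUID+AGE\\name."""
    name = re.split(r"[\\/]", pdb_path)[-1]
    return f"{name}\\{guid.hex.upper()}{age:X}\\{name}"


def parse_rsds(buf: bytes, off: int):
    """Parse the RSDS record at buf[off:]; None if the bytes there do not form one."""
    if buf[off:off + 4] != RSDS_SIG or len(buf) < off + 25:
        return None
    guid = uuid.UUID(bytes_le=buf[off + 4:off + 20])   # GUID is stored little-endian
    (age,) = struct.unpack_from("<I", buf, off + 20)
    end = buf.find(b"\x00", off + 24)                    # path is NUL-terminated
    if end < 0:
        return None
    try:
        path = buf[off + 24:end].decode("ascii")
    except UnicodeDecodeError:
        return None
    # Assumed sanity filter: a real record names a printable *.pdb path.
    if not path.lower().endswith(".pdb") or not path.isprintable():
        return None
    return {"pdb": path, "guid": str(guid).upper(), "age": age,
            "symstore": symstore_path(path, guid, age)}


def scan_rsds(blob: bytes):
    """Yield every plausible RSDS record in a blob (memory dump, PE file, ...)."""
    pos = blob.find(RSDS_SIG)
    while pos != -1:
        rec = parse_rsds(blob, pos)
        if rec:
            yield rec
        pos = blob.find(RSDS_SIG, pos + 4)


def parse_symstore_path(s: str):
    """Split '...\\ntkrnlmp.pdb\\68A1...5831\\ntkrnlmp.pdb' into (name, guid, age)."""
    m = SYMSTORE_RE.search(s)
    if not m:
        return None
    return m.group(1), m.group(2).upper(), int(m.group(3), 16)


# Constructed sample: two records built from identifiers in the report strings,
# separated by filler and by a decoy "RSDS" that is not followed by a record.
SAMPLE_BLOB = (
    b"\x00" * 7
    + build_rsds("68A17FAF3012B7846079AEECDBE0A583", 1, "ntkrnlmp.pdb")
    + b"RSDS" + b"\xff" * 30
    + build_rsds("01AB9056EA9380F71644C4339E3FA1AC", 2, "winload_prod.pdb")
)

if __name__ == "__main__":
    for rec in scan_rsds(SAMPLE_BLOB):
        print(rec["guid"], rec["age"], rec["symstore"])
    print(parse_symstore_path(
        r"\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb"
        r"\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb"))
```

Run it over a WER minidump or a `.sdmp` region with `scan_rsds(open(path, "rb").read())` to recover every debug record the strings list only hints at; the GUID and age are what a symbol server is queried with, so they also tell you which exact build of a module was loaded.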
Source: C:\Windows\System32\cmd.exe | Code function: 18_2_0000022123C2D894 FindFirstFileExW,
Source: C:\Windows\System32\cmd.exe | Code function: 18_2_0000022123C2DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\cmd.exe | Code function: 18_2_0000022123C5D894 FindFirstFileExW,
Source: C:\Windows\System32\cmd.exe | Code function: 18_2_0000022123C5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\conhost.exe | Code function: 19_2_0000013F08E6DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\conhost.exe | Code function: 19_2_0000013F08E6D894 FindFirstFileExW,
Source: C:\Windows\System32\conhost.exe | Code function: 19_2_0000013F08E9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\conhost.exe | Code function: 19_2_0000013F08E9D894 FindFirstFileExW,
Source: C:\Windows\System32\conhost.exe | Code function: 36_2_000001FD186DD894 FindFirstFileExW,
Source: C:\Windows\System32\conhost.exe | Code function: 36_2_000001FD186DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000017C6DABDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000017C6DABD894 FindFirstFileExW,
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000017C6DD7DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000017C6DD7D894 FindFirstFileExW,
Source: C:\Windows\System32\winlogon.exe | Code function: 38_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\winlogon.exe | Code function: 38_2_00000225DC64D894 FindFirstFileExW,
Source: C:\Windows\System32\winlogon.exe | Code function: 38_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\winlogon.exe | Code function: 38_2_00000225DC67D894 FindFirstFileExW,
Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000202C0AED894 FindFirstFileExW,
Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000202C0B1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000202C0B1D894 FindFirstFileExW,
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_000002A66130D894 FindFirstFileExW,
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000002BAAEDCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000002BAAEDCD894 FindFirstFileExW,
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000002BAAEDFDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000002BAAEDFD894 FindFirstFileExW,
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 42_2_000002705306DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 42_2_000002705306D894 FindFirstFileExW,
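Every `Code function` row above shows one of two call sequences, and the low 16 bits of the address (`D894` for the lone `FindFirstFileExW`, `DA18` for the full enumerate-and-close loop) repeat across cmd, conhost, dllhost, winlogon, lsass, svchost, dwm and WMIADAP under different high bits; in most of those processes a second copy of each sits exactly 0x30000 higher (0x2C0000 in dllhost). Hits that share both offset and call sequence across unrelated system processes usually belong to one module mapped into all of them rather than to code specific to the sample, so they should be grouped before anyone spends time on them. The Python below is an added example, not from the report or its vendor: it parses rows in either the one-line `Source: ... | Code function: ...` form or the split form, groups them by (API sequence, low-order offset) and reports the spacing of duplicate copies within a process. The 0xFFFF mask is an assumed page-offset heuristic; the sample rows are copied from the report.

```python
"""Group a sandbox report's 'Code function' hits by API sequence and page offset."""
import re
from collections import defaultdict

# One row = process path, the report's numeric prefix, a 64-bit address and the
# comma-separated APIs called from that function. \s* also matches a line break,
# so the pattern accepts both the one-line and the split "Source:" layout.
ROW_RE = re.compile(
    r"Source:\s*(?P<proc>[^|\n]+?)\s*\|\s*Code function:\s*"
    r"(?P<prefix>\d+_\d+)_(?P<addr>[0-9A-Fa-f]{8,16})\s+(?P<apis>[A-Za-z0-9_,]+)"
)

# Constructed sample: a subset of the report rows, one per line.
SAMPLE = r"""
Source: C:\Windows\System32\cmd.exe | Code function: 18_2_0000022123C2D894 FindFirstFileExW,
Source: C:\Windows\System32\cmd.exe | Code function: 18_2_0000022123C2DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\cmd.exe | Code function: 18_2_0000022123C5D894 FindFirstFileExW,
Source: C:\Windows\System32\conhost.exe | Code function: 19_2_0000013F08E6DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000202C0AED894 FindFirstFileExW,
Source: C:\Windows\System32\winlogon.exe | Code function: 38_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000002BAAEDCD894 FindFirstFileExW,
"""


def parse_rows(text):
    """Return one dict per row: proc (basename), prefix, addr (int), apis (tuple)."""
    rows = []
    for m in ROW_RE.finditer(text):
        rows.append({
            "proc": m.group("proc").rsplit("\\", 1)[-1],
            "prefix": m.group("prefix"),
            "addr": int(m.group("addr"), 16),
            "apis": tuple(a for a in m.group("apis").split(",") if a),
        })
    return rows


def shared_offsets(rows, mask=0xFFFF, min_procs=2):
    """Key hits by (API sequence, addr & mask); keep keys seen in >= min_procs processes.

    Assumed heuristic: a module mapped at different bases in different processes
    keeps the same low-order offset for the same function.
    """
    groups = defaultdict(set)
    for r in rows:
        groups[(r["apis"], r["addr"] & mask)].add(r["proc"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_procs}


def copy_deltas(rows, mask=0xFFFF):
    """Within one process, distances between repeated copies of the same function."""
    per = defaultdict(set)
    for r in rows:
        per[(r["proc"], r["apis"], r["addr"] & mask)].add(r["addr"])
    out = {}
    for key, addrs in per.items():
        a = sorted(addrs)
        if len(a) > 1:
            out[key] = [hi - lo for lo, hi in zip(a, a[1:])]
    return out


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    for (apis, off), procs in shared_offsets(rows).items():
        print(f"+0x{off:04X} {','.join(apis):55} {len(procs)} procs: {', '.join(procs)}")
    for (proc, apis, off), deltas in copy_deltas(rows).items():
        print(f"{proc}: copies of +0x{off:04X} {apis[0]} spaced {[hex(d) for d in deltas]}")
```

Feed it the whole `Code function` section and anything that appears in only one or two processes, or with a call sequence no other process shares, is what deserves a look; the rest is one shared module seen through many processes, and the module itself (not each hit) is the thing to identify.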
Source: Microsoft-Windows-LiveId%4Operational.evtx.49.dr |
String found in binary or memory: http://Passport.NET/tb |
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0 |
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0 |
Source: powershell.exe, 00000007.00000002.2143087471.000001A697909000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2475973230.000002A7E1F25000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microsoft |
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07 |
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0? |
Source: lsass.exe, 00000027.00000000.2475625757.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2511424538.00000202C024E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3028177697.00000202C0249000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00 |
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0 |
Source: lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: lsass.exe, 00000027.00000002.3028177697.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475625757.00000202C0200000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 |
Source: lsass.exe, 00000027.00000002.3016592946.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475206356.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512 |
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd |
Source: powershell.exe, 00000007.00000002.2385169405.000001A6A96E0000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2678729397.000002A7F2783000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: lsass.exe, 00000027.00000000.2475625757.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2511424538.00000202C024E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3028177697.00000202C0249000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0: |
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0H |
Source: lsass.exe, 00000027.00000000.2475625757.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2511424538.00000202C024E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3028177697.00000202C0249000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.msocsp.com0 |
Source: powershell.exe, 00000023.00000002.2477927278.000002A7E279D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3079927018.000001D559774000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2549732698.000001D559773000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000003.2564164365.000001D559773000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: svchost.exe, 00000032.00000002.3031906020.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp |
String found in binary or memory: http://schemas.micro |
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy |
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust |
Source: powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2477927278.000002A7E2571000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3016592946.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475206356.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy |
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties |
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/ |
Source: Amcache.hve.10.dr | String found in binary or memory: http://upx.sf.net |
Source: powershell.exe, 00000023.00000002.2477927278.000002A7E279D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3079927018.000001D559774000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2549732698.000001D559773000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000003.2564164365.000001D559773000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0~ |
Source: powershell.exe, 00000019.00000002.3053661070.0000016A83A50000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co |
Source: powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp, Null.25.dr, Null.7.dr | String found in binary or memory: https://aka.ms/pscore6 |
Source: powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2477927278.000002A7E2571000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6xGa |
Source: powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000023.00000002.2477927278.000002A7E279D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3079927018.000001D559774000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2549732698.000001D559773000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000003.2564164365.000001D559773000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000023.00000002.2477927278.000002A7E3703000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000007.00000002.2385169405.000001A6A96E0000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.49.dr | String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFD9B80E0EA NtWriteVirtualMemory, | 35_2_00007FFD9B80E0EA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFD9B80E112 NtSetContextThread, | 35_2_00007FFD9B80E112
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFD9B80E132 NtResumeThread, | 35_2_00007FFD9B80E132
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFD9B80E0B8 NtUnmapViewOfSection, | 35_2_00007FFD9B80E0B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFD9B810FF4 NtResumeThread, | 35_2_00007FFD9B810FF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFD9B810F30 NtSetContextThread, | 35_2_00007FFD9B810F30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFD9B810A4E NtUnmapViewOfSection, | 35_2_00007FFD9B810A4E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFD9B80E122 NtSetContextThread, | 35_2_00007FFD9B80E122
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFD9B810C6D NtWriteVirtualMemory, | 35_2_00007FFD9B810C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFD9B80E088 NtUnmapViewOfSection, | 35_2_00007FFD9B80E088
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle, | 37_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe | Code function: 38_2_00000225DC642C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue, | 38_2_00000225DC642C80
Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000202C0AE2300 NtQuerySystemInformation,StrCmpNIW, | 39_2_00000202C0AE2300
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000002BAAEDF2C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue, | 41_2_000002BAAEDF2C80
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 42_2_0000027053062300 NtQuerySystemInformation,StrCmpNIW, | 42_2_0000027053062300
Source: C:\Windows\System32\cmd.exe | Code function: 18_3_0000022123BFCC94 | 18_3_0000022123BFCC94
Source: C:\Windows\System32\cmd.exe | Code function: 18_3_0000022123BF23F0 | 18_3_0000022123BF23F0
Source: C:\Windows\System32\cmd.exe | Code function: 18_3_0000022123BFCE18 | 18_3_0000022123BFCE18
Source: C:\Windows\System32\cmd.exe | Code function: 18_3_0000022123BCCC94 | 18_3_0000022123BCCC94
Source: C:\Windows\System32\cmd.exe | Code function: 18_3_0000022123BC23F0 | 18_3_0000022123BC23F0
Source: C:\Windows\System32\cmd.exe | Code function: 18_3_0000022123BCCE18 | 18_3_0000022123BCCE18
Source: C:\Windows\System32\cmd.exe | Code function: 18_2_0000022123C2D894 | 18_2_0000022123C2D894
Source: C:\Windows\System32\cmd.exe | Code function: 18_2_0000022123C22FF0 | 18_2_0000022123C22FF0
Source: C:\Windows\System32\cmd.exe | Code function: 18_2_0000022123C2DA18 | 18_2_0000022123C2DA18
Source: C:\Windows\System32\cmd.exe | Code function: 18_2_0000022123C5D894 | 18_2_0000022123C5D894
Source: C:\Windows\System32\cmd.exe | Code function: 18_2_0000022123C52FF0 | 18_2_0000022123C52FF0
Source: C:\Windows\System32\cmd.exe | Code function: 18_2_0000022123C5DA18 | 18_2_0000022123C5DA18
Source: C:\Windows\System32\conhost.exe | Code function: 19_3_0000013F081CCE18 | 19_3_0000013F081CCE18
Source: C:\Windows\System32\conhost.exe | Code function: 19_3_0000013F081C23F0 | 19_3_0000013F081C23F0
Source: C:\Windows\System32\conhost.exe | Code function: 19_3_0000013F081CCC94 | 19_3_0000013F081CCC94
Source: C:\Windows\System32\conhost.exe | Code function: 19_2_0000013F08E6DA18 | 19_2_0000013F08E6DA18
Source: C:\Windows\System32\conhost.exe | Code function: 19_2_0000013F08E62FF0 | 19_2_0000013F08E62FF0
Source: C:\Windows\System32\conhost.exe | Code function: 19_2_0000013F08E6D894 | 19_2_0000013F08E6D894
Source: C:\Windows\System32\conhost.exe | Code function: 19_2_0000013F08E9DA18 | 19_2_0000013F08E9DA18
Source: C:\Windows\System32\conhost.exe | Code function: 19_2_0000013F08E92FF0 | 19_2_0000013F08E92FF0
Source: C:\Windows\System32\conhost.exe | Code function: 19_2_0000013F08E9D894 | 19_2_0000013F08E9D894
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFD9B80DD68 | 35_2_00007FFD9B80DD68
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 35_2_00007FFD9B80E339 | 35_2_00007FFD9B80E339
Source: C:\Windows\System32\conhost.exe | Code function: 36_3_000001FD1776CE18 | 36_3_000001FD1776CE18
Source: C:\Windows\System32\conhost.exe | Code function: 36_3_000001FD1776CC94 | 36_3_000001FD1776CC94
Source: C:\Windows\System32\conhost.exe | Code function: 36_3_000001FD177623F0 | 36_3_000001FD177623F0
Source: C:\Windows\System32\conhost.exe | Code function: 36_2_000001FD186D2FF0 | 36_2_000001FD186D2FF0
Source: C:\Windows\System32\conhost.exe | Code function: 36_2_000001FD186DD894 | 36_2_000001FD186DD894
Source: C:\Windows\System32\conhost.exe | Code function: 36_2_000001FD186DDA18 | 36_2_000001FD186DDA18
Source: C:\Windows\System32\dllhost.exe | Code function: 37_3_0000017C6DA823F0 | 37_3_0000017C6DA823F0
Source: C:\Windows\System32\dllhost.exe | Code function: 37_3_0000017C6DA8CE18 | 37_3_0000017C6DA8CE18
Source: C:\Windows\System32\dllhost.exe | Code function: 37_3_0000017C6DA8CC94 | 37_3_0000017C6DA8CC94
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000000140001CF0 | 37_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000000140002D4C | 37_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000000140003204 | 37_2_0000000140003204
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000000140002434 | 37_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000000140001274 | 37_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000017C6DAB2FF0 | 37_2_0000017C6DAB2FF0
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000017C6DABDA18 | 37_2_0000017C6DABDA18
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000017C6DABD894 | 37_2_0000017C6DABD894
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000017C6DD72FF0 | 37_2_0000017C6DD72FF0
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000017C6DD7DA18 | 37_2_0000017C6DD7DA18
Source: C:\Windows\System32\dllhost.exe | Code function: 37_2_0000017C6DD7D894 | 37_2_0000017C6DD7D894
Source: C:\Windows\System32\winlogon.exe | Code function: 38_3_00000225DC61CE18 | 38_3_00000225DC61CE18
Source: C:\Windows\System32\winlogon.exe | Code function: 38_3_00000225DC6123F0 | 38_3_00000225DC6123F0
Source: C:\Windows\System32\winlogon.exe | Code function: 38_3_00000225DC61CC94 | 38_3_00000225DC61CC94
Source: C:\Windows\System32\winlogon.exe | Code function: 38_2_00000225DC64DA18 | 38_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe | Code function: 38_2_00000225DC642FF0 | 38_2_00000225DC642FF0
Source: C:\Windows\System32\winlogon.exe | Code function: 38_2_00000225DC64D894 | 38_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe | Code function: 38_2_00000225DC67DA18 | 38_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe | Code function: 38_2_00000225DC672FF0 | 38_2_00000225DC672FF0
Source: C:\Windows\System32\winlogon.exe | Code function: 38_2_00000225DC67D894 | 38_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe | Code function: 39_3_00000202C0ABCE18 | 39_3_00000202C0ABCE18
Source: C:\Windows\System32\lsass.exe | Code function: 39_3_00000202C0ABCC94 | 39_3_00000202C0ABCC94
Source: C:\Windows\System32\lsass.exe | Code function: 39_3_00000202C0AB23F0 | 39_3_00000202C0AB23F0
Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000202C0AEDA18 | 39_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000202C0AED894 | 39_2_00000202C0AED894
Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000202C0AE2FF0 | 39_2_00000202C0AE2FF0
Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000202C0B1DA18 | 39_2_00000202C0B1DA18
Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000202C0B1D894 | 39_2_00000202C0B1D894
Source: C:\Windows\System32\lsass.exe | Code function: 39_2_00000202C0B12FF0 | 39_2_00000202C0B12FF0
Source: C:\Windows\System32\svchost.exe | Code function: 40_3_000002A6612DCE18 | 40_3_000002A6612DCE18
Source: C:\Windows\System32\svchost.exe | Code function: 40_3_000002A6612D23F0 | 40_3_000002A6612D23F0
Source: C:\Windows\System32\svchost.exe | Code function: 40_3_000002A6612DCC94 | 40_3_000002A6612DCC94
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_000002A66130DA18 | 40_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_000002A661302FF0 | 40_2_000002A661302FF0
Source: C:\Windows\System32\svchost.exe | Code function: 40_2_000002A66130D894 | 40_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe | Code function: 41_3_000002BAAEDCCE18 | 41_3_000002BAAEDCCE18
Source: C:\Windows\System32\dwm.exe | Code function: 41_3_000002BAAEDC23F0 | 41_3_000002BAAEDC23F0
Source: C:\Windows\System32\dwm.exe | Code function: 41_3_000002BAAEDCCC94 | 41_3_000002BAAEDCCC94
Source: C:\Windows\System32\dwm.exe | Code function: 41_3_000002BAAED9CE18 | 41_3_000002BAAED9CE18
Source: C:\Windows\System32\dwm.exe | Code function: 41_3_000002BAAED923F0 | 41_3_000002BAAED923F0
Source: C:\Windows\System32\dwm.exe | Code function: 41_3_000002BAAED9CC94 | 41_3_000002BAAED9CC94
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000002BAAEDCDA18 | 41_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000002BAAEDC2FF0 | 41_2_000002BAAEDC2FF0
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000002BAAEDCD894 | 41_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000002BAAEDFDA18 | 41_2_000002BAAEDFDA18
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000002BAAEDF2FF0 | 41_2_000002BAAEDF2FF0
Source: C:\Windows\System32\dwm.exe | Code function: 41_2_000002BAAEDFD894 | 41_2_000002BAAEDFD894
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 42_3_0000027052A123F0 | 42_3_0000027052A123F0
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 42_3_0000027052A1CC94 | 42_3_0000027052A1CC94
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 42_3_0000027052A1CE18 | 42_3_0000027052A1CE18
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 42_2_0000027053062FF0 | 42_2_0000027053062FF0
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 42_2_000002705306DA18 | 42_2_000002705306DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe | Code function: 42_2_000002705306D894 | 42_2_000002705306D894
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr | Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1} |
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr | Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys |
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr | Binary string: \Device\NetbiosSmb |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr | Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe |
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr | Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys |
Source: System.evtx.49.dr | Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4 |
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr | Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe |
Source: System.evtx.49.dr | Binary string: C:\Device\HarddiskVolume3` |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr | Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe |
Source: System.evtx.49.dr | Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr | Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH** |
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr | Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe |
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe |
Source: System.evtx.49.dr | Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe |
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.49.dr | Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1} |
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr | Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1} |
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr | Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe |
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}l |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr | Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe |
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr | Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe |
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr | Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1} |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL |
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8184 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\6983353 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\5387306 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7196:120:WilError_03 |
Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex |
Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\8404857 |
Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03 |
Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib |
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3852 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03 |