Source: |
Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: WINLOA~1.PDB source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000017.00000000.1840558344.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2941691166.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000017.00000002.2940183395.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1840509505.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp |
Source: |
Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000017.00000000.1840584622.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2942503144.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Users\Public\DeadCodeRootKit.exe |
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.000000000243F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://api.telegram.org |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0 |
Source: lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0 |
Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0 |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07 |
Source: lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0= |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0? |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774915423.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763730672.00000202C024B000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00 |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0 |
Source: lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: lsass.exe, 0000000C.00000002.2957284217.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763730672.00000202C0200000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 |
Source: lsass.exe, 0000000C.00000002.2949177193.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763357769.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512 |
Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd |
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ip-api.com |
Source: mIURiU8n2P.exe, 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, DeadROOTkit.exe.2.dr |
String found in binary or memory: http://ip-api.com/line/?fields=hosting |
Source: powershell.exe, 00000004.00000002.1899586399.0000011113902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1899586399.0000011113AA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1839365843.000002DE90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763590382.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2952382254.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774915423.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763730672.00000202C024B000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0: |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0H |
Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0I |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763730672.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.msocsp.com0 |
Source: powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: svchost.exe, 0000001A.00000002.2962138490.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp |
String found in binary or memory: http://schemas.micro |
Source: svchost.exe, 00000016.00000002.3001209327.000001845BB84000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.msoftP |
Source: powershell.exe, 00000007.00000002.1786234964.000002DE80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy |
Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust |
Source: DeadXClient.exe, 00000001.00000002.2955878706.0000000002901000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2956134718.0000000002311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1779642673.0000011103891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1786234964.000002DE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081411000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: lsass.exe, 0000000C.00000002.2949177193.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763357769.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy |
Source: powershell.exe, 00000007.00000002.1786234964.000002DE80229000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/ |
Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties |
Source: lsass.exe, 0000000C.00000000.1763228169.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2948416778.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/ |
Source: powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: lsass.exe, 0000000C.00000002.2974624894.00000202C0400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774441153.00000202C0402000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: lsass.exe, 0000000C.00000000.1774122233.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1774122233.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.2189100927.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2969201803.00000202C03B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000003.1786428389.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000002.2967895483.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000C.00000000.1766962440.00000202C037F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.digicert.com/CPS0~ |
Source: svchost.exe, 00000028.00000002.3011157363.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000000.1926814755.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.msftconnecttest.com |
Source: svchost.exe, 00000028.00000002.3011157363.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000000.1926814755.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.msftconnecttest.com/ |
Source: powershell.exe, 00000004.00000002.1779642673.0000011103891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1786234964.000002DE80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1922708453.000001F081411000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.org |
Source: mIURiU8n2P.exe, 00000000.00000002.1703934967.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp, DeadROOTkit.exe, 00000002.00000000.1701692705.00000000001A2000.00000002.00000001.01000000.00000008.sdmp, DeadROOTkit.exe.2.dr |
String found in binary or memory: https://api.telegram.org/bot |
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text= |
Source: DeadROOTkit.exe, 00000002.00000002.2956134718.000000000235B000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.telegram.org/botYour_Token/sendMessage?chat_id=Your_ID&text=%E2%98%A0%20%5BXWorm%20V3.0% |
Source: powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 0000001D.00000002.1922708453.000001F081639000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000004.00000002.1779642673.0000011104DE4000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000004.00000002.1899586399.0000011113902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1839365843.000002DE90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2052291589.000001F091483000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.dr |
String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq |
Source: C:\Users\user\Desktop\mIURiU8n2P.exe |
Code function: 0_2_00007FFD9B800C11 |
0_2_00007FFD9B800C11 |
Source: C:\Users\Public\DeadXClient.exe |
Code function: 1_2_00007FFD9B7F6F66 |
1_2_00007FFD9B7F6F66 |
Source: C:\Users\Public\DeadXClient.exe |
Code function: 1_2_00007FFD9B7F7D12 |
1_2_00007FFD9B7F7D12 |
Source: C:\Users\Public\DeadXClient.exe |
Code function: 1_2_00007FFD9B7F0E79 |
1_2_00007FFD9B7F0E79 |
Source: C:\Users\Public\DeadXClient.exe |
Code function: 1_2_00007FFD9B7F1799 |
1_2_00007FFD9B7F1799 |
Source: C:\Users\Public\DeadROOTkit.exe |
Code function: 2_2_00007FFD9B8012E9 |
2_2_00007FFD9B8012E9 |
Source: C:\Users\Public\DeadROOTkit.exe |
Code function: 2_2_00007FFD9B805F06 |
2_2_00007FFD9B805F06 |
Source: C:\Users\Public\DeadROOTkit.exe |
Code function: 2_2_00007FFD9B8021D1 |
2_2_00007FFD9B8021D1 |
Source: C:\Users\Public\DeadROOTkit.exe |
Code function: 2_2_00007FFD9B806CB2 |
2_2_00007FFD9B806CB2 |
Source: C:\Users\Public\DeadROOTkit.exe |
Code function: 2_2_00007FFD9B8046DD |
2_2_00007FFD9B8046DD |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 4_2_00007FFD9B7EF649 |
4_2_00007FFD9B7EF649 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 4_2_00007FFD9B7EB2FA |
4_2_00007FFD9B7EB2FA |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 4_2_00007FFD9B7EE319 |
4_2_00007FFD9B7EE319 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 4_2_00007FFD9B7EFDD9 |
4_2_00007FFD9B7EFDD9 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 6_3_000002E86A06F418 |
6_3_000002E86A06F418 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 6_3_000002E86A06B150 |
6_3_000002E86A06B150 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 6_3_000002E86A06B35C |
6_3_000002E86A06B35C |
Source: C:\Windows\System32\dllhost.exe |
Code function: 6_3_000002E86A071778 |
6_3_000002E86A071778 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 6_2_0000000140001CDC |
6_2_0000000140001CDC |
Source: C:\Windows\System32\dllhost.exe |
Code function: 6_2_0000000140002D54 |
6_2_0000000140002D54 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 6_2_0000000140002430 |
6_2_0000000140002430 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 6_2_00000001400031D8 |
6_2_00000001400031D8 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 6_2_0000000140001274 |
6_2_0000000140001274 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 6_2_000002E86A0A0018 |
6_2_000002E86A0A0018 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 6_2_000002E86A09BD50 |
6_2_000002E86A09BD50 |
Source: C:\Windows\System32\dllhost.exe |
Code function: 6_2_000002E86A09BF5C |
6_2_000002E86A09BF5C |
Source: C:\Windows\System32\dllhost.exe |
Code function: 6_2_000002E86A0A2378 |
6_2_000002E86A0A2378 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Code function: 7_2_00007FFD9B8A30E9 |
7_2_00007FFD9B8A30E9 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 11_3_00000225DC621778 |
11_3_00000225DC621778 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 11_3_00000225DC61B35C |
11_3_00000225DC61B35C |
Source: C:\Windows\System32\winlogon.exe |
Code function: 11_3_00000225DC61F418 |
11_3_00000225DC61F418 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 11_3_00000225DC61B150 |
11_3_00000225DC61B150 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 11_2_00000225DC652378 |
11_2_00000225DC652378 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 11_2_00000225DC64BF5C |
11_2_00000225DC64BF5C |
Source: C:\Windows\System32\winlogon.exe |
Code function: 11_2_00000225DC650018 |
11_2_00000225DC650018 |
Source: C:\Windows\System32\winlogon.exe |
Code function: 11_2_00000225DC64BD50 |
11_2_00000225DC64BD50 |
Source: C:\Windows\System32\lsass.exe |
Code function: 12_3_00000202C0AC1778 |
12_3_00000202C0AC1778 |
Source: C:\Windows\System32\lsass.exe |
Code function: 12_3_00000202C0ABB35C |
12_3_00000202C0ABB35C |
Source: C:\Windows\System32\lsass.exe |
Code function: 12_3_00000202C0ABF418 |
12_3_00000202C0ABF418 |
Source: C:\Windows\System32\lsass.exe |
Code function: 12_3_00000202C0ABB150 |
12_3_00000202C0ABB150 |
Source: C:\Windows\System32\lsass.exe |
Code function: 12_2_00000202C0AF2378 |
12_2_00000202C0AF2378 |
Source: C:\Windows\System32\lsass.exe |
Code function: 12_2_00000202C0AEBF5C |
12_2_00000202C0AEBF5C |
Source: C:\Windows\System32\lsass.exe |
Code function: 12_2_00000202C0AF0018 |
12_2_00000202C0AF0018 |
Source: C:\Windows\System32\lsass.exe |
Code function: 12_2_00000202C0AEBD50 |
12_2_00000202C0AEBD50 |
Source: C:\Users\Public\Deadsvchost.exe |
Code function: 13_2_00007FFD9B800E79 |
13_2_00007FFD9B800E79 |
Source: C:\Users\Public\Deadsvchost.exe |
Code function: 13_2_00007FFD9B801799 |
13_2_00007FFD9B801799 |
Source: C:\Windows\System32\svchost.exe |
Code function: 14_3_000002A6612DB35C |
14_3_000002A6612DB35C |
Source: C:\Windows\System32\svchost.exe |
Code function: 14_3_000002A6612E1778 |
14_3_000002A6612E1778 |
Source: C:\Windows\System32\svchost.exe |
Code function: 14_3_000002A6612DB150 |
14_3_000002A6612DB150 |
Source: C:\Windows\System32\svchost.exe |
Code function: 14_3_000002A6612DF418 |
14_3_000002A6612DF418 |
Source: C:\Windows\System32\svchost.exe |
Code function: 14_2_000002A66130BF5C |
14_2_000002A66130BF5C |
Source: C:\Windows\System32\svchost.exe |
Code function: 14_2_000002A661312378 |
14_2_000002A661312378 |
Source: C:\Windows\System32\svchost.exe |
Code function: 14_2_000002A66130BD50 |
14_2_000002A66130BD50 |
Source: C:\Windows\System32\svchost.exe |
Code function: 14_2_000002A661310018 |
14_2_000002A661310018 |
Source: C:\Windows\System32\dwm.exe |
Code function: 16_3_000002BAAF1F1778 |
16_3_000002BAAF1F1778 |
Source: C:\Windows\System32\dwm.exe |
Code function: 16_3_000002BAAF1EB35C |
16_3_000002BAAF1EB35C |
Source: C:\Windows\System32\dwm.exe |
Code function: 16_3_000002BAAF1EB150 |
16_3_000002BAAF1EB150 |
Source: C:\Windows\System32\dwm.exe |
Code function: 16_3_000002BAAF1EF418 |
16_3_000002BAAF1EF418 |
Source: C:\Windows\System32\dwm.exe |
Code function: 16_2_000002BAAF21BF5C |
16_2_000002BAAF21BF5C |
Source: C:\Windows\System32\dwm.exe |
Code function: 16_2_000002BAAF222378 |
16_2_000002BAAF222378 |
Source: C:\Windows\System32\dwm.exe |
Code function: 16_2_000002BAAF21BD50 |
16_2_000002BAAF21BD50 |
Source: C:\Windows\System32\dwm.exe |
Code function: 16_2_000002BAAF220018 |
16_2_000002BAAF220018 |
Source: C:\Windows\System32\svchost.exe |
Code function: 17_3_0000026A8799F418 |
17_3_0000026A8799F418 |
Source: C:\Windows\System32\svchost.exe |
Code function: 17_3_0000026A8799B35C |
17_3_0000026A8799B35C |
Source: C:\Windows\System32\svchost.exe |
Code function: 17_3_0000026A879A1778 |
17_3_0000026A879A1778 |
Source: C:\Windows\System32\svchost.exe |
Code function: 17_3_0000026A8799B150 |
17_3_0000026A8799B150 |
Source: C:\Windows\System32\svchost.exe |
Code function: 17_2_0000026A879D0018 |
17_2_0000026A879D0018 |
Source: C:\Windows\System32\svchost.exe |
Code function: 17_2_0000026A879CBF5C |
17_2_0000026A879CBF5C |
Source: C:\Windows\System32\svchost.exe |
Code function: 17_2_0000026A879D2378 |
17_2_0000026A879D2378 |
Source: C:\Windows\System32\svchost.exe |
Code function: 17_2_0000026A879CBD50 |
17_2_0000026A879CBD50 |
Source: C:\Windows\System32\svchost.exe |
Code function: 19_3_000001795377B150 |
19_3_000001795377B150 |
Source: C:\Windows\System32\svchost.exe |
Code function: 19_3_0000017953781778 |
19_3_0000017953781778 |
Source: C:\Windows\System32\svchost.exe |
Code function: 19_3_000001795377B35C |
19_3_000001795377B35C |
Source: C:\Windows\System32\svchost.exe |
Code function: 19_3_000001795377F418 |
19_3_000001795377F418 |
Source: C:\Windows\System32\svchost.exe |
Code function: 19_2_00000179537ABD50 |
19_2_00000179537ABD50 |
Source: C:\Windows\System32\svchost.exe |
Code function: 19_2_00000179537B2378 |
19_2_00000179537B2378 |
Source: C:\Windows\System32\svchost.exe |
Code function: 19_2_00000179537ABF5C |
19_2_00000179537ABF5C |
Source: C:\Windows\System32\svchost.exe |
Code function: 19_2_00000179537B0018 |
19_2_00000179537B0018 |
Source: C:\Windows\System32\svchost.exe |
Code function: 20_3_000002295D53B150 |
20_3_000002295D53B150 |
Source: C:\Windows\System32\svchost.exe |
Code function: 20_3_000002295D53F418 |
20_3_000002295D53F418 |
Source: C:\Windows\System32\svchost.exe |
Code function: 20_3_000002295D53B35C |
20_3_000002295D53B35C |
Source: C:\Windows\System32\svchost.exe |
Code function: 20_3_000002295D541778 |
20_3_000002295D541778 |
Source: C:\Windows\System32\svchost.exe |
Code function: 20_2_000002295D56BD50 |
20_2_000002295D56BD50 |
Source: C:\Windows\System32\svchost.exe |
Code function: 20_2_000002295D570018 |
20_2_000002295D570018 |
Source: C:\Windows\System32\svchost.exe |
Code function: 20_2_000002295D56BF5C |
20_2_000002295D56BF5C |
Source: C:\Windows\System32\svchost.exe |
Code function: 20_2_000002295D572378 |
20_2_000002295D572378 |