Source: | Binary string: C:\Windows\Fallkyriya.pdbpdbiya.pdb> source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe |
Source: | Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: System.Windows.Forms.ni.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: \??\C:\Windows\symbols\exe\Fallkyriya.pdbX source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: System.Drawing.ni.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: mscorlib.ni.pdbRSDS7^3l source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: Fallkyriya.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: System.Drawing.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: indoC:\Windows\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb* source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Xml.ni.pdbRSDS# source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.Core.ni.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: Microsoft.VisualBasic.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: pC:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.PDB source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: SecuriteInfo.com.Win64.RATX-gen.30029.14447.PDB source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: assembly\GAC_MSC:\Users\user\Desktop\Fallkyriya.pdb3f@ source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Fallkyriya.pdbpdbE source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Windows.Forms.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.Drawing.pdbMicrosoft.VisualBasic.ni.dll source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: mscorlib.ni.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E186D2000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Windows.Forms.pdb; source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdba@V source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.Configuration.ni.pdbRSDScUN source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: \??\C:\Users\user\Desktop\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdbll source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\exe\Fallkyriya.pdb< source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.PDB source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.VisualBasic.ni.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.Xml.ni.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 0000001C.00000000.2150724621.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3354678483.0000024B87641000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: System.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: n.pdb source: WerFault.exe, 0000000C.00000003.2198769278.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2200438015.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: symbols\exe\Fallkyriya.pdbbg source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbF source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Configuration.ni.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: mscorlib.pdb0 source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: 8C:\Windows\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: ~1.PDB @ source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: System.Configuration.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.Xml.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: aspnet_wp.pdb source: aspnet_wp.exe, 00000003.00000003.2096098027.000001F51DBF0000.00000004.00000001.00020000.00000000.sdmp, oapavmkbdsqp.exe, 00000011.00000002.2098760613.00007FF69A507000.00000004.00000001.01000000.0000000B.sdmp, oapavmkbdsqp.exe, 00000011.00000000.2098305062.00007FF69A507000.00000002.00000001.01000000.0000000B.sdmp, oapavmkbdsqp.exe.3.dr |
Source: | Binary string: n.pdb? source: WerFault.exe, 0000000C.00000003.2198769278.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2200438015.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: System.Core.pdbp source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.Windows.Forms.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbON.dll source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 0000001C.00000000.2150724621.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3354678483.0000024B87641000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\exe\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Fallkyriya.pdbp< source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: System.Drawing.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.Core.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: \??\C:\Windows\Fallkyriya.pdbf source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: .pdbH source: WerFault.exe, 0000000C.00000003.2198769278.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2200438015.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb {a source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbY source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E186D2000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Xml.pdb@ source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.ni.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.Core.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: C:\Users.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp |
Source: lsass.exe, 00000012.00000002.3371700118.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099752391.00000140AE074000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://3csp.icrosof4m/ocp0 |
Source: svchost.exe, 00000014.00000003.2159700453.000001D26FB78000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3376019995.000001D26FB37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2159582249.000001D26FB74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS |
Source: svchost.exe, 00000014.00000003.2159582249.000001D26FB74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd |
Source: Microsoft-Windows-LiveId%4Operational.evtx.29.dr | String found in binary or memory: http://Passport.NET/tb |
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3368479430.000001D26F2E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb:pp |
Source: svchost.exe, 00000014.00000002.3368479430.000001D26F2E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb_ |
Source: lsass.exe, 00000012.00000002.3375621134.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099913058.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099658073.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3367839051.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B |
Source: lsass.exe, 00000012.00000000.2099690859.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000003.2195174266.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3369125884.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099809258.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3374306688.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: lsass.exe, 00000012.00000002.3361207736.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3371700118.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099752391.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099478451.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0 |
Source: lsass.exe, 00000012.00000000.2099913058.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3375621134.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099913058.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099658073.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0 |
Source: svchost.exe, 00000014.00000002.3365424692.000001D26F2C8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.2137719803.000001428B134000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3406124581.000001428B161000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver) |
Source: lsass.exe, 00000012.00000002.3375621134.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099913058.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099658073.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3367839051.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0= |
Source: lsass.exe, 00000012.00000000.2099690859.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000003.2195174266.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3369125884.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099809258.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3374306688.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: lsass.exe, 00000012.00000002.3361207736.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3371700118.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099752391.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099478451.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07 |
Source: lsass.exe, 00000012.00000000.2099913058.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3375621134.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099913058.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099658073.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: lsass.exe, 00000012.00000003.2195174266.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099809258.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3374306688.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: lsass.exe, 00000012.00000000.2099690859.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000003.2195174266.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3369125884.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099809258.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3374306688.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: lsass.exe, 00000012.00000002.3361207736.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3371700118.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099752391.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099478451.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0 |
Source: lsass.exe, 00000012.00000000.2099913058.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3375621134.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099913058.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099658073.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: svchost.exe, 00000016.00000002.3402192589.000001428A8B0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/ |
Source: lsass.exe, 00000012.00000002.3361207736.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099478451.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: svchost.exe, 00000016.00000002.3402192589.000001428A8B0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3401575292.000001428A879000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2120712175.000001428A82B000.00000004.00000001.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085061.22.dr, 77EC63BDA74BD0D0E0426DC8F80085062.22.dr, 77EC63BDA74BD0D0E0426DC8F80085060.22.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: svchost.exe, 00000016.00000002.3400812401.000001428A840000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab9749 |
Source: svchost.exe, 00000016.00000002.3400812401.000001428A840000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabab |
Source: svchost.exe, 00000016.00000002.3400812401.000001428A840000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabe.comfc |
Source: svchost.exe, 00000016.00000002.3401782467.000001428A88A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3405495654.000001428B113000.00000004.00000001.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.22.dr, 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.20.dr, 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.22.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab |
Source: svchost.exe, 00000016.00000002.3401575292.000001428A879000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cabI7w |
Source: svchost.exe, 00000016.00000002.3402192589.000001428A8B0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3401378467.000001428A85C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3401575292.000001428A879000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3406124581.000001428B161000.00000004.00000001.00020000.00000000.sdmp, FB0D848F74F70BB2EAA93746D24D97492.22.dr, FB0D848F74F70BB2EAA93746D24D97490.22.dr, FB0D848F74F70BB2EAA93746D24D97491.22.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab |
Source: svchost.exe, 00000016.00000000.2120843468.000001428A879000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab$ |
Source: svchost.exe, 00000016.00000002.3401782467.000001428A88A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3401575292.000001428A879000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?40a06a98da234 |
Source: svchost.exe, 00000016.00000002.3405495654.000001428B113000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?40a06a98da |
Source: lsass.exe, 00000012.00000000.2099357497.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3358536227.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 |
Source: lsass.exe, 00000012.00000000.2099376620.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3359488205.00000140AD850000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512 |
Source: svchost.exe, 00000014.00000003.2166606231.000001D26FB6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2159582249.000001D26FB74000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd |
Source: svchost.exe, 00000014.00000002.3373876160.000001D26FB00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAA |
Source: svchost.exe, 00000014.00000003.2166505496.000001D26FB74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2166606231.000001D26FB6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes |
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806043 |
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604in.live.com |
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604nkId=253457 |
Source: svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605 |
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605nAuthUp |
Source: svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606 |
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606d=80601 |
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607 |
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107572404.000001D26FB57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608 |
Source: svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp |
Source: svchost.exe, 00000014.00000003.2106905094.000001D26FB2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107231250.000001D26FB5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp |
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cpBk0 |
Source: svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605 |
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605600 |
Source: svchost.exe, 00000014.00000003.2107032469.000001D26F24F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf |
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107032469.000001D26F24F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf |
Source: svchost.exe, 00000014.00000003.2107032469.000001D26F24F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf |
Source: svchost.exe, 00000014.00000003.2107032469.000001D26F24F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf |
Source: svchost.exe, 00000014.00000003.2107032469.000001D26F24F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf |
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfDW |
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107032469.000001D26F24F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/resetpw.srf |
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/resetpw.srf.srf |
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/retention.srf |
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/retention.srfce |
Source: svchost.exe, 00000014.00000002.3382740126.000001D27005B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3387513797.000001D2700ED000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3363431912.000001D26F29F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3362248015.000001D26F285000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com:443/RST2.srf |
Source: svchost.exe, 00000014.00000002.3376019995.000001D26FB37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com:443/RST2.srf56 |
Source: svchost.exe, 00000014.00000002.3380399219.000001D270015000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.comepp |
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf |
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf |
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf |
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf |
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf |
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf |
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf( |
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf |
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srfData.srf |
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf |
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf |
Source: svchost.exe, 00000014.00000003.2107729408.000001D26FB27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM |
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf |
Source: svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://signup.live.com/signup.aspx |
Source: | Binary string: System.Xml.ni.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 0000001C.00000000.2150724621.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3354678483.0000024B87641000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: System.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: n.pdb source: WerFault.exe, 0000000C.00000003.2198769278.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2200438015.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: symbols\exe\Fallkyriya.pdbbg source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbF source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Configuration.ni.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: mscorlib.pdb0 source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: 8C:\Windows\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: ~1.PDB @ source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: System.Configuration.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.Xml.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: aspnet_wp.pdb source: aspnet_wp.exe, 00000003.00000003.2096098027.000001F51DBF0000.00000004.00000001.00020000.00000000.sdmp, oapavmkbdsqp.exe, 00000011.00000002.2098760613.00007FF69A507000.00000004.00000001.01000000.0000000B.sdmp, oapavmkbdsqp.exe, 00000011.00000000.2098305062.00007FF69A507000.00000002.00000001.01000000.0000000B.sdmp, oapavmkbdsqp.exe.3.dr |
Source: | Binary string: n.pdb? source: WerFault.exe, 0000000C.00000003.2198769278.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2200438015.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: System.Core.pdbp source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.Windows.Forms.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbON.dll source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 0000001C.00000000.2150724621.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3354678483.0000024B87641000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\exe\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Fallkyriya.pdbp< source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: System.Drawing.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.Core.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: \??\C:\Windows\Fallkyriya.pdbf source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: .pdbH source: WerFault.exe, 0000000C.00000003.2198769278.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2200438015.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb {a source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbY source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E186D2000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: System.Xml.pdb@ source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.ni.pdb source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: System.Core.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr |
Source: | Binary string: C:\Users.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX | |
Source: Amcache.hve.12.dr | Binary or memory string: VMware |
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.29.dr | Binary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00 |
Source: svchost.exe, 0000001D.00000000.2155812268.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3363230253.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor |
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: svchost.exe, 0000001D.00000002.3363969303.00000205FAC43000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmci |
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr | Binary or memory string: VMware SATA CD00 |
Source: Amcache.hve.12.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: svchost.exe, 0000001B.00000002.3359707590.00000254A202B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r |
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr | Binary or memory string: NECVMWarVMware SATA CD00 |
Source: svchost.exe, 00000014.00000002.3380399219.000001D270015000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NXTcpV6VMWare |
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr | Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a |
Source: WerFault.exe, 0000000C.00000003.2198697961.000002A6707A7000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.2196345877.000002A6707AA000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2201679415.000002A6707AC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3365424692.000001D26F2C8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3405102430.000001428B106000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3401782467.000001428A88A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE |
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys |
Source: dwm.exe, 00000015.00000002.3409607467.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000= |
Source: Amcache.hve.12.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: WerFault.exe, 0000000C.00000003.2198447758.000002A670BA6000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2202009507.000002A670BA6000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.2196103434.000002A670BA6000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.2195755219.000002A670BA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW` |
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.29.dr | Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS |
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.29.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap |
Source: svchost.exe, 0000001D.00000003.3246807466.00000205FD225000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value) |
Source: dwm.exe, 00000015.00000002.3409607467.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000 |
Source: svchost.exe, 0000001D.00000002.3365803568.00000205FAC96000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMCI: Using capabilities (0x1c). |
Source: Amcache.hve.12.dr | Binary or memory string: vmci.sys |
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.29.dr | Binary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f588 |
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys |
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware |
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr | Binary or memory string: nonicNECVMWarVMware SATA CD00 |
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys |
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.29.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@ |
Source: svchost.exe, 0000001D.00000000.2157231187.00000205FB933000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmcir:m |
Source: Amcache.hve.12.dr | Binary or memory string: VMware20,1 |
Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.12.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.12.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.12.dr | Binary or memory string: VMware PCI VMCI Bus Device |
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys |
Source: svchost.exe, 0000001D.00000003.3246807466.00000205FD225000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD')) |
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys |
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr | Binary or memory string: VMware |
Source: Amcache.hve.12.dr | Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.12.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr | Binary or memory string: nonicVMware Virtual disk 6000c292b65879ff477a6af604113f58 |
Source: svchost.exe, 0000001D.00000003.3246807466.00000205FD225000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter')) |
Source: Amcache.hve.12.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.29.dr | Binary or memory string: VMware Virtual disk 2.0 6000c292b65879ff477a6af604113f58PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS |
Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: lsass.exe, 00000012.00000000.2099478451.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE |
Source: Amcache.hve.12.dr | Binary or memory string: vmci.syshbin |
Source: Amcache.hve.12.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.12.dr | Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.12.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.12.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.12.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.29.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8 |
Source: dwm.exe, 00000015.00000002.3409607467.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: PointVMware&P |
Source: Microsoft-Windows-WER-PayloadHealth%4Operational.evtx.29.dr | Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00 |
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr | Binary or memory string: storahciNECVMWarVMware SATA CD00 |
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum |
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II |
Source: Amcache.hve.12.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr | Binary or memory string: LSI_SASVMware Virtual disk 6000c292b65879ff477a6af604113f58 |
Source: Amcache.hve.12.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: lsass.exe, 00000012.00000000.2099340676.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3357881957.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.2102698505.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3358537577.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2120894664.000001428A88A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3358126937.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.2137095808.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2138316510.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3350863396.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.2142892913.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.3360387148.00000254A2043000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: lsass.exe, 00000012.00000000.2099478451.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE |
Source: Amcache.hve.12.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
Source: Amcache.hve.12.dr | Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.12.dr | Binary or memory string: \driver\vmci,\driver\pci |
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
Source: svchost.exe, 00000016.00000002.3401782467.000001428A88A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Hyper-V RAW%\System32\ci.dll,-101 |
Source: Amcache.hve.12.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: lsass.exe, 00000012.00000002.3377900817.00000140AE209000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTVMWare |
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr | Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a |
Source: svchost.exe, 0000001D.00000003.3246807466.00000205FD225000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value) |
Source: svchost.exe, 0000001D.00000003.3246807466.00000205FD225000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value) |
Source: svchost.exe, 00000013.00000003.2651893903.00000195DD66A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 |
Source: svchost.exe, 00000025.00000002.3353534450.000001B278E02000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc |
Source: Amcache.hve.12.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: lsass.exe, 00000012.00000000.2099478451.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE |
Source: svchost.exe, 00000014.00000002.3359539176.000001D26F227000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@ |
Source: svchost.exe, 0000001D.00000003.3246807466.00000205FD225000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware')) |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 3_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit, | 3_2_0000000140001160 |
Source: C:\Windows\System32\winlogon.exe | Code function: 10_2_000001E858987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 10_2_000001E858987D90 |
Source: C:\Windows\System32\winlogon.exe | Code function: 10_2_000001E85898D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 10_2_000001E85898D2A4 |
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 17_2_00007FF69A505D44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 17_2_00007FF69A505D44 |
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 17_2_00007FF69A505AB4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 17_2_00007FF69A505AB4 |
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe | Code function: 17_2_00007FF69A505C50 SetUnhandledExceptionFilter, | 17_2_00007FF69A505C50 |
Source: C:\Windows\System32\lsass.exe | Code function: 18_2_00000140AE867D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 18_2_00000140AE867D90 |
Source: C:\Windows\System32\lsass.exe | Code function: 18_2_00000140AE86D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 18_2_00000140AE86D2A4 |
Source: C:\Windows\System32\svchost.exe | Code function: 19_2_00000195DD5CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 19_2_00000195DD5CD2A4 |
Source: C:\Windows\System32\svchost.exe | Code function: 19_2_00000195DD5C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 19_2_00000195DD5C7D90 |
Source: C:\Windows\System32\svchost.exe | Code function: 20_2_000001D270237D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 20_2_000001D270237D90 |
Source: C:\Windows\System32\svchost.exe | Code function: 20_2_000001D27023D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 20_2_000001D27023D2A4 |
Source: C:\Windows\System32\dwm.exe | Code function: 21_2_000001160CBBD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 21_2_000001160CBBD2A4 |
Source: C:\Windows\System32\dwm.exe | Code function: 21_2_000001160CBB7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 21_2_000001160CBB7D90 |
Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000001428DCFD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 22_2_000001428DCFD2A4 |
Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000001428DCF7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 22_2_000001428DCF7D90 |
Source: C:\Windows\System32\svchost.exe | Code function: 23_2_00000257E10AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 23_2_00000257E10AD2A4 |
Source: C:\Windows\System32\svchost.exe | Code function: 23_2_00000257E10A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 23_2_00000257E10A7D90 |
Source: C:\Windows\System32\svchost.exe | Code function: 24_2_000001F28C937D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 24_2_000001F28C937D90 |
Source: C:\Windows\System32\svchost.exe | Code function: 24_2_000001F28C93D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 24_2_000001F28C93D2A4 |
Source: C:\Windows\System32\svchost.exe | Code function: 25_2_000001CA9854D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 25_2_000001CA9854D2A4 |
Source: C:\Windows\System32\svchost.exe | Code function: 25_2_000001CA98547D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 25_2_000001CA98547D90 |
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D265317D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 26_2_000001D265317D90 |
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D26531D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 26_2_000001D26531D2A4 |
Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00000254A27DD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 27_2_00000254A27DD2A4 |
Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00000254A27D7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 27_2_00000254A27D7D90 |
Source: C:\Windows\System32\svchost.exe | Code function: 28_2_0000024B87DDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 28_2_0000024B87DDD2A4 |
Source: C:\Windows\System32\svchost.exe | Code function: 28_2_0000024B87DD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 28_2_0000024B87DD7D90 |
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_00000205FD40D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 29_2_00000205FD40D2A4 |
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_00000205FD407D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 29_2_00000205FD407D90 |
Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001A2056AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 30_2_000001A2056AD2A4 |
Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001A2056A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 30_2_000001A2056A7D90 |
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000018EC1F67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 31_2_0000018EC1F67D90 |
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000018EC1F6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 31_2_0000018EC1F6D2A4 |
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_0000025CE3E0D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 32_2_0000025CE3E0D2A4 |
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_0000025CE3E07D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 32_2_0000025CE3E07D90 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140000000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\winlogon.exe base: 1E858950000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\lsass.exe base: 140ADFC0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 195DD590000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 1160CB80000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 257E1070000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F28C1D0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1CA97FD0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D2652E0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 254A27A0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 24B87DA0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 205FB3C0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A205670000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 18EC1F30000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25CE3BC0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 26238950000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2786E560000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1611FF70000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 27C0F350000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1B279570000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1E70A460000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22D13120000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22C8C580000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2825F1D0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20BAEC90000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1C782530000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\spoolsv.exe base: A60000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 24066EB0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 181CEDB0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2A142790000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 195B6F30000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1428DCC0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DBF9DA0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D76CCC0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1A239D90000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 17CFA390000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 23FB7270000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1DF53B50000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 164E88A0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 25177B50000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 28D5D340000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 24EB5E10000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 20859990000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1F153C20000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D241D40000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 16FADAD0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: 20E03070000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 15204DB0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\explorer.exe base: 87B0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 175C5280000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 22EF1B30000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 261DE4D0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: 226D8930000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 13E5E930000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 28AF9060000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 27234C50000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 28543540000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\audiodg.exe base: 2B684340000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 21300150000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 19842D80000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 1C5C1BA0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1067B150000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2855C050000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 22CCE8F0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 1E9FB500000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe base: 21E18980000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 286545D0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1FAD81D0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1D270200000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 26907AA0000 protect: page execute and read and write |
Source: C:\Windows\System32\dialer.exe | Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 26908540000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140000000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DD590000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160CB80000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 257E1070000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A205670000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26238950000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2786E560000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B279570000 value starts with: 4D5A |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22D13120000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C782530000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: A60000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A142790000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DCC0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DBF9DA0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25177B50000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20859990000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 87B0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 175C5280000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28AF9060000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27234C50000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28543540000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 21300150000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 19842D80000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 1C5C1BA0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1067B150000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2855C050000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22CCE8F0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1E9FB500000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe base: 21E18980000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 286545D0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FAD81D0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D270200000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26907AA0000 value starts with: 4D5A | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26908540000 value starts with: 4D5A | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140000000 | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140001000 | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140008000 | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 14000A000 | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 1402BD000 | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 1402BE000 | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 1402BF000 | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 1402C0000 | Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 44B80EB010 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195DD590000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dwm.exe base: 1160CB80000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 257E1070000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A205670000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 26238950000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2786E560000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B279570000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22D13120000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C782530000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\spoolsv.exe base: A60000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A142790000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DCC0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DBF9DA0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 25177B50000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 20859990000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\explorer.exe base: 87B0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 175C5280000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28AF9060000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 27234C50000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 28543540000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 21300150000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 19842D80000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\conhost.exe base: 1C5C1BA0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1067B150000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2855C050000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22CCE8F0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1E9FB500000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe base: 21E18980000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 286545D0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FAD81D0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D270200000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26907AA0000 | Jump to behavior |
Source: C:\Windows\System32\dialer.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26908540000 | Jump to behavior |
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D26FF60000 | Jump to behavior |
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D26FF70000 | Jump to behavior |
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428DC90000 | Jump to behavior |
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D26FFE0000 | Jump to behavior |
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D26FFF0000 | Jump to behavior |
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 2A66FD70000 | Jump to behavior |
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1428D8A0000 | Jump to behavior |