Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: z: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: x: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: v: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: t: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: r: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: p: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: n: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: l: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: j: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: h: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: f: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: b: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: y: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: w: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: u: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: s: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: q: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: o: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: m: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: k: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: i: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: g: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: e: |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
File opened: c: |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File opened: a: |
Jump to behavior |
Source: MSI1304.tmp.2.dr |
String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: svchost.exe, 00000019.00000002.470773517.0000029D7CA14000.00000004.00000001.sdmp |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: svchost.exe, 00000019.00000002.470773517.0000029D7CA14000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.digicert.com0: |
Source: svchost.exe, 00000019.00000002.470773517.0000029D7CA14000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.msocsp.com0 |
Source: MSI1304.tmp.2.dr |
String found in binary or memory: http://ocsp.thawte.com0 |
Source: svchost.exe, 00000019.00000002.470491719.0000029D7C980000.00000002.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: svchost.exe, 00000019.00000002.466584853.0000029D7B2A0000.00000004.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate |
Source: MSI1304.tmp.2.dr |
String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: MSI1304.tmp.2.dr |
String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: MSI1304.tmp.2.dr |
String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: svchost.exe, 0000001F.00000002.310869374.000001DB23613000.00000004.00000001.sdmp |
String found in binary or memory: http://www.bingmapsportal.com |
Source: MSI1304.tmp.2.dr |
String found in binary or memory: http://www.flexerasoftware.com0 |
Source: Setup.exe |
String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d |
Source: Setup.exe, 00000000.00000002.263650863.000000000088A000.00000004.00000020.sdmp, msiexec.exe, 00000002.00000003.254356751.000000000341F000.00000004.00000001.sdmp |
String found in binary or memory: http://www.star4live.com |
Source: msiexec.exe, 00000002.00000003.212346389.00000000033EC000.00000004.00000001.sdmp |
String found in binary or memory: http://www.star4live.comi4w |
Source: svchost.exe, 0000001C.00000002.466340191.00000268B822A000.00000004.00000001.sdmp |
String found in binary or memory: https://%s.dnet.xboxlive.com |
Source: svchost.exe, 0000001C.00000002.466340191.00000268B822A000.00000004.00000001.sdmp |
String found in binary or memory: https://%s.xboxlive.com |
Source: svchost.exe, 0000001C.00000002.466340191.00000268B822A000.00000004.00000001.sdmp |
String found in binary or memory: https://activity.windows.com |
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp |
String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net |
Source: svchost.exe, 0000001C.00000002.466340191.00000268B822A000.00000004.00000001.sdmp |
String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device |
Source: svchost.exe, 0000001C.00000002.466340191.00000268B822A000.00000004.00000001.sdmp |
String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device |
Source: svchost.exe, 0000001F.00000003.310023457.000001DB2364B000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations |
Source: svchost.exe, 0000001F.00000002.310932690.000001DB2363E000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/ |
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx |
Source: svchost.exe, 0000001F.00000003.310023457.000001DB2364B000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= |
Source: svchost.exe, 0000001F.00000002.310932690.000001DB2363E000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/ |
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving |
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit |
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking |
Source: svchost.exe, 0000001F.00000002.310942420.000001DB23642000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/ |
Source: svchost.exe, 0000001F.00000002.310942420.000001DB23642000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= |
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx |
Source: svchost.exe, 0000001F.00000003.310512253.000001DB23646000.00000004.00000001.sdmp |
String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? |
Source: svchost.exe, 0000001F.00000003.310023457.000001DB2364B000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= |
Source: svchost.exe, 0000001F.00000003.310512253.000001DB23646000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= |
Source: svchost.exe, 0000001F.00000003.310512253.000001DB23646000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= |
Source: svchost.exe, 0000001F.00000002.310997843.000001DB23664000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.310942420.000001DB23642000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.310518653.000001DB23641000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.t |
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp |
String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx |
Source: svchost.exe, 0000001F.00000002.310932690.000001DB2363E000.00000004.00000001.sdmp |
String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 0000001F.00000003.286601390.000001DB23631000.00000004.00000001.sdmp |
String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= |
Source: svchost.exe, 0000001F.00000002.310932690.000001DB2363E000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx |
Source: svchost.exe, 0000001F.00000002.310932690.000001DB2363E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.310869374.000001DB23613000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= |
Source: svchost.exe, 0000001F.00000003.310525588.000001DB23645000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= |
Source: svchost.exe, 0000001F.00000003.310525588.000001DB23645000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= |
Source: svchost.exe, 0000001F.00000003.286601390.000001DB23631000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= |
Source: svchost.exe, 0000001F.00000003.286601390.000001DB23631000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen |
Source: svchost.exe, 0000001F.00000003.310023457.000001DB2364B000.00000004.00000001.sdmp |
String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \BaseNamedObjects\Local\SM0:6208:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \BaseNamedObjects\Local\SM0:4084:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \BaseNamedObjects\Local\SM0:6312:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \BaseNamedObjects\Local\SM0:7148:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \BaseNamedObjects\Local\SM0:2992:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_01 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: debuglog |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: runfromtemp |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: reboot |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: %s%s |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: tempdisk1folder |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: ISSetup.dll |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: ISSetup.dll |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: Skin |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: Startup |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: setup.isn |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: count |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: Languages |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: key%d |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: Languages |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: %s\0x%04x.ini |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: %s\0x%04x.ini |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: %s\%04x.mst |
0_2_0043E4C0 |
Source: C:\Users\user\Desktop\Setup.exe |
Command line argument: %s\%04x.mst |
0_2_0043E4C0 |
Source: C:\Windows\SysWOW64\taskkill.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CloudHttpServer.exe") |
Source: C:\Windows\SysWOW64\taskkill.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CloudHttpWindowPopup.exe") |
Source: C:\Windows\SysWOW64\taskkill.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CloudHttpServer.exe") |
Source: C:\Windows\SysWOW64\taskkill.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CloudHttpWindowPopup.exe") |
Source: unknown |
Process created: C:\Users\user\Desktop\Setup.exe 'C:\Users\user\Desktop\Setup.exe' |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i 'C:\Users\user\AppData\Local\Downloaded Installations\{877F9BE8-C6E2-462D-9A96-09E42390D002}\Star4Live_P2P.msi' SETUPEXEDIR='C:\Users\user\Desktop' SETUPEXENAME='Setup.exe' |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C31728C15F7B7E0360F95AF524D72042 C |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9ADD54B1DEB9106D315583847C272BCA |
|
Source: unknown |
Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe |
|
Source: unknown |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe |
|
Source: unknown |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe |
|
Source: unknown |
Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe |
|
Source: unknown |
Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe |
|
Source: unknown |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe |
|
Source: unknown |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe |
|
Source: unknown |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p |
|
Source: unknown |
Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
|
Source: C:\Users\user\Desktop\Setup.exe |
Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i 'C:\Users\user\AppData\Local\Downloaded Installations\{877F9BE8-C6E2-462D-9A96-09E42390D002}\Star4Live_P2P.msi' SETUPEXEDIR='C:\Users\user\Desktop' SETUPEXENAME='Setup.exe' |
Jump to behavior |
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe |
Jump to behavior |
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe |
Jump to behavior |
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe |
Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe |
Jump to behavior |
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe |
Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe |
Jump to behavior |
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe |
Jump to behavior |
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Process created: unknown unknown |
|
Source: C:\Users\user\Desktop\Setup.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Setup.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Setup.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Setup.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Setup.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Setup.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Setup.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Setup.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Setup.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\Setup.exe |
File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File Volume queried: C:\ FullSizeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File Volume queried: C:\ FullSizeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File Volume queried: C:\ FullSizeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File Volume queried: C:\ FullSizeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File Volume queried: C:\ FullSizeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\msiexec.exe |
File Volume queried: C:\ FullSizeInformation |
Jump to behavior |
Source: svchost.exe, 00000001.00000002.208069130.00000213E0740000.00000002.00000001.sdmp, msiexec.exe, 00000002.00000002.257719427.0000000005D00000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.275587286.00000210AF660000.00000002.00000001.sdmp, svchost.exe, 0000001C.00000002.468740260.00000268B8F40000.00000002.00000001.sdmp, svchost.exe, 00000022.00000002.300275137.0000022A9D8B0000.00000002.00000001.sdmp |
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: svchost.exe, 00000019.00000002.470998272.0000029D7CA62000.00000004.00000001.sdmp |
Binary or memory string: @Hyper-V RAW |
Source: svchost.exe, 00000019.00000002.470937429.0000029D7CA55000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW |
Source: svchost.exe, 0000001B.00000002.466063169.0000016944E02000.00000004.00000001.sdmp |
Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService |
Source: svchost.exe, 00000001.00000002.208069130.00000213E0740000.00000002.00000001.sdmp, msiexec.exe, 00000002.00000002.257719427.0000000005D00000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.275587286.00000210AF660000.00000002.00000001.sdmp, svchost.exe, 0000001C.00000002.468740260.00000268B8F40000.00000002.00000001.sdmp, svchost.exe, 00000022.00000002.300275137.0000022A9D8B0000.00000002.00000001.sdmp |
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: svchost.exe, 00000001.00000002.208069130.00000213E0740000.00000002.00000001.sdmp, msiexec.exe, 00000002.00000002.257719427.0000000005D00000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.275587286.00000210AF660000.00000002.00000001.sdmp, svchost.exe, 0000001C.00000002.468740260.00000268B8F40000.00000002.00000001.sdmp, svchost.exe, 00000022.00000002.300275137.0000022A9D8B0000.00000002.00000001.sdmp |
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: svchost.exe, 00000019.00000002.466353504.0000029D7B22A000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW= |
Source: svchost.exe, 0000001B.00000002.466189907.0000016944E28000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.466613856.00000268B8266000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000002.466960401.0000022E5A629000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: svchost.exe, 00000001.00000002.208069130.00000213E0740000.00000002.00000001.sdmp, msiexec.exe, 00000002.00000002.257719427.0000000005D00000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.275587286.00000210AF660000.00000002.00000001.sdmp, svchost.exe, 0000001C.00000002.468740260.00000268B8F40000.00000002.00000001.sdmp, svchost.exe, 00000022.00000002.300275137.0000022A9D8B0000.00000002.00000001.sdmp |
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe |
Jump to behavior |
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe |
Jump to behavior |
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe |
Jump to behavior |
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\Setup.exe |
Code function: 0_2_0043C9DC __EH_prolog3,_memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity, |
0_2_0043C9DC |
Source: svchost.exe, 0000001D.00000002.467186237.0000021752460000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: Setup.exe, svchost.exe, 0000001D.00000002.467186237.0000021752460000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: svchost.exe, 0000001D.00000002.467186237.0000021752460000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: Setup.exe |
Binary or memory string: AShell_TrayWndTahoma0x0409NoSuppressRebootKeyDotNetOptionalInstallIfSilentDotNetOptionalSETUPEXENAMESETUPEXEDIRCertKeyCacheFolderCacheRootLocationTypeSuppressWrongOSSuppressReboot |
Source: svchost.exe, 0000001D.00000002.467186237.0000021752460000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: Setup.exe |
Binary or memory string: AShell_TrayWnd |
Source: C:\Users\user\Desktop\Setup.exe |
Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, |
0_2_00480075 |
Source: C:\Users\user\Desktop\Setup.exe |
Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, |
0_2_0048000E |
Source: C:\Users\user\Desktop\Setup.exe |
Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, |
0_2_004800B1 |
Source: C:\Windows\SysWOW64\msiexec.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Windows\System32\svchost.exe |
WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct' |
Source: C:\Windows\System32\svchost.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct |
Source: C:\Windows\System32\svchost.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct |
Source: C:\Windows\System32\svchost.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct |