Source: 4.0.csrss.exe.400000.0.unpack |
Avira: Label: TR/Crypt.XPACK.Gen2 |
Source: 0.2.yjOapKcgE1.exe.400000.0.unpack |
Avira: Label: TR/Crypt.FKM.Gen |
Source: 4.2.csrss.exe.2480000.2.unpack |
Avira: Label: TR/Crypt.FKM.Gen |
Source: 2.2.csrss.exe.400000.0.unpack |
Avira: Label: TR/Crypt.FKM.Gen |
Source: 2.2.csrss.exe.2480000.2.unpack |
Avira: Label: TR/Crypt.FKM.Gen |
Source: 0.2.yjOapKcgE1.exe.2270000.2.unpack |
Avira: Label: TR/Crypt.FKM.Gen |
Source: 2.0.csrss.exe.400000.0.unpack |
Avira: Label: TR/Crypt.XPACK.Gen2 |
Source: 0.0.yjOapKcgE1.exe.400000.0.unpack |
Avira: Label: TR/Crypt.XPACK.Gen2 |
Source: 4.2.csrss.exe.400000.0.unpack |
Avira: Label: TR/Crypt.FKM.Gen |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: 0_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: 2_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, |
Source: yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp |
String found in binary or memory: ExVersion4.0.0.1SOFTWARE\System32\Configuration\System32Windowscsrss.exeSOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystemcsrss.lnkClient Server Runtime Subsystemxpkxmodexstatexcntxwpxixsysxmailshstsh1sh2shsntxfsMicrosoft\Windows\User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0127.0.0.1:--ignore-missing-torrc--SOCKSPort--DataDirectory--bridgeWatcher: Walker: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=si=sh=shb=sha=cp=st=fl=m=u=nocache=can not create dircan not copy filecan not add to autoruncan not save value (mark)std exception: unknown c++ exceptioninvalid parameter exceptionSEH exceptionSEHSTD: C++0x |
Source: csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp |
String found in binary or memory: ExVersion4.0.0.1SOFTWARE\System32\Configuration\System32Windowscsrss.exeSOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystemcsrss.lnkClient Server Runtime Subsystemxpkxmodexstatexcntxwpxixsysxmailshstsh1sh2shsntxfsMicrosoft\Windows\User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0127.0.0.1:--ignore-missing-torrc--SOCKSPort--DataDirectory--bridgeWatcher: Walker: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=si=sh=shb=sha=cp=st=fl=m=u=nocache=can not create dircan not copy filecan not add to autoruncan not save value (mark)std exception: unknown c++ exceptioninvalid parameter exceptionSEH exceptionSEHSTD: C++0x |
Source: csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp |
String found in binary or memory: ExVersion4.0.0.1SOFTWARE\System32\Configuration\System32Windowscsrss.exeSOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystemcsrss.lnkClient Server Runtime Subsystemxpkxmodexstatexcntxwpxixsysxmailshstsh1sh2shsntxfsMicrosoft\Windows\User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0127.0.0.1:--ignore-missing-torrc--SOCKSPort--DataDirectory--bridgeWatcher: Walker: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=si=sh=shb=sha=cp=st=fl=m=u=nocache=can not create dircan not copy filecan not add to autoruncan not save value (mark)std exception: unknown c++ exceptioninvalid parameter exceptionSEH exceptionSEHSTD: C++0x |
Source: unknown |
TCP traffic detected without corresponding DNS query: 193.23.244.244 (reported 8 times) |
Source: unknown |
TCP traffic detected without corresponding DNS query: 76.73.17.194 (reported 3 times) |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.35.32.5 (reported 3 times) |
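Analyst note and added example, not part of the sandbox report: the three destinations above are the hard-coded Tor directory authorities dannenberg (193.23.244.244), turtles (76.73.17.194) and Faravahar (154.35.32.5) from the Tor releases whose source-file hashes appear further down in this report. A Tor client bootstraps from that built-in list by IP, so no DNS query ever precedes these connections. The Python below reproduces the sandbox's "TCP traffic without corresponding DNS query" check over DNS answers and TCP flows, adds the ordering caveat (an answer that only arrives after the connection does not explain it) and labels the known authorities. The authority mapping is external knowledge; the DNS and flow records are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Tor directory authorities hard-coded in Tor's config.c for the releases the
# embedded Tor build belongs to. External knowledge, not stated in the report.
TOR_DIR_AUTHORITIES = {
    "193.23.244.244": "dannenberg",
    "76.73.17.194": "turtles",
    "154.35.32.5": "Faravahar",
}

# Only RFC 1918 and loopback are ignored. ipaddress.is_private would also skip
# the 192.0.2/198.51.100/203.0.113 documentation ranges used in the sample data.
IGNORED_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_ignored(dst):
    addr = ip_address(dst)
    return any(addr in net for net in IGNORED_NETS)


def flag_undns_tcp(dns_answers, tcp_flows):
    """Reproduce the sandbox signature: TCP destinations no DNS answer explained.

    dns_answers: [{"ts", "name", "type", "data"}]  (A/AAAA answers seen on the wire)
    tcp_flows:   [{"ts", "dst", "dport"}]            (connections made by the sample)
    Returns {dst: {"count", "ports", "reason", "label"}}. A destination counts as
    resolved only if an answer carrying it arrived before the connection; a
    connection that precedes its answer is reported as "dns-after-connect".
    """
    first_answer = {}
    for rec in dns_answers:
        if rec["type"] in ("A", "AAAA"):
            ip = rec["data"]
            first_answer[ip] = min(first_answer.get(ip, rec["ts"]), rec["ts"])
    findings = {}
    for flow in tcp_flows:
        dst = flow["dst"]
        if is_ignored(dst):
            continue
        answered_at = first_answer.get(dst)
        if answered_at is not None and answered_at <= flow["ts"]:
            continue
        entry = findings.setdefault(dst, {
            "count": 0, "ports": set(),
            "reason": "no-dns" if answered_at is None else "dns-after-connect",
            "label": TOR_DIR_AUTHORITIES.get(dst),
        })
        entry["count"] += 1
        entry["ports"].add(flow["dport"])
    return findings


# Constructed capture summary (not real traffic from the report).
DNS = [
    {"ts": 1.0, "name": "example.net.", "type": "A", "data": "203.0.113.10"},
    {"ts": 4.0, "name": "late.example.", "type": "A", "data": "198.51.100.7"},
]
FLOWS = [
    {"ts": 1.2, "dst": "203.0.113.10", "dport": 80},    # resolved first: fine
    {"ts": 2.0, "dst": "193.23.244.244", "dport": 443},
    {"ts": 2.1, "dst": "193.23.244.244", "dport": 443},
    {"ts": 2.2, "dst": "193.23.244.244", "dport": 80},
    {"ts": 2.5, "dst": "76.73.17.194", "dport": 9030},
    {"ts": 2.6, "dst": "154.35.32.5", "dport": 443},
    {"ts": 3.0, "dst": "10.0.0.2", "dport": 445},       # RFC 1918: ignored
    {"ts": 3.5, "dst": "198.51.100.7", "dport": 443},   # answer only arrives at 4.0
]

if __name__ == "__main__":
    for dst, info in flag_undns_tcp(DNS, FLOWS).items():
        print(dst, info)
```

Two caveats when applying this outside a sandbox: a resolution cached before the capture window also shows up as "no-dns", and a Tor client embedded in malware will always trip this check, so the finding is a lead to confirm against the authority list rather than proof of C2 on its own.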
Source: csrss.exe, 00000002.00000002.419372600.000000000298C000.00000004.00000001.sdmp, csrss.exe, 00000004.00000002.443512303.000000000298C000.00000004.00000001.sdmp |
String found in binary or memory: ww.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo) |
Source: csrss.exe, 00000004.00000002.443512303.000000000298C000.00000004.00000001.sdmp |
String found in binary or memory: ww.mit.edu,www.yahoo.com,www.slashdot.orgd1 equals www.yahoo.com (Yahoo) |
Source: csrss.exe, 00000002.00000002.419372600.000000000298C000.00000004.00000001.sdmp |
String found in binary or memory: ww.mit.edu,www.yahoo.com,www.slashdot.orgml equals www.yahoo.com (Yahoo) |
Source: yjOapKcgE1.exe, csrss.exe, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp |
String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo) |
Source: yjOapKcgE1.exe, 00000000.00000003.591659793.0000000003E4A000.00000004.00000001.sdmp, csrss.exe, 00000002.00000002.421233940.0000000003C01000.00000004.00000001.sdmp, csrss.exe, 00000004.00000002.444247411.0000000003E01000.00000004.00000001.sdmp |
String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo) |
Source: yjOapKcgE1.exe, 00000000.00000003.591659793.0000000003E4A000.00000004.00000001.sdmp |
String found in binary or memory: www.yahoo.coms equals www.yahoo.com (Yahoo) |
Source: yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp |
String found in binary or memory: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=s |
Source: yjOapKcgE1.exe, csrss.exe, csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp |
String found in binary or memory: http://whatismyipaddress.com/ |
Source: yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp |
String found in binary or memory: http://whatismyipaddress.com///whatismyipaddress.com/ip/Click |
Source: csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp |
String found in binary or memory: http://whatsmyip.net/ |
Source: yjOapKcgE1.exe, csrss.exe, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp |
String found in binary or memory: http://www.openssl.org/support/faq.html |
Source: yjOapKcgE1.exe, 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, csrss.exe, 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp |
String found in binary or memory: http://www.openssl.org/support/faq.html. |
Source: yjOapKcgE1.exe, yjOapKcgE1.exe, 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, csrss.exe, csrss.exe, 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp |
String found in binary or memory: https://www.torproject.org/ |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: 0_2_0040AC3A __EH_prolog,_memset,SystemParametersInfoW,SystemParametersInfoW, |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: 2_2_0040AC3A __EH_prolog,_memset,SystemParametersInfoW,SystemParametersInfoW, |
Source: yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp |
Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST |
Source: csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp |
Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST |
Source: csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp |
Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST |
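The strings above (the Run-key value "Client Server Runtime Subsystem", csrss.lnk, the csrss.exe copy under C:\ProgramData\Windows, and the vssadmin/diskshadow shadow-copy deletion commands) are the behaviours an incident responder would hunt for on other hosts. Added example, not code from the report or from the sample: a Python triage routine that applies those indicators to process, registry and file telemetry. The event format and the SAMPLE_EVENTS records are constructed for the example; the Win32_ShadowCopy pattern is an assumption, since the report shows only the ROOT\CIMV2 namespace and a WQL string.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the strings the report shows for this sample.
RUN_KEY_SUFFIX = r"software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "client server runtime subsystem"
STARTUP_LNK = "csrss.lnk"
# Where a genuine csrss.exe lives; the same name anywhere else is a masquerade.
LEGIT_CSRSS_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Shadow-copy deletion, matching the command strings in the memory dump.
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)
DISKSHADOW_SCRIPT = re.compile(r"\bdiskshadow(?:\.exe)?\b.*\s/s\s+(\S+)", re.I)
DISKSHADOW_DELETE = re.compile(r"\bdelete\s+shadows\s+all\b", re.I)
# Assumed: the ROOT\CIMV2 WQL string targets Win32_ShadowCopy. The report only
# shows the namespace and "WQL", so this pattern is a hypothesis, not a fact.
WMI_SHADOW_QUERY = re.compile(r"\bwin32_shadowcopy\b", re.I)


def norm_path(path):
    """Lower-case a Windows path and normalise separators."""
    return str(PureWindowsPath(path)).lower()


def is_fake_csrss(path):
    p = PureWindowsPath(norm_path(path))
    return p.name == "csrss.exe" and str(p.parent) not in LEGIT_CSRSS_DIRS


def triage(events):
    """Return (technique, detail) hits over a list of telemetry events.

    Event shapes (constructed for this example):
      {"type": "process",  "image": path, "cmdline": str}
      {"type": "registry", "key": path, "value": name, "data": str}
      {"type": "file",     "path": path}
      {"type": "script",   "path": path, "body": str}   # file content seen on disk
    """
    hits = []
    scripts = {norm_path(e["path"]): e["body"] for e in events if e["type"] == "script"}
    for e in events:
        if e["type"] == "process":
            cmd = e.get("cmdline", "")
            if is_fake_csrss(e["image"]):
                hits.append(("masquerade:csrss-process", norm_path(e["image"])))
            if VSSADMIN_DELETE.search(cmd):
                hits.append(("shadow-delete:vssadmin", cmd))
            m = DISKSHADOW_SCRIPT.search(cmd)
            if m and DISKSHADOW_DELETE.search(scripts.get(norm_path(m.group(1)), "")):
                hits.append(("shadow-delete:diskshadow", m.group(1)))
            if WMI_SHADOW_QUERY.search(cmd):
                hits.append(("shadow-enum:wmi", cmd))
        elif e["type"] == "registry":
            if norm_path(e["key"]).endswith(RUN_KEY_SUFFIX) and e["value"].lower() == RUN_VALUE_NAME:
                hits.append(("persistence:run-key", e["data"]))
        elif e["type"] == "file":
            p = PureWindowsPath(e["path"])
            if is_fake_csrss(e["path"]):
                hits.append(("masquerade:csrss-file", norm_path(e["path"])))
            if p.name.lower() == STARTUP_LNK and "\\startup\\" in norm_path(e["path"]):
                hits.append(("persistence:startup-lnk", norm_path(e["path"])))
    return hits


# Constructed telemetry mirroring the report's indicators (not real logs).
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\ProgramData\Windows\csrss.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Client Server Runtime Subsystem", "data": r"C:\ProgramData\Windows\csrss.exe"},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
                             r"\Start Menu\Programs\Startup\csrss.lnk"},
    {"type": "process", "image": r"C:\ProgramData\Windows\csrss.exe", "cmdline": "csrss.exe"},
    {"type": "process", "image": r"C:\Windows\System32\csrss.exe", "cmdline": "csrss.exe"},  # genuine
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "script", "path": r"C:\ProgramData\ds.txt", "body": "DELETE SHADOWS ALL\nEXIT\n"},
    {"type": "process", "image": r"C:\Windows\System32\diskshadow.exe",
     "cmdline": r"diskshadow.exe /s C:\ProgramData\ds.txt"},
]

if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_EVENTS):
        print(f"{tag:28} {detail}")
```

The diskshadow case is the one worth noting: the command line itself carries nothing suspicious, so the script file referenced by /s has to be read and matched for the "DELETE SHADOWS ALL" directive, which is exactly the string the dump contains. The genuine C:\Windows\System32\csrss.exe in the sample events is not flagged; only the name outside the system directories is.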
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code functions: 0_2_00416D6D, 0_2_0041D211, 0_2_00413375, 0_2_00409519, 0_2_00405D99, 0_2_00417EB5, 0_2_005700E0, 0_2_0046216A, 0_2_00578217, 0_2_004182F7, 0_2_005702E0, 0_2_0047C295, 0_2_00458591, 0_2_00578600, 0_2_00412699, 0_2_00572886, 0_2_00424930, 0_2_0055CA56, 0_2_00448BF0, 0_2_0040AC3A, 0_2_00412CBF, 0_2_0055AD61, 0_2_00574D00, 0_2_00414D81, 0_2_00478E5B, 0_2_00572EF9 |
Source: C:\ProgramData\Windows\csrss.exe |
Code functions: 2_2_00416D6D, 2_2_00405D99, 2_2_005700E0, 2_2_0046216A, 2_2_00578217, 2_2_004182F7, 2_2_005702E0, 2_2_0047C295, 2_2_00458591, 2_2_00578600, 2_2_00412699, 2_2_00572886, 2_2_00424930, 2_2_0055CA56, 2_2_00448BF0, 2_2_0040AC3A, 2_2_00412CBF, 2_2_0055AD61, 2_2_00574D00, 2_2_00414D81, 2_2_00478E5B, 2_2_00572EF9, 2_2_00573180, 2_2_004411B7, 2_2_0041D211, 2_2_00571230, 2_2_00575290, 2_2_00413375, 2_2_00559480, 2_2_00409519, 2_2_005756D7, 2_2_005716C0, 2_2_005737C0, 2_2_0041B9C0, 2_2_00571980, 2_2_0054D9A0, 2_2_00407B25, 2_2_0056FD80, 2_2_0044BEFB, 2_2_00417EB5, 2_2_00457EB0, 2_2_00443FA6 |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: String function: 0056F5DC appears 126 times |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: String function: 0055E5C0 appears 125 times |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: String function: 004427B6 appears 56 times |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: String function: 0040383F appears 56 times |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: String function: 005501C8 appears 43 times |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: String function: 004427B6 appears 100 times |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: String function: 0040383F appears 91 times |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: String function: 0056F5DC appears 218 times |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: String function: 0055E5C0 appears 191 times |
Source: yjOapKcgE1.exe, 00000000.00000003.356494984.0000000003275000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameWEXTRACT.EXE V vs yjOapKcgE1.exe |
Source: yjOapKcgE1.exe, 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp |
Binary or memory string: OriginalFilenameCSRSS.Exej% vs yjOapKcgE1.exe |
Source: yjOapKcgE1.exe |
Binary or memory string: OriginalFilenameWEXTRACT.EXE V vs yjOapKcgE1.exe |
Source: yjOapKcgE1.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 resources) |
Source: csrss.exe.0.dr |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 resources) |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\ProgramData\Windows\csrss.exe |
Section loaded: uxtheme.dll (reported 2 times) |
Source: C:\ProgramData\Windows\csrss.exe |
Section loaded: mswsock.dll (reported 2 times) |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: 0_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,FindCloseChangeNotification,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, |
Source: yjOapKcgE1.exe |
String found in binary or memory: 7300e4301afb0f11bd3e3bbb680dcd5a4f16132b src/or/tor_main.c babb5c60712b93b4aec373dbb16184bfa538c647 src/or/addressmap.c 1c2e8b3d7f6d19f4c3fecef13d8e29ea45d69028 src/or/buffers.c 52fbb8124bfb04bb83d44f1bbaaa2a1ebfa42870 src/or/channel.c 050ce52841624546a391 |
Source: yjOapKcgE1.exe |
String found in binary or memory: 68e src/or/addressmap.h fc122cd5462d0445cb668278744dd8778472cf54 src/or/buffers.h 03bcf0ecb460f7814ab484deb6f638f727704b94 src/or/channel.h 52340d597aa7c6cc5500f654f46733a4e577905a src/or/channeltls.h ff3a5693416ccf243f608a7bb943a078418c16d8 src/or/circpa |
Source: yjOapKcgE1.exe |
String found in binary or memory: accounting/interval-start |
Source: yjOapKcgE1.exe |
String found in binary or memory: X-Your-Address-Is: |
Source: yjOapKcgE1.exe |
String found in binary or memory: X-Your-Address-Is: %s |
Source: yjOapKcgE1.exe |
String found in binary or memory: introduction-point %s ip-address %s onion-port %d onion-key %sservice-key %s |
Source: yjOapKcgE1.exe |
String found in binary or memory: %d.%d.%d.%d.in-addr.arpa |
Source: yjOapKcgE1.exe |
String found in binary or memory: set-addPolicy |
Source: yjOapKcgE1.exe |
String found in binary or memory: --help |
Source: yjOapKcgE1.exe |
String found in binary or memory: tor-fw-helper |
Source: yjOapKcgE1.exe |
String found in binary or memory: ip-address |
Source: yjOapKcgE1.exe |
String found in binary or memory: dir-address |
Source: yjOapKcgE1.exe |
String found in binary or memory: or-address %s:%d |
Source: yjOapKcgE1.exe |
String found in binary or memory: or-address |
Source: yjOapKcgE1.exe |
String found in binary or memory: cp+(end-start_of_annotations) == router->cache_info.signed_descriptor_body+len |
Source: yjOapKcgE1.exe |
String found in binary or memory: id-cmc-addExtensions |
Source: yjOapKcgE1.exe |
String found in binary or memory: .in-addr.arpa |
Source: yjOapKcgE1.exe |
String found in binary or memory: cffd2d9eef71f1ae5f7eb4e16aa56b728abe65aa src/common/address.h 3890e58a3754bc0de32e7cf38de8a790c2c282af src/common/backtrace.h 947ef902f15f556f176b1115f09d9966e377347d src/common/aes.h 2ad59cee80471c42536e66e24e73a8948e345dcf src/common/ciphers.inc ceaa37cf |
Source: yjOapKcgE1.exe |
String found in binary or memory: --install |
Source: yjOapKcgE1.exe |
String found in binary or memory: -install |
Source: csrss.exe |
String found in binary or memory: 7300e4301afb0f11bd3e3bbb680dcd5a4f16132b src/or/tor_main.c babb5c60712b93b4aec373dbb16184bfa538c647 src/or/addressmap.c 1c2e8b3d7f6d19f4c3fecef13d8e29ea45d69028 src/or/buffers.c 52fbb8124bfb04bb83d44f1bbaaa2a1ebfa42870 src/or/channel.c 050ce52841624546a391 |
Source: csrss.exe |
String found in binary or memory: 68e src/or/addressmap.h fc122cd5462d0445cb668278744dd8778472cf54 src/or/buffers.h 03bcf0ecb460f7814ab484deb6f638f727704b94 src/or/channel.h 52340d597aa7c6cc5500f654f46733a4e577905a src/or/channeltls.h ff3a5693416ccf243f608a7bb943a078418c16d8 src/or/circpa |
Source: csrss.exe |
String found in binary or memory: accounting/interval-start |
Source: csrss.exe |
String found in binary or memory: X-Your-Address-Is: |
Source: csrss.exe |
String found in binary or memory: X-Your-Address-Is: %s |
Source: csrss.exe |
String found in binary or memory: introduction-point %s ip-address %s onion-port %d onion-key %sservice-key %s |
Source: csrss.exe |
String found in binary or memory: %d.%d.%d.%d.in-addr.arpa |
Source: csrss.exe |
String found in binary or memory: set-addPolicy |
Source: csrss.exe |
String found in binary or memory: --help |
Source: csrss.exe |
String found in binary or memory: tor-fw-helper |
Source: csrss.exe |
String found in binary or memory: ip-address |
Source: csrss.exe |
String found in binary or memory: dir-address |
Source: csrss.exe |
String found in binary or memory: or-address %s:%d |
Source: csrss.exe |
String found in binary or memory: or-address |
Source: csrss.exe |
String found in binary or memory: cp+(end-start_of_annotations) == router->cache_info.signed_descriptor_body+len |
Source: csrss.exe |
String found in binary or memory: id-cmc-addExtensions |
Source: csrss.exe |
String found in binary or memory: .in-addr.arpa |
Source: csrss.exe |
String found in binary or memory: cffd2d9eef71f1ae5f7eb4e16aa56b728abe65aa src/common/address.h 3890e58a3754bc0de32e7cf38de8a790c2c282af src/common/backtrace.h 947ef902f15f556f176b1115f09d9966e377347d src/common/aes.h 2ad59cee80471c42536e66e24e73a8948e345dcf src/common/ciphers.inc ceaa37cf |
Source: csrss.exe |
String found in binary or memory: --install |
Source: csrss.exe |
String found in binary or memory: -install |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9} (reported 2 times) |
Source: C:\ProgramData\Windows\csrss.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9} (reported 3 times) |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: 0_2_0055020D push ecx; ret |
0_2_00550220 |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: 0_2_0044CC0D push ss; iretd |
0_2_0044CC11 |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: 2_2_0055020D push ecx; ret |
2_2_00550220 |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: 2_2_0044CC0D push ss; iretd |
2_2_0044CC11 |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: 2_2_0056F5DC push eax; ret |
2_2_0056F5FA |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: 2_2_004016F7 push edi; retn 0014h |
2_2_004016FC |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: 2_2_007E40E0 push edx; ret |
2_2_007E41F1 |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: 2_2_007E4080 push edx; ret |
2_2_007E408B |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: 4_2_007E40E0 push edx; ret |
4_2_007E41F1 |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: 4_2_007E4080 push edx; ret |
4_2_007E408B |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: 0_2_0041A13C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Process information set: NOOPENFILEERRORBOX (reported 4 times) |
Source: C:\ProgramData\Windows\csrss.exe |
Process information set: NOOPENFILEERRORBOX (reported 8 times) |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: 0_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,FindCloseChangeNotification,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: 0_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, |
Source: C:\ProgramData\Windows\csrss.exe |
Code function: 2_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, |
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catat |
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum |
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.17134.1_none_1ac11a9dc8f30e5b.manifest46\1 |
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum |
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.17134.1_en-us_9c3432f847f5f8f0\0S |
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.17134.1_none_6054528c8a07dd45.manifest |
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp |
Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumtP |
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-v..omputelib.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1cfee3fcfcbe4d8.manifest |
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-o..ercommon-deployment_31bf3856ad364e35_10.0.17134.1_none_ffda9e2d3858e036.manifest |
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp |
Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumEw |
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumKk |
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catcat |
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_0d3e2a9bd4020545\KR |
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-vstack-tpm_31bf3856ad364e35_10.0.17134.1_none_604b83348a0c5e92\]V |
Source: yjOapKcgE1.exe, 00000000.00000003.411826320.0000000003E4D000.00000004.00000001.sdmp |
Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat |
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catmgV |
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-vpmem_31bf3856ad364e35_10.0.17134.1_none_c277eb1734798565\H |
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catcat |
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat |
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp |
Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catmmum |
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.17134.1_en-us_2b9c39681a7206ff\ |
Source: yjOapKcgE1.exe, 00000000.00000003.407891045.0000000003023000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.17134.1_none_84e0eedae46f7b9b\7` |
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp |
Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975\RemoteFileBrowse.dll.mui |
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catd64_2 |
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d\ |
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat |
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b\ |
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.17134.1_none_b7de7159233ab503\>H |
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp |
Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cattcatHv |
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumcat |
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumm |
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum |
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.1_none_15d1dfb8ceafada1.manifest |
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp |
Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum\* |
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp |
Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_3c5b1e1b1b3e66b3.manifest |
Source: csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp |
Binary or memory string: amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.17134.1_none_7305852b7c12035c\amd64_halextintclpiodma.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_24bb2a71e75700a1\amd64_ialpss2i_gpio2_skl.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_c3ad514b87278211\3amd64_microsoft-onecore-bluetooth-bthserv_31bf3856ad364e35_10.0.17134.1_none_9e5c1f54d20f8511\amd64_ialpss2i_i2c_bxt_p.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ffa8f5f4e6504efb\amd64_ialpss2i_i2c_skl.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_980be98350adbd52\amd64_hyperv-networking-switch-interface_31bf3856ad364e35_10.0.17134.1_none_cbcae0f157b5d02b\amd64_eventviewersettings.resources_31bf3856ad364e35_10.0.17134.1_en-us_7cb27ecefd0ec555\amd64_hyperv-compute-eventlog.resources_31bf3856ad364e35_10.0.17134.1_en-us_522940f2f04f07f9\amd64_hyperv-vmemulatednic.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bcfb31102e62eb\2983amd64_ialpss2i_gpio2_bxt_p.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_83c2ed1a4d3a2524\amd64_hyperv-vmemulateddevices.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1a750046421bf96\amd64_hyperv-commandline-tool.resources_31bf3856ad364e35_10.0.17134.1_en-us_d5c4e754bc26201d\amd64_hyperv-vpci-rootporterr.resources_31bf3856ad364e35_10.0.17134.1_en-us_30ee0a3c7e36caae\amd64_hyperv-worker-events.resources_31bf3856ad364e35_10.0.17134.1_en-us_9de5622f209a7b21\bamd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.17134.1_none_d80c4ce4e8fa0144\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.17134.1_none_f80e1506497cdc7d\amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.17134.1_none_076f3325872ef096\amd64_microsoft-hostguardianclient-service_31bf3856ad364e35_10.0.17134.1_none_a9eb3231da4732e2\amd64_microsoft-hgattest-wmi.resources_31bf3856ad364e35_10.0.17134.1_en-us_f5d00bfe514a12c1\amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239\amd64_microsoft-antimalware-scan-interface_31bf3856ad364e35_10.0.17134.1_none_3c34e651403e5e41\amd64_microsoft-appmodel-exec-events_31bf3856ad364e35_10.0.17134.1_none_07677813525018a6\amd64_microsoft-analog-h2-fxpkg-baked_31bf3856ad364e35_10.0.17134.1_none_1be886b2910c8266\amd64_microsoft-composable-start-binaries_31bf3856ad364e35_10.0.17134.1_none_6e6feff719ed9f5c\amd64_microsoft-deviceproxy-wmiv2-provider_31bf3856ad364e35_10.0.17134.1_none_e9f22d8bf1fc7e92\amd64_microsoft-analog-h2-hydrogenrt_31bf3856ad364e35 |
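Two things in the evidence above deserve a closer look when triaging this report by hand. First, the API sequence recorded for 0_2_00449089 (GetVersionExA, NetStatisticsGet, CreateToolhelp32Snapshot with the Heap32ListFirst/Heap32First/Heap32Next and Process32First walk, GlobalMemoryStatus) is the shape of a routine that profiles the host rather than one that does ordinary file I/O. Second, every Hyper-V string listed here is a WinSxS assembly folder name or a servicing package file name (.mum, .cat, .manifest), all carrying the 31bf3856ad364e35 publisher token; that is the kind of residue a directory walk such as the FindFirstFileW/FindNextFileW loop at 0_2_00416D6D leaves in memory, and it should be weighed differently from a deliberate hypervisor probe string. The script below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses report lines of exactly this format, applies both checks, and prints the result. The API cluster membership, the threshold of two distinct APIs per cluster, the Hyper-V marker regex and the component-store regex are this example's own assumptions; the sample records are copied from the report (API list abbreviated) except for one control record that is marked as constructed.

```python
"""Triage helper for sandbox evidence lines like the ones on this page.

Added example; not part of the Joe Sandbox report or of the analysed sample.
It parses 'Source:' / 'Code function:' / 'Binary or memory string:' record
pairs and then
  * flags code functions whose Win32 API sequence forms a host-fingerprinting
    cluster (Toolhelp process/heap walk plus OS-version, memory and network
    statistics queries), and
  * splits Hyper-V strings found in memory into component-store file names
    (WinSxS assembly folders and servicing packages, recognisable by the
    31bf3856ad364e35 publisher token) versus anything else, since a directory
    walk over the component store leaves exactly such names behind.
The cluster membership, the >= 2 distinct-API threshold and the regexes are
this example's own assumptions, not report logic.
"""
import re
from collections import Counter

# Records copied (API list abbreviated) from the report above, plus one
# constructed control record that is NOT from the report.
SAMPLE = r"""
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: 0_2_00449089 GetVersionExA,LoadLibraryA,GetProcAddress,NetStatisticsGet,FreeLibrary,CreateToolhelp32Snapshot,_memset,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,Heap32ListNext,Process32First,FindCloseChangeNotification,GlobalMemoryStatus,GetCurrentProcessId, |
0_2_00449089 |
Source: C:\Users\user\Desktop\yjOapKcgE1.exe |
Code function: 0_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, |
0_2_00416D6D |
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp |
Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catat |
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp |
Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975\RemoteFileBrowse.dll.mui |
Source: constructed control record, not from the report |
Binary or memory string: vmicheartbeat |
""".strip()

REC_SRC = re.compile(r"^Source: (.*?)\s*\|?\s*$")
REC_FUNC = re.compile(r"^Code function: (\S+) (.*?)\s*\|?\s*$")
REC_STR = re.compile(r"^Binary or memory string: (.*?)\s*\|?\s*$")

# API groups (assumption). A group counts only if >= 2 distinct members appear,
# so a lone GetVersionExA in an installer does not trip the rule.
FINGERPRINT_CLUSTERS = {
    "process_heap_walk": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                          "Heap32ListFirst", "Heap32ListNext", "Heap32First", "Heap32Next"},
    "host_profile": {"GetVersionExA", "GetVersionExW", "GlobalMemoryStatus",
                     "GlobalMemoryStatusEx", "NetStatisticsGet"},
    "filesystem_walk": {"FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW"},
}
MIN_DISTINCT = 2

# Hyper-V marker substrings (assumption): product name, VMBus, vmic* integration services.
HYPERV = re.compile(r"hyper-?v|vmbus|vmic", re.IGNORECASE)
# WinSxS assembly folder      : <arch>_<name>_31bf3856ad364e35_<version>_...
# Servicing package (.mum/.cat): <name>~31bf3856ad364e35~<arch>~...
COMPONENT_STORE = re.compile(
    r"(?:amd64|x86|wow64|msil)_[^\\/_]+_31bf3856ad364e35_\d+(?:\.\d+){3}_"
    r"|~31bf3856ad364e35~(?:amd64|x86|wow64)~",
    re.IGNORECASE,
)


def parse_records(text):
    """Yield (source, kind, payload) for each detail line following a 'Source:' line."""
    source = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := REC_SRC.match(line):
            source = m.group(1)
        elif m := REC_FUNC.match(line):
            apis = [a for a in m.group(2).split(",") if a]
            yield source, "function", (m.group(1), apis)
        elif m := REC_STR.match(line):
            yield source, "string", m.group(1)
        # the bare repeated function id line ('0_2_00449089 |') carries nothing new


def classify_function(apis):
    seen = set(apis)
    clusters = sorted(name for name, members in FINGERPRINT_CLUSTERS.items()
                      if len(seen & members) >= MIN_DISTINCT)
    return {
        "apis": apis,
        "clusters": clusters,
        # walking every process and heap *and* querying OS/memory/network stats is
        # the shape of a host-fingerprinting routine rather than ordinary file I/O
        "fingerprinting": {"process_heap_walk", "host_profile"} <= set(clusters),
    }


def triage(text):
    report = {"functions": {}, "hyperv_strings": Counter(), "hyperv_other": []}
    for _source, kind, payload in parse_records(text):
        if kind == "function":
            func_id, apis = payload
            report["functions"][func_id] = classify_function(apis)
        elif kind == "string" and HYPERV.search(payload):
            label = "component_store_name" if COMPONENT_STORE.search(payload) else "other"
            report["hyperv_strings"][label] += 1
            if label == "other":
                report["hyperv_other"].append(payload)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE)
    for func_id, info in result["functions"].items():
        print(f"{func_id}: clusters={info['clusters']} fingerprinting={info['fingerprinting']}")
    print("Hyper-V strings by kind:", dict(result["hyperv_strings"]))
    print("Hyper-V strings that are not component-store names:", result["hyperv_other"])
```

Run as-is it marks 0_2_00449089 as fingerprinting, 0_2_00416D6D as a plain filesystem walk, and sorts both report Hyper-V strings into the component-store bucket; only the constructed vmicheartbeat control lands in "other". Paste the full evidence list from a report into SAMPLE (or read it from a file) to get the same breakdown for every record; the point of the two-bucket split is that a Hyper-V hit consisting solely of WinSxS and servicing names is weaker evidence of VM detection than one containing service, device or registry names that a directory walk would not produce.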