Windows Analysis Report yjOapKcgE1

Overview

General Information

Sample Name: yjOapKcgE1 (renamed file extension from none to exe)
Analysis ID: 492525
MD5: 1d46afb839b846ede01cb925470f0488
SHA1: 8cffc99cda16d5d6b5192c62fefae6c0ac89b33d
SHA256: d158534622b057b387a617ebe2931fef6d5c7d386b6dfbeb652c4781846f87c1
Tags: exe, Troldesh

Detection

CryptOne Shade
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Shade Ransomware
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Detected CryptOne packer
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Found Tor onion address
Contains functionality to change the wallpaper
May use the Tor software to hide its network traffic
Deletes shadow drive data (may be related to ransomware)
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Abnormally high CPU usage
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file name differs from the original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Uses Microsoft's Enhanced Cryptographic Provider

AV Detection:

Multi AV Scanner detection for submitted file
Source: yjOapKcgE1.exe Virustotal: Detection: 67%
Source: yjOapKcgE1.exe Metadefender: Detection: 68%
Source: yjOapKcgE1.exe ReversingLabs: Detection: 86%
Antivirus / Scanner detection for submitted sample
Source: yjOapKcgE1.exe Avira: detected
Antivirus detection for dropped file
Source: C:\ProgramData\Windows\csrss.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Windows\csrss.exe Virustotal: Detection: 67%
Source: C:\ProgramData\Windows\csrss.exe Metadefender: Detection: 68%
Source: C:\ProgramData\Windows\csrss.exe ReversingLabs: Detection: 86%
Antivirus or Machine Learning detection for unpacked file
Source: 4.0.csrss.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.2.yjOapKcgE1.exe.400000.0.unpack Avira: Label: TR/Crypt.FKM.Gen
Source: 4.2.csrss.exe.2480000.2.unpack Avira: Label: TR/Crypt.FKM.Gen
Source: 2.2.csrss.exe.400000.0.unpack Avira: Label: TR/Crypt.FKM.Gen
Source: 2.2.csrss.exe.2480000.2.unpack Avira: Label: TR/Crypt.FKM.Gen
Source: 0.2.yjOapKcgE1.exe.2270000.2.unpack Avira: Label: TR/Crypt.FKM.Gen
Source: 2.0.csrss.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.0.yjOapKcgE1.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 4.2.csrss.exe.400000.0.unpack Avira: Label: TR/Crypt.FKM.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00525289 CryptAcquireContextA,GetLastError,CryptGenRandom, 2_2_00525289
Source: yjOapKcgE1.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Uses 32bit PE files
Source: yjOapKcgE1.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.6:49776 version: TLS 1.2
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00416D6D
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 2_2_00416D6D
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00416AEC _memset,_memset,GetLogicalDriveStringsW,GetSystemDirectoryW,GetDriveTypeW,GetDriveTypeW, 0_2_00416AEC

Networking:

Found Tor onion address
Source: yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp String found in binary or memory: ExVersion4.0.0.1SOFTWARE\System32\Configuration\System32Windowscsrss.exeSOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystemcsrss.lnkClient Server Runtime Subsystemxpkxmodexstatexcntxwpxixsysxmailshstsh1sh2shsntxfsMicrosoft\Windows\User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0127.0.0.1:--ignore-missing-torrc--SOCKSPort--DataDirectory--bridgeWatcher: Walker: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=si=sh=shb=sha=cp=st=fl=m=u=nocache=can not create dircan not copy filecan not add to autoruncan not save value (mark)std exception: unknown c++ exceptioninvalid parameter exceptionSEH exceptionSEHSTD: C++0x
Source: csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp String found in binary or memory: ExVersion4.0.0.1SOFTWARE\System32\Configuration\System32Windowscsrss.exeSOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystemcsrss.lnkClient Server Runtime Subsystemxpkxmodexstatexcntxwpxixsysxmailshstsh1sh2shsntxfsMicrosoft\Windows\User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0127.0.0.1:--ignore-missing-torrc--SOCKSPort--DataDirectory--bridgeWatcher: Walker: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=si=sh=shb=sha=cp=st=fl=m=u=nocache=can not create dircan not copy filecan not add to autoruncan not save value (mark)std exception: unknown c++ exceptioninvalid parameter exceptionSEH exceptionSEHSTD: C++0x
Source: csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp String found in binary or memory: ExVersion4.0.0.1SOFTWARE\System32\Configuration\System32Windowscsrss.exeSOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystemcsrss.lnkClient Server Runtime Subsystemxpkxmodexstatexcntxwpxixsysxmailshstsh1sh2shsntxfsMicrosoft\Windows\User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0127.0.0.1:--ignore-missing-torrc--SOCKSPort--DataDirectory--bridgeWatcher: Walker: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=si=sh=shb=sha=cp=st=fl=m=u=nocache=can not create dircan not copy filecan not add to autoruncan not save value (mark)std exception: unknown c++ exceptioninvalid parameter exceptionSEH exceptionSEHSTD: C++0x
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1be3ecebe5aa9d3654e6e703d81f6928
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 154.35.32.5
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49777 -> 76.73.17.194:9090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 193.23.244.244
Source: unknown TCP traffic detected without corresponding DNS query: 76.73.17.194
Source: unknown TCP traffic detected without corresponding DNS query: 154.35.32.5
Source: csrss.exe, 00000002.00000002.419372600.000000000298C000.00000004.00000001.sdmp, csrss.exe, 00000004.00000002.443512303.000000000298C000.00000004.00000001.sdmp String found in binary or memory: ww.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: csrss.exe, 00000004.00000002.443512303.000000000298C000.00000004.00000001.sdmp String found in binary or memory: ww.mit.edu,www.yahoo.com,www.slashdot.orgd1 equals www.yahoo.com (Yahoo)
Source: csrss.exe, 00000002.00000002.419372600.000000000298C000.00000004.00000001.sdmp String found in binary or memory: ww.mit.edu,www.yahoo.com,www.slashdot.orgml equals www.yahoo.com (Yahoo)
Source: yjOapKcgE1.exe, csrss.exe, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: yjOapKcgE1.exe, 00000000.00000003.591659793.0000000003E4A000.00000004.00000001.sdmp, csrss.exe, 00000002.00000002.421233940.0000000003C01000.00000004.00000001.sdmp, csrss.exe, 00000004.00000002.444247411.0000000003E01000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: yjOapKcgE1.exe, 00000000.00000003.591659793.0000000003E4A000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.coms equals www.yahoo.com (Yahoo)
Source: yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp String found in binary or memory: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=s
Source: yjOapKcgE1.exe, csrss.exe, csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/
Source: yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com///whatismyipaddress.com/ip/Click
Source: csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp String found in binary or memory: http://whatsmyip.net/
Source: yjOapKcgE1.exe, csrss.exe, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: yjOapKcgE1.exe, 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, csrss.exe, 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html.
Source: yjOapKcgE1.exe, yjOapKcgE1.exe, 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, csrss.exe, csrss.exe, 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp String found in binary or memory: https://www.torproject.org/
Source: unknown HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.6:49776 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: csrss.exe, 00000002.00000002.417573745.0000000000A12000.00000004.00000001.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Shade Ransomware
Source: Yara match File source: Process Memory Space: csrss.exe PID: 5636, type: MEMORYSTR
Contains functionality to change the wallpaper
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0040AC3A __EH_prolog,_memset,SystemParametersInfoW,SystemParametersInfoW, 0_2_0040AC3A
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0040AC3A __EH_prolog,_memset,SystemParametersInfoW,SystemParametersInfoW, 2_2_0040AC3A
Deletes shadow drive data (may be related to ransomware)
Source: yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST
Source: csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST
Source: csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST

System Summary:

Uses 32bit PE files
Source: yjOapKcgE1.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00416D6D 0_2_00416D6D
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0041D211 0_2_0041D211
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00413375 0_2_00413375
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00409519 0_2_00409519
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00405D99 0_2_00405D99
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00417EB5 0_2_00417EB5
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_005700E0 0_2_005700E0
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0046216A 0_2_0046216A
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00578217 0_2_00578217
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_004182F7 0_2_004182F7
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_005702E0 0_2_005702E0
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0047C295 0_2_0047C295
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00458591 0_2_00458591
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00578600 0_2_00578600
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00412699 0_2_00412699
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00572886 0_2_00572886
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00424930 0_2_00424930
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0055CA56 0_2_0055CA56
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00448BF0 0_2_00448BF0
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0040AC3A 0_2_0040AC3A
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00412CBF 0_2_00412CBF
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0055AD61 0_2_0055AD61
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00574D00 0_2_00574D00
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00414D81 0_2_00414D81
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00478E5B 0_2_00478E5B
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00572EF9 0_2_00572EF9
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00416D6D 2_2_00416D6D
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00405D99 2_2_00405D99
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_005700E0 2_2_005700E0
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0046216A 2_2_0046216A
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00578217 2_2_00578217
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_004182F7 2_2_004182F7
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_005702E0 2_2_005702E0
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0047C295 2_2_0047C295
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00458591 2_2_00458591
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00578600 2_2_00578600
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00412699 2_2_00412699
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00572886 2_2_00572886
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00424930 2_2_00424930
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0055CA56 2_2_0055CA56
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00448BF0 2_2_00448BF0
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0040AC3A 2_2_0040AC3A
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00412CBF 2_2_00412CBF
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0055AD61 2_2_0055AD61
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00574D00 2_2_00574D00
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00414D81 2_2_00414D81
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00478E5B 2_2_00478E5B
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00572EF9 2_2_00572EF9
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00573180 2_2_00573180
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_004411B7 2_2_004411B7
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0041D211 2_2_0041D211
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00571230 2_2_00571230
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00575290 2_2_00575290
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00413375 2_2_00413375
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00559480 2_2_00559480
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00409519 2_2_00409519
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_005756D7 2_2_005756D7
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_005716C0 2_2_005716C0
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_005737C0 2_2_005737C0
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0041B9C0 2_2_0041B9C0
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00571980 2_2_00571980
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0054D9A0 2_2_0054D9A0
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00407B25 2_2_00407B25
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0056FD80 2_2_0056FD80
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0044BEFB 2_2_0044BEFB
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00417EB5 2_2_00417EB5
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00457EB0 2_2_00457EB0
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00443FA6 2_2_00443FA6
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: String function: 0056F5DC appears 126 times
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: String function: 0055E5C0 appears 125 times
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: String function: 004427B6 appears 56 times
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: String function: 0040383F appears 56 times
Source: C:\ProgramData\Windows\csrss.exe Code function: String function: 005501C8 appears 43 times
Source: C:\ProgramData\Windows\csrss.exe Code function: String function: 004427B6 appears 100 times
Source: C:\ProgramData\Windows\csrss.exe Code function: String function: 0040383F appears 91 times
Source: C:\ProgramData\Windows\csrss.exe Code function: String function: 0056F5DC appears 218 times
Source: C:\ProgramData\Windows\csrss.exe Code function: String function: 0055E5C0 appears 191 times
Contains functionality to communicate with device drivers
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00417871: DeviceIoControl,CloseHandle, 2_2_00417871
Abnormally high CPU usage
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Process Stats: CPU usage > 98%
Sample file name differs from the original file name gathered from version info
Source: yjOapKcgE1.exe, 00000000.00000003.356494984.0000000003275000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE V vs yjOapKcgE1.exe
Source: yjOapKcgE1.exe, 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCSRSS.Exej% vs yjOapKcgE1.exe
Source: yjOapKcgE1.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE V vs yjOapKcgE1.exe
PE file contains strange resources
Source: yjOapKcgE1.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: csrss.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\Windows\csrss.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Windows\csrss.exe Section loaded: mswsock.dll
Source: yjOapKcgE1.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: csrss.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yjOapKcgE1.exe Virustotal: Detection: 67%
Source: yjOapKcgE1.exe Metadefender: Detection: 68%
Source: yjOapKcgE1.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\yjOapKcgE1.exe File read: C:\Users\user\Desktop\yjOapKcgE1.exe
Source: yjOapKcgE1.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\yjOapKcgE1.exe 'C:\Users\user\Desktop\yjOapKcgE1.exe'
Source: unknown Process created: C:\ProgramData\Windows\csrss.exe 'C:\ProgramData\Windows\csrss.exe'
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\yjOapKcgE1.exe File created: C:\Users\user\AppData\Local\Temp\6893A5D897\
Source: classification engine Classification label: mal100.rans.evad.winEXE@3/3@0/4
Source: C:\Users\user\Desktop\yjOapKcgE1.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,FindCloseChangeNotification,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 0_2_00449089
Source: yjOapKcgE1.exe String found in binary or memory: 7300e4301afb0f11bd3e3bbb680dcd5a4f16132b src/or/tor_main.c babb5c60712b93b4aec373dbb16184bfa538c647 src/or/addressmap.c 1c2e8b3d7f6d19f4c3fecef13d8e29ea45d69028 src/or/buffers.c 52fbb8124bfb04bb83d44f1bbaaa2a1ebfa42870 src/or/channel.c 050ce52841624546a391
Source: yjOapKcgE1.exe String found in binary or memory: 68e src/or/addressmap.h fc122cd5462d0445cb668278744dd8778472cf54 src/or/buffers.h 03bcf0ecb460f7814ab484deb6f638f727704b94 src/or/channel.h 52340d597aa7c6cc5500f654f46733a4e577905a src/or/channeltls.h ff3a5693416ccf243f608a7bb943a078418c16d8 src/or/circpa
Source: yjOapKcgE1.exe String found in binary or memory: accounting/interval-start
Source: yjOapKcgE1.exe String found in binary or memory: X-Your-Address-Is:
Source: yjOapKcgE1.exe String found in binary or memory: X-Your-Address-Is: %s
Source: yjOapKcgE1.exe String found in binary or memory: introduction-point %s ip-address %s onion-port %d onion-key %sservice-key %s
Source: yjOapKcgE1.exe String found in binary or memory: %d.%d.%d.%d.in-addr.arpa
Source: yjOapKcgE1.exe String found in binary or memory: set-addPolicy
Source: yjOapKcgE1.exe String found in binary or memory: --help
Source: yjOapKcgE1.exe String found in binary or memory: tor-fw-helper
Source: yjOapKcgE1.exe String found in binary or memory: ip-address
Source: yjOapKcgE1.exe String found in binary or memory: dir-address
Source: yjOapKcgE1.exe String found in binary or memory: or-address %s:%d
Source: yjOapKcgE1.exe String found in binary or memory: or-address
Source: yjOapKcgE1.exe String found in binary or memory: cp+(end-start_of_annotations) == router->cache_info.signed_descriptor_body+len
Source: yjOapKcgE1.exe String found in binary or memory: id-cmc-addExtensions
Source: yjOapKcgE1.exe String found in binary or memory: .in-addr.arpa
Source: yjOapKcgE1.exe String found in binary or memory: cffd2d9eef71f1ae5f7eb4e16aa56b728abe65aa src/common/address.h 3890e58a3754bc0de32e7cf38de8a790c2c282af src/common/backtrace.h 947ef902f15f556f176b1115f09d9966e377347d src/common/aes.h 2ad59cee80471c42536e66e24e73a8948e345dcf src/common/ciphers.inc ceaa37cf
Source: yjOapKcgE1.exe String found in binary or memory: --install
Source: yjOapKcgE1.exe String found in binary or memory: -install
Source: csrss.exe String found in binary or memory: 7300e4301afb0f11bd3e3bbb680dcd5a4f16132b src/or/tor_main.c babb5c60712b93b4aec373dbb16184bfa538c647 src/or/addressmap.c 1c2e8b3d7f6d19f4c3fecef13d8e29ea45d69028 src/or/buffers.c 52fbb8124bfb04bb83d44f1bbaaa2a1ebfa42870 src/or/channel.c 050ce52841624546a391
Source: csrss.exe String found in binary or memory: 68e src/or/addressmap.h fc122cd5462d0445cb668278744dd8778472cf54 src/or/buffers.h 03bcf0ecb460f7814ab484deb6f638f727704b94 src/or/channel.h 52340d597aa7c6cc5500f654f46733a4e577905a src/or/channeltls.h ff3a5693416ccf243f608a7bb943a078418c16d8 src/or/circpa
Source: csrss.exe String found in binary or memory: accounting/interval-start
Source: csrss.exe String found in binary or memory: X-Your-Address-Is:
Source: csrss.exe String found in binary or memory: X-Your-Address-Is: %s
Source: csrss.exe String found in binary or memory: introduction-point %s ip-address %s onion-port %d onion-key %sservice-key %s
Source: csrss.exe String found in binary or memory: %d.%d.%d.%d.in-addr.arpa
Source: csrss.exe String found in binary or memory: set-addPolicy
Source: csrss.exe String found in binary or memory: --help
Source: csrss.exe String found in binary or memory: tor-fw-helper
Source: csrss.exe String found in binary or memory: ip-address
Source: csrss.exe String found in binary or memory: dir-address
Source: csrss.exe String found in binary or memory: or-address %s:%d
Source: csrss.exe String found in binary or memory: or-address
Source: csrss.exe String found in binary or memory: cp+(end-start_of_annotations) == router->cache_info.signed_descriptor_body+len
Source: csrss.exe String found in binary or memory: id-cmc-addExtensions
Source: csrss.exe String found in binary or memory: .in-addr.arpa
Source: csrss.exe String found in binary or memory: cffd2d9eef71f1ae5f7eb4e16aa56b728abe65aa src/common/address.h 3890e58a3754bc0de32e7cf38de8a790c2c282af src/common/backtrace.h 947ef902f15f556f176b1115f09d9966e377347d src/common/aes.h 2ad59cee80471c42536e66e24e73a8948e345dcf src/common/ciphers.inc ceaa37cf
Source: csrss.exe String found in binary or memory: --install
Source: csrss.exe String found in binary or memory: -install
Source: yjOapKcgE1.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: yjOapKcgE1.exe Static file information: File size 1244429 > 1048576
Source: yjOapKcgE1.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x113200

Data Obfuscation:

Detected CryptOne packer
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}
Source: C:\ProgramData\Windows\csrss.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0055020D push ecx; ret 0_2_00550220
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0044CC0D push ss; iretd 0_2_0044CC11
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0055020D push ecx; ret 2_2_00550220
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0044CC0D push ss; iretd 2_2_0044CC11
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0056F5DC push eax; ret 2_2_0056F5FA
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_004016F7 push edi; retn 0014h 2_2_004016FC
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_007E40E0 push edx; ret 2_2_007E41F1
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_007E4080 push edx; ret 2_2_007E408B
Source: C:\ProgramData\Windows\csrss.exe Code function: 4_2_007E40E0 push edx; ret 4_2_007E41F1
Source: C:\ProgramData\Windows\csrss.exe Code function: 4_2_007E4080 push edx; ret 4_2_007E408B
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0041A13C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0041A13C
PE file contains an invalid checksum
Source: yjOapKcgE1.exe Static PE information: real checksum: 0x139bcd should be: 0x139579
Source: csrss.exe.0.dr Static PE information: real checksum: 0x139bcd should be: 0x139579
Source: initial sample Static PE information: section name: .text entropy: 7.1245745803

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\Desktop\yjOapKcgE1.exe File created: C:\ProgramData\Windows\csrss.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\yjOapKcgE1.exe File created: C:\ProgramData\Windows\csrss.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\yjOapKcgE1.exe File created: C:\ProgramData\Windows\csrss.exe Jump to dropped file
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Subsystem Jump to behavior

Hooking and other Techniques for Hiding and Protection:

May use the Tor software to hide its network traffic
Source: yjOapKcgE1.exe, csrss.exe, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp Binary or memory string: onion-port
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0041A13C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0041A13C
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\yjOapKcgE1.exe TID: 6888 Thread sleep count: 780 > 30 Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe TID: 6888 Thread sleep time: -78000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe TID: 6364 Thread sleep count: 765 > 30 Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe TID: 6364 Thread sleep time: -76500s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,FindCloseChangeNotification,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 0_2_00449089
Is looking for software installed on the system
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Window / User API: threadDelayed 780 Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Window / User API: threadDelayed 765 Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0040AA8F __EH_prolog,GetSystemInfo, 0_2_0040AA8F
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00416D6D
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 2_2_00416D6D
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00416AEC _memset,_memset,GetLogicalDriveStringsW,GetSystemDirectoryW,GetDriveTypeW,GetDriveTypeW, 0_2_00416AEC
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catat
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.17134.1_none_1ac11a9dc8f30e5b.manifest46\1
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.17134.1_en-us_9c3432f847f5f8f0\0S
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.17134.1_none_6054528c8a07dd45.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumtP
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..omputelib.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1cfee3fcfcbe4d8.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..ercommon-deployment_31bf3856ad364e35_10.0.17134.1_none_ffda9e2d3858e036.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumEw
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumKk
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catcat
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_0d3e2a9bd4020545\KR
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-tpm_31bf3856ad364e35_10.0.17134.1_none_604b83348a0c5e92\]V
Source: yjOapKcgE1.exe, 00000000.00000003.411826320.0000000003E4D000.00000004.00000001.sdmp Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catmgV
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vpmem_31bf3856ad364e35_10.0.17134.1_none_c277eb1734798565\H
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catcat
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catmmum
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.17134.1_en-us_2b9c39681a7206ff\
Source: yjOapKcgE1.exe, 00000000.00000003.407891045.0000000003023000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.17134.1_none_84e0eedae46f7b9b\7`
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975\RemoteFileBrowse.dll.mui
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catd64_2
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.17134.1_none_b7de7159233ab503\>H
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cattcatHv
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumcat
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumm
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.1_none_15d1dfb8ceafada1.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum\*
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_3c5b1e1b1b3e66b3.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-lun-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_15c27a1250ea6310\3U
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catf6\
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_bd1bad59835abed8.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.408543755.000000000300C000.00000004.00000001.sdmp Binary or memory string: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.Format.ps1xmln-US\licyg
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-firewallrules_31bf3856ad364e35_10.0.17134.1_none_b9673992b104448b.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.17134.1_none_7743eea1a413bb8c\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-k..erformance-counters_31bf3856ad364e35_10.0.17134.1_none_611f8a7fa810774a.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_8051bd2040ebffa9\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumumLu
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1catL
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vmbus_31bf3856ad364e35_10.0.17134.1_none_bcf0637138185dcf.manifestO
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.409144898.000000000301F000.00000004.00000001.sdmp Binary or memory string: indows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catmum
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.17134.1_en-us_e3616de0d25a48c4\
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.17134.1_none_84e0eedae46f7b9b\
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat6\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.17134.1_en-us_bdfc93ec7698eb64\]S
Source: yjOapKcgE1.exe, 00000000.00000003.382330764.0000000003CC1000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b.manifestt<9
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.17134.1_none_2457e84548829177.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.17134.1_en-us_9c3432f847f5f8f0.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vpcivdev_31bf3856ad364e35_10.0.17134.1_none_7873076add237d80\
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-tpm.resources_31bf3856ad364e35_10.0.17134.1_en-us_259560ef1632af7b\
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat'
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumt
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-licensing_31bf3856ad364e35_10.0.17134.1_none_369c533be4c3e496.manifestp
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.17134.1_en-us_02a473bf02f2a824\SnapInAbout.dll.muipsm1xD]
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat3dafb3
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.17134.1_none_076f3325872ef096\
Source: csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-foundatio..rrordetails-content_31bf3856ad364e35_10.0.17134.1_none_3ab9bf148a4819e5\amd64_microsoft-desktop-p..ioning-platform-uap_31bf3856ad364e35_10.0.17134.1_none_5e4e1b442d078889\amd64_microsoft-devicepro..-provider.resources_31bf3856ad364e35_10.0.17134.1_en-us_c2a551b5aab687b5\amd64_microsoft-hgattest-catrustlet.resources_31bf3856ad364e35_10.0.17134.1_en-us_ca3e7fd07ab37c9d\amd64_microsoft-composabl..aexchange-component_31bf3856ad364e35_10.0.17134.1_none_04e832a0b81922b5\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.17134.1_none_e7a75aa65b01cbbc\wow64_microsoft-windows-s..voicecommon-onecore_31bf3856ad364e35_10.0.17134.1_none_2516ae987d0f5689amd64_microsoft-client-li..rm-client.resources_31bf3856ad364e35_10.0.17134.1_en-us_2e935868788b98e3\amd64_microsoft-foundatio..ostics-errordetails_31bf3856ad364e35_10.0.17134.1_none_ee9e9b835c95ca17\amd64_microsoft-hostguard..ient-service-plugin_31bf3856ad364e35_10.0.17134.1_none_3d9a07e845b32510\amd64_microsoft-client-li..pgrade-subscription_31bf3856ad364e35_10.0.17134.1_none_36ef8e95916610d2\amd64_microsoft-client-licensing-licensingcsp_31bf3856ad364e35_10.0.17134.1_none_30cd32ebc7471f35\amd64_microsoft-client-li..platform-pkeyhelper_31bf3856ad364e35_10.0.17134.1_none_80fc199340598eb9\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.17134.1_none_ba6872d2ad3f59a1\amd64_microsoft-composabl..ropcommon-component_31bf3856ad364e35_10.0.17134.1_none_071428093ca833e3\amd64_microsoft-composable-dragdrop.resources_31bf3856ad364e35_10.0.17134.1_en-us_7f94f629bf9f24d2\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806\amd64_microsoft-hostguard..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_9b44c1c80f7f69cb\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d\0
Source: yjOapKcgE1.exe, 00000000.00000003.412712919.0000000003DBC000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catcat
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmsp_31bf3856ad364e35_10.0.17134.1_none_1ac175bdc8f2a7d7\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..group-vm-deployment_31bf3856ad364e35_10.0.17134.1_none_88bd3c16c482b637.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.17134.1_en-us_aea0b368e53cc261.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catmn
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp Binary or memory string: amd64_hyperv-commandline-tool.resources_31bf3856ad364e35_10.0.17134.1_en-us_d5c4e754bc26201d\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.17134.1_none_7305852b7c12035c\amd64_hyperv-vpci-rootporterr.resources_31bf3856ad364e35_10.0.17134.1_en-us_30ee0a3c7e36caae\amd64_hyperv-compute-eventlog.resources_31bf3856ad364e35_10.0.17134.1_en-us_522940f2f04f07f9\amd64_eventviewersettings.resources_31bf3856ad364e35_10.0.17134.1_en-us_7cb27ecefd0ec555\amd64_halextintclpiodma.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_24bb2a71e75700a1\amd64_microsoft-onecore-bluetooth-bthserv_31bf3856ad364e35_10.0.17134.1_none_9e5c1f54d20f8511\amd64_hyperv-worker-events.resources_31bf3856ad364e35_10.0.17134.1_en-us_9de5622f209a7b21\eamd64_hyperv-networking-switch-interface_31bf3856ad364e35_10.0.17134.1_none_cbcae0f157b5d02b\3amd64_hyperv-vmemulateddevices.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1a750046421bf96\amd64_hyperv-vmemulatednic.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bcfb31102e62eb\2983amd64_ialpss2i_gpio2_bxt_p.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_83c2ed1a4d3a2524\amd64_ialpss2i_gpio2_skl.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_c3ad514b87278211\amd64_ialpss2i_i2c_skl.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_980be98350adbd52\amd64_ialpss2i_i2c_bxt_p.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ffa8f5f4e6504efb\amd64_microsoft-analog-h2-animpkg-baked_31bf3856ad364e35_10.0.17134.1_none_6eba91e284242d6b\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.17134.1_none_f80e1506497cdc7d\amd64_microsoft-hgattest-wmi.resources_31bf3856ad364e35_10.0.17134.1_en-us_f5d00bfe514a12c1\amd64_microsoft-hostguardianclient-service_31bf3856ad364e35_10.0.17134.1_none_a9eb3231da4732e2\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.1_none_15d1dfb8ceafada1\amd64_microsoft-composable-start-binaries_31bf3856ad364e35_10.0.17134.1_none_6e6feff719ed9f5c\amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.17134.1_none_d80c4ce4e8fa0144\amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.17134.1_none_076f3325872ef096\amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239\amd64_microsoft-deviceproxy-wmiv2-provider_31bf3856ad364e35_10.0.17134.1_none_e9f22d8bf1fc7e92\amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.17134.1_en-us_49c786157c795a73\amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44\amd64_microsoft-analog-h2-fxpkg-baked_31bf3856ad364e35_10.0.17134.1_none_1be886b2910c8266\amd64_microsoft-analog-h2-hydrogenrt_31bf3856ad364e35_10.0.17134.1_none_db29adc7273ced52\amd64_microsoft-appmodel-exec-events_31bf3856ad364e35_10.0.17134.1_none_07677813525018a6\amd64_microsoft-antimalware-scan-interface_31bf3856ad364e35_10.0.17134.1_none_3c34e651403e5e41\amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.17134.1_none_dacb8dcdbfa5382f\amd64_microsoft-hyper-v-vpmem.resources_3
Source: yjOapKcgE1.exe, 00000000.00000003.407312582.0000000003022000.00000004.00000001.sdmp, csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.17134.1_none_8ce33edadf477e7a\
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.17134.1_none_e6683e9b0956ac05.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..vices-vm-deployment_31bf3856ad364e35_10.0.17134.1_none_d43b74ba5db8d712.manifest!
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumm
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.17134.1_none_2becad3b77bb3580.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.18
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1t
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.379896172.0000000003E97000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_0b749ee450213385.manifest_rega~
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..ers-vmswitch-common_31bf3856ad364e35_10.0.17134.1_none_156e07c0687fe777.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumd64~en-'{
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.17134.1_none_7338804b0eb50c17.manifest[9U
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumt
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catum\6
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat34.1Qs
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt<
Source: yjOapKcgE1.exe, 00000000.00000003.382657092.0000000003D10000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..omputelib.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1cfee3fcfcbe4d8.manifest$
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-p..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_7fb4b9d31b9d09e8.manifest38
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1A<
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vid_31bf3856ad364e35_10.0.17134.1_none_864a29a4e381d095.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.17<S
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.17134.1_en-us_bdfc93ec7698eb64.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumfest2
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.17134.1_none_14929ba5ccea66b9.manifest7c\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.17134.1_none_bb0455987cc9b004\'H
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-k..erformance-counters_31bf3856ad364e35_10.0.17134.1_none_0fa1f97fe68f5a84.manifest
Source: csrss.exe, 00000004.00000003.437124723.0000000002818000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-foundatio..rrordetails-content_31bf3856ad364e35_10.0.17134.1_none_3ab9bf148a4819e5\amd64_microsoft-desktop-p..ioning-platform-uap_31bf3856ad364e35_10.0.17134.1_none_5e4e1b442d078889\amd64_microsoft-devicepro..-provider.resources_31bf3856ad364e35_10.0.17134.1_en-us_c2a551b5aab687b5\amd64_microsoft-hgattest-catrustlet.resources_31bf3856ad364e35_10.0.17134.1_en-us_ca3e7fd07ab37c9d\amd64_microsoft-composabl..aexchange-component_31bf3856ad364e35_10.0.17134.1_none_04e832a0b81922b5\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.17134.1_none_e7a75aa65b01cbbc\wow64_microsoft-windows-s..vider-dll.resources_31bf3856ad364e35_10.0.17134.1_en-us_edc9b956fc477c98\amd64_microsoft-client-li..rm-client.resources_31bf3856ad364e35_10.0.17134.1_en-us_2e935868788b98e3\amd64_microsoft-foundatio..ostics-errordetails_31bf3856ad364e35_10.0.17134.1_none_ee9e9b835c95ca17\amd64_microsoft-hostguard..ient-service-plugin_31bf3856ad364e35_10.0.17134.1_none_3d9a07e845b32510\amd64_microsoft-client-li..pgrade-subscription_31bf3856ad364e35_10.0.17134.1_none_36ef8e95916610d2\amd64_microsoft-client-licensing-licensingcsp_31bf3856ad364e35_10.0.17134.1_none_30cd32ebc7471f35\amd64_microsoft-client-li..platform-pkeyhelper_31bf3856ad364e35_10.0.17134.1_none_80fc199340598eb9\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.17134.1_none_ba6872d2ad3f59a1\amd64_microsoft-composabl..ropcommon-component_31bf3856ad364e35_10.0.17134.1_none_071428093ca833e3\amd64_microsoft-composable-dragdrop.resources_31bf3856ad364e35_10.0.17134.1_en-us_7f94f629bf9f24d2\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806\amd64_microsoft-hostguard..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_9b44c1c80f7f69cb\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d\0
Source: csrss.exe, 00000004.00000003.433142897.0000000000A4D000.00000004.00000001.sdmp Binary or memory string: MS48AF~1.CDXMSFT_NetEventVmNetworkAdatper.cdxml
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_9c1fa24ea8808bce.manifest9
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.17134.1_none_2becad3b77bb3580\6b9XI
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44\+Q
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-windows-hyper-v-dmvsc_31bf3856ad364e35_10.0.17134.1_none_8c46edec6c2bc4c5.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum*Q
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1mumqR8
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.1
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.cat|V<
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.17134.1_en-us_2b9c39681a7206ff.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.368619961.0000000003CB8000.00000004.00000001.sdmp Binary or memory string: wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_c77057abb7bb80d3\
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.17134.1_en-us_49c786157c795a73.manifesta&
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.17134.1_en-us_49c786157c795a73\
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.1m
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catcs
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44.manifest>&k
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catcs
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-p..-onecore-deployment_31bf3856ad364e35_10.0.17134.1_none_d91519867fe67212.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.390581909.0000000003CB8000.00000004.00000001.sdmp Binary or memory string: $$_syswow64_windowspowershell_v1.0_modules_hyper-v_2.0.0.0_e405d34891a93e8b.cdf-ms67\o
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.mum
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.mum
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.17134.1_none_076f3325872ef096.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.17134.1_none_c35bb6c84d5e4ad0\0e5b
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum9Vq
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.11.cat
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-storvsp_31bf3856ad364e35_10.0.17134.1_none_fabc5147bcc71691.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.412176983.0000000003E0C000.00000004.00000001.sdmp Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catcat1a8C=
Source: yjOapKcgE1.exe, 00000000.00000003.411826320.0000000003E4D000.00000004.00000001.sdmp Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catult l
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumW
Source: yjOapKcgE1.exe, 00000000.00000003.414935750.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-guest-network-drivers_31bf3856ad364e35_10.0.17134.1_none_5c8a4254832126cf.manifestW
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.17134.1_en-us_49c786157c795a73\i_
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catumx
Source: yjOapKcgE1.exe, 00000000.00000003.414935750.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.17134.1_en-us_9c3432f847f5f8f0\VmSynthFcVdev.dll.muii4.y\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_bd1bad59835abed8\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp, csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.17134.1_none_14929ba5ccea66b9\
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-tpm.resources_31bf3856ad364e35_10.0.17134.1_en-us_259560ef1632af7b.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum=k
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-lun-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_15c27a1250ea6310.manifeste9o
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat6s
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.17134.1_none_1c1693f7c8171ba6.manifesta\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.17134.1_none_6054528c8a07dd45\
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catf
Source: yjOapKcgE1.exe, 00000000.00000003.396549610.0000000003BF4000.00000004.00000001.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft.hyperv.powershell.cmdlets.misc_31bf3856ad364e35_10.0.17134.1_none_926214e59f622dbe\Hyper-V.Types.ps1xmlm11
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.17134.1_none_c35bb6c84d5e4ad0.manifest=
Source: yjOapKcgE1.exe, 00000000.00000003.412399466.000000000302F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat(
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.17134.1_none_dacb8dcdbfa5382f.manifest\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.17134.1_none_7338804b0eb50c17\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.17134.1_none_c0
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum:
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.17134.1_none_27198deddb7b50eb.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catnttd6
Source: yjOapKcgE1.exe, 00000000.00000003.368508999.0000000003E39000.00000004.00000001.sdmp Binary or memory string: MSFT_NetEventVmNetworkAdatper.format.ps1xmll
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_170afe8321651ef9.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-computelib_31bf3856ad364e35_10.0.17134.1_none_9321c5b124bca3df.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-f..wallrules.resources_31bf3856ad364e35_10.0.17134.1_en-us_7d008f07cc0acfbc.manifesti
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat8\
Source: yjOapKcgE1.exe, 00000000.00000003.412712919.0000000003DBC000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum_
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.17134.1_en-us_8e782c7a46f14b49.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-p..ru-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_d16dce7672841ddd\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.17134.1_none_602fae5e8a21fe6a\
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumx
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.17134.1_none_1ac11a9dc8f30e5b\
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor-bcd_31bf3856ad364e35_10.0.17134.1_none_fb42759451b23f2f.manifestA
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.17134.1_en-us_02a473bf02f2a824\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.17134.1_en-us_02a473bf02f2a824.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack_31bf3856ad364e35_10.0.17134.1_none_4a3dff595d47ce04.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.17134.1_none_6447f639abdaab84.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.17134.1_none_d74ad2482ffdcb42\
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.17134.1_none_8ce33edadf477e7a.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.17134.1_none_e99c08352e0bfafa\
Source: csrss.exe, 00000004.00000003.432408369.0000000003CF4000.00000004.00000001.sdmp Binary or memory string: C:\Windows\WinSxS\wow64_microsoft.hyperv.powershell.cmdlets.misc_31bf3856ad364e35_10.0.17134.1_none_9cb6bf37d3c2efb9\Hyper-V.Format.ps1xmlfdC:\Windows\WinSxS\wow64_microsoft.backgroun..r.management.module_31bf3856ad364e35_10.0.17134.1_none_c9225674386b031d\BitsTransfer.Format.ps1xmlC:\Windows\WinSxS\wow64_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_10.0.17134.1_none_3ad5fcef89951812\PortableDeviceTypes.dllll
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.17134.1_none_7743eea1a413bb8c\RemoteFileBrowse.dllpsd1top.a
Source: yjOapKcgE1.exe, 00000000.00000003.382657092.0000000003D10000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.17134.1_en-us_e3616de0d25a48c4.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.17134.1_none_6447f639abdaab84\
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.17134.1_none_51d671baba10f2e8.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.17134.1_none_076f3325872ef096\\
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-p..ru-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_d16dce7672841ddd\passthruparser.sys.muia
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catY
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bef40208ce4908\
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat4.1dk
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.17134.1_none_7743eea1a413bb8c.manifest}8w
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.17134.1_none_e6683e9b0956ac05\BV
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1mum
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mummumJ
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum2
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumoI
Source: yjOapKcgE1.exe, 00000000.00000003.412378941.000000000300C000.00000004.00000001.sdmp Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catt
Source: csrss.exe, 00000002.00000003.410125040.0000000003AF6000.00000004.00000001.sdmp Binary or memory string: MSFT_NetEventPacketCaptureProvider.cdxml-nat-poMSFT_NetEventWFPCaptureProvider.format.ps1xmld4414a63ae697c\C:\Windows\WinSxS\wow64_microsofMSFT_NetEventVmSwitchProvider.format.ps1xml.0.1MSFT_NetEventNetworkAdapter.format.ps1xml\WinSxMSFT_NetEventPacketCaptureProvider.cdxml31bf385MSFT_NetEventPacketCaptureProvider.formatl\34MSFT_NetEventNetworkAdapter.format.ps1xmlxmlptMSFT_NetEventPacketCaptureProvider.cdxml1xml47MSFT_NetEventVmNetworkAdatper.format.ps1xmlOSOFMSFT_NetEventVmNetworkAdatper.format.ps1xml.0.1MSFT_NetEventNetworkAdapter.format.ps1xml\WinSxMSFT_NetEventNetworkAdapter.format.ps1xml1bf385MSFT_NetEventNetworkAdapter.format.ps1xmll\keMSFT_NetEventVmNetworkAdatper.format.ps1xmlt-poMSFT_NetEventPacketCaptureProvider.cdxml1xmld4414a63ae697c\oC:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-NAT-POWERSHELL_31BF3856AD364E35_10.0.17134.1_NONE_B4D4414A63AE697C\\\\?\C:\Windows\WinSxS\wow64_microsoft-windows-nddeapi_31bf3856ad364e35_10.0.17134.1_none_2a0878d4c8eac9ec\*b\0C:\Windows\WinSxS\wow64_microsoft-windows-ndis-implatform_31bf3856ad364e35_10.0.17134.1_none_45c06433e16a291b\eC:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-NAT-POWERSHELL_31BF3856AD364E35_10.0.17134.1_NONE_B4D4414A63AE697C\C:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.17134.1_none_b4d4414a63ae697c\C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-NDIS-IMPLATFORM_31BF3856AD364E35_10.0.17134.1_NONE_45C06433E16A291B\C:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10C:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.17134.1_none_b4d4414a63ae697c\MSFT_NetNat.cdxml_B4D4414A63AE697C\crC:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.17134.1_none_b4d4414a63ae697c\C:\Windows\WinSxS\wow64_microsoft-windows-n
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806.manifestJ
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum\*{
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.mum
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vpmem.resources_31bf3856ad364e35_10.0.17134.1_en-us_83c966966d5f8cf2.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catat\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..ients-firewallrules_31bf3856ad364e35_10.0.17134.1_none_d07683518a4c2ec2.manifestF9J
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.17134.1_none_18c6a9392dd7eb3e\HyperVSysprepProvider.dll64rast
Source: yjOapKcgE1.exe, 00000000.00000003.411826320.0000000003E4D000.00000004.00000001.sdmp Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cattat
Source: yjOapKcgE1.exe, 00000000.00000003.371378467.0000000003CBF000.00000004.00000001.sdmp Binary or memory string: wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_c77057abb7bb80d3\c7c
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.17134.1_none_d23c603739df2f63.manifest/C
Source: yjOapKcgE1.exe, 00000000.00000003.411826320.0000000003E4D000.00000004.00000001.sdmp Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumcat
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.17134.1_none_51d671baba10f2e8\
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_c8885d1044f785b1.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.cattXfp
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.17134.1_en-us_8e782c7a46f14b49.manifest4.1
Source: csrss.exe, 00000004.00000003.433142897.0000000000A4D000.00000004.00000001.sdmp Binary or memory string: MS3E67~1.PS1MSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumcatm w
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.17134.1_none_e99c08352e0bfafa.manifest6\D&=
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.17134.1_none_c0dbf3b2f0877a05\VmEmulatedStorage.dllack_S
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.382825264.0000000003D31000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.17134.1_none_c0dbf3b2f0877a05.manifestcEo
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat89e18rl
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..ommon-vm-deployment_31bf3856ad364e35_10.0.17134.1_none_f5e4ea96fd9fee6d.manifest<9
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.17134.1_none_1ac11a9dc8f30e5b\sK
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.17134.1_none_27198deddb7b50eb\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumpe
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmsp_31bf3856ad364e35_10.0.17134.1_none_1ac175bdc8f2a7d7.manifestaa\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmsp.resources_31bf3856ad364e35_10.0.17134.1_en-us_96681ed56ec765c6\)[
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.17134.1_en-us_662e0a371a2edd22\
Source: yjOapKcgE1.exe, 00000000.00000003.411826320.0000000003E4D000.00000004.00000001.sdmp Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt364e
Source: yjOapKcgE1.exe, 00000000.00000003.414935750.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mummum3?W
Source: csrss.exe, 00000002.00000002.417573745.0000000000A12000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.17134.1_none_d80c4ce4e8fa0144.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-hypervisor-events_31bf3856ad364e35_10.0.17134.1_none_93bac8ae42b1f037.manifestZ
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1at
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.mum.Vn
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44\f\
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1xs
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catat_
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.17134.1_en-us_a86f4344ed926804\
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat\l;
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cattte
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catemory.i
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catp
Source: csrss.exe, 00000004.00000002.441820341.0000000002812000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-foundatio..rrordetails-content_31bf3856ad364e35_10.0.17134.1_none_3ab9bf148a4819e5\amd64_microsoft-desktop-p..ioning-platform-uap_31bf3856ad364e35_10.0.17134.1_none_5e4e1b442d078889\amd64_microsoft-devicepro..-provider.resources_31bf3856ad364e35_10.0.17134.1_en-us_c2a551b5aab687b5\amd64_microsoft-hgattest-catrustlet.resources_31bf3856ad364e35_10.0.17134.1_en-us_ca3e7fd07ab37c9d\amd64_microsoft-composabl..aexchange-component_31bf3856ad364e35_10.0.17134.1_none_04e832a0b81922b5\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.17134.1_none_e7a75aa65b01cbbc\wow64_microsoft-windows-e..d-keyboardfilterwmi_31bf3856ad364e35_10.0.17134.1_none_4c3ecb4f169ffaf8\amd64_microsoft-client-li..rm-client.resources_31bf3856ad364e35_10.0.17134.1_en-us_2e935868788b98e3\amd64_microsoft-foundatio..ostics-errordetails_31bf3856ad364e35_10.0.17134.1_none_ee9e9b835c95ca17\amd64_microsoft-hostguard..ient-service-plugin_31bf3856ad364e35_10.0.17134.1_none_3d9a07e845b32510\amd64_microsoft-client-li..pgrade-subscription_31bf3856ad364e35_10.0.17134.1_none_36ef8e95916610d2\amd64_microsoft-client-licensing-licensingcsp_31bf3856ad364e35_10.0.17134.1_none_30cd32ebc7471f35\amd64_microsoft-client-li..platform-pkeyhelper_31bf3856ad364e35_10.0.17134.1_none_80fc199340598eb9\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.17134.1_none_ba6872d2ad3f59a1\amd64_microsoft-composabl..ropcommon-component_31bf3856ad364e35_10.0.17134.1_none_071428093ca833e3\amd64_microsoft-composable-dragdrop.resources_31bf3856ad364e35_10.0.17134.1_en-us_7f94f629bf9f24d2\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806\amd64_microsoft-hostguard..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_9b44c1c80f7f69cb\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d\0
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumi
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_0b749ee450213385\
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumient\3.5.0.0__b77a5c561934e089\*93ec\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..-onecore-deployment_31bf3856ad364e35_10.0.17134.1_none_bae31ba10711fa29.manifestk
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat875j
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catcatt
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catt\f
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.17134.1_en-us_e3616de0d25a48c4\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b\5amd64_microsoft-onecore-a..sourcepolicy-server_31bf3856ad364e35_10.0.17134.1_none_8bb9bb03e61e0547\amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.17134.1_en-us_d370585015d204f5\amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_3c5b1e1b1b3e66b3\amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_8051bd2040ebffa9\amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.17134.1_en-us_02a473bf02f2a824\amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_0d3e2a9bd4020545\amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.17134.1_en-us_f27d2f48e22200a4\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.17134.1_none_27198deddb7b50eb\amd64_microsoft-hyper-v-lun-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_15c27a1250ea6310\amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.17134.1_none_7338804b0eb50c17\amd64_microsoft-hyper-v-p..ru-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_d16dce7672841ddd\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975\amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.17134.1_none_51d671baba10f2e8\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.17134.1_none_7743eea1a413bb8c\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bef40208ce4908\amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.17134.1_none_55327e6a748f524c\amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.17134.1_none_80458ecfde93ef21\amd
64_microsoft-hyper-v-v..omputelib.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1cfee3fcfcbe4d8\amd64_microsoft-hyper-v-vhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_0b749ee450213385\amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.17134.1_en-us_bdfc93ec7698eb64\amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.17134.1_en-us_a86f4344ed926804\amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.17134.1_none_d23c603739df2f63\amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.17134.1_en-us_2b9c39681a7206ff\amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.17134.1_en-us_aea0b368e53cc261\amd64_microsoft-hyper-v-vstack-tpm.resources_31bf3856ad364e35_10.0.17134.1_en-us_259560ef1632af7b\amd64_microsoft-hyper-v-vstack-vmsp.resources_31bf3856ad364e35_10.0.17134.1_en-us_96681ed56ec765c6\amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.17134.1_en-us_662e0a371a2edd22\amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.17134.1_en-us_8e782c7a46f14b49\amd64_microsoft-hyper-v-v
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.17134.1_en-us_f27d2f48e22200a4\.R
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.17134.1_none_80458ecfde93ef21\
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1Z<|
Source: yjOapKcgE1.exe, 00000000.00000003.376849424.000000000404B000.00000004.00000001.sdmp Binary or memory string: wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_c77057abb7bb80d3.manifest5
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catmdnj
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-tpm_31bf3856ad364e35_10.0.17134.1_none_604b83348a0c5e92.manifestE
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975\
Source: yjOapKcgE1.exe, 00000000.00000003.396521607.0000000003CBC000.00000004.00000001.sdmp Binary or memory string: Hyper-V.Types.ps1xmlmaE
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.17134.1_en-us_a86f4344ed926804.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catata\'w
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp Binary or memory string: amd64_iastorav.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_d010957a22aa6cc2\44amd64_iastorv.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ce7487caeb282db1\amd64_intelpep.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_b919ba664eb8a174\amd64_ksfilter.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_602cbe782df7c0ab\amd64_itsas35i.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_f441e46bcde20aea\amd64_ipmidrv.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_2d93a60324c5d86c\amd64_keyboard.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_14295de0d5889a92\amd64_microsoft-hyper-v-vstack-tpm_31bf3856ad364e35_10.0.17134.1_none_604b83348a0c5e92\amd64_kscaptur.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_c1b5d113ce4f7314\e79famd64_hyperv-vpci-rootporterr_31bf3856ad364e35_10.0.17134.1_none_4b48602cec1be5d9\amd64_ipoib6x.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_e59925927d88680e\amd64_ialpssi_gpio.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_a649fe25b1990444\amd64_hyperv-vmserial.resources_31bf3856ad364e35_10.0.17134.1_en-us_6d3c997783423a80\amd64_libressl-components-onecore_31bf3856ad364e35_10.0.17134.1_none_d4aeb1dd3dba3b92\amd64_hyperv-vmsynthnic.resources_31bf3856ad364e35_10.0.17134.1_en-us_32a65f534e80b7d2\amd64_ialpssi_i2c.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_0a046d4df7f0ac7b\famd64_mdmcxhv6.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_09e8c5d79af537ba\585aamd64_mdmmoto1.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_f75b3576214733f5\amd64_mdmusrk1.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_9eb3b46050454167\amd64_mediatransportcontrols-model_31bf3856ad364e35_10.0.17134.1_none_df95a0919952295e\amd64_lsi_sas2i.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_95805ec2a0a23b1e\amd64_lsi_sss.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ad30da42fcd27fef\amd64_machine.inf.resources_31bf3856ad364e35_10
.0.17134.1_en-us_2a8d9dcc57300c60\amd64_mausbhost.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_906215b3f2b26ad5\amd64_mdmcxpv6.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_59fc9c9cf9be23f2\amd64_mdmhayes.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_8c57d7d49a69f653\amd64_mdmmot64.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ff000c8ab0496599\amd64_mdmbtmdm.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_96206be438f55483\amd64_lsi_sas3i.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_d9378c0cca16d307\amd64_lsi_sas.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_f2367d3fe2c952ed\amd64_mdmirmdm.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_22eea3ac5f721862\amd64_mdmsettingsprov.resources_31bf3856ad364e35_10.0.17134.1_en-us_ad23c7918d89772c\amd64_megasas2i.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_f6956e52f0cb7c0f\amd64_microsoft-etw-ese.resources_31bf3856ad364e35_10.0.17134.1_en-us_d9d3654b48a76eff\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.17134.1_none_b7de7159233ab503\c601amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.17134.1_none_58d19a03c592a9cb
Source: yjOapKcgE1.exe, 00000000.00000003.412176983.0000000003E0C000.00000004.00000001.sdmp Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catnx
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_6340c1c9612e407b.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_d4bc3c4a770c0641.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1mum
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..-onecore-deployment_31bf3856ad364e35_10.0.17134.1_none_31bb998e7ce8dbdd.manifestr
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.17134.1_en-us_aea0b368e53cc261\cS
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumQs
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1}k
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.17134.1_none_58d19a03c592a9cb.manifestZ
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.1
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.17134.1_none_d74ad2482ffdcb42.manifestl
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.17134.1_none_d80c4ce4e8fa0144\Q
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.11catU
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.17134.1_none_18c6a9392dd7eb3e\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat4.1.inf_amd64_9f5493180b1252cf\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catpk
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_356d3b5898bc1c7d.manifestL
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.11
Source: yjOapKcgE1.exe, 00000000.00000003.408955641.0000000003000000.00000004.00000001.sdmp Binary or memory string: Hyper-V\Team\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_8051bd2040ebffa9.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.cat
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.17134.1_none_18c6a9392dd7eb3e.manifest`
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat\Kl
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum.mum
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cate0416
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vpmem_31bf3856ad364e35_10.0.17134.1_none_c277eb1734798565.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat8
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catxs
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmsp_31bf3856ad364e35_10.0.17134.1_none_1ac175bdc8f2a7d7\=K
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mummmm7v
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat_amd649l
Source: yjOapKcgE1.exe, 00000000.00000003.382825264.0000000003D31000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.17134.1_en-us_662e0a371a2edd22.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.14.1+k
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806\
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catcatt
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catf54688>
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.17134.1_en-us_f27d2f48e22200a4.manifestl
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-computelib_31bf3856ad364e35_10.0.17134.1_none_9321c5b124bca3df\
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catt
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.17134.1_none_58d19a03c592a9cb\
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.1
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mume3
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp, csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.17134.1_none_1c1693f7c8171ba6\
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.17134.1_none_d23c603739df2f63\WindowsHyperVCluster.V2.mofe"\
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumcat6s
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..wallrules.resources_31bf3856ad364e35_10.0.17134.1_en-us_c011eec82bd47853.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat%u
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.368571550.0000000003E06000.00000004.00000001.sdmp Binary or memory string: C:\Windows\WinSxS\wow64_microsoft-windows-label.resources_31bf3856ad364e35_10.0.17134.1_en-us_d69cf21a41b75966\label.exe.muiEventVmNetworkAdatper.format.ps1xmls1xml74d26b1ffcdc7c\*ile.dllioclltication.Identity.Provider.dll
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat02!
Source: yjOapKcgE1.exe, 00000000.00000003.382657092.0000000003D10000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b.manifestst
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mummmm
Source: yjOapKcgE1.exe, 00000000.00000003.412712919.0000000003DBC000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catt
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catRk
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.17134.1_en-us_8e782c7a46f14b49\|YC
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1m
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.17134.1_none_602fae5e8a21fe6a.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.17134.1_none_80458ecfde93ef21.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.418759784.0000000003DB5000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.muml
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catm
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat.1!
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp, csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.17134.1_none_6efae9ae437759d8\
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.17134.1_none_b7de7159233ab503.manifest3
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catt
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum"k
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1at
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.17134.1_none_dacb8dcdbfa5382f\
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.1_none_15d1dfb8ceafada1\
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catcat
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1m
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-storflt_31bf3856ad364e35_10.0.17134.1_none_fc7308d7bbb0dfd6.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414935750.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt&?`
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.17134.1_none_55327e6a748f524c.manifestn
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.17134.1_none_55327e6a748f524c\FS
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.17134.1_none_bb0455987cc9b004.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catR
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catinf_amd
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catWV
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat1
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.17134.1_en-us_8e782c7a46f14b49.manifesturc
Source: yjOapKcgE1.exe, 00000000.00000003.382825264.0000000003D31000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vdev-offline_31bf3856ad364e35_10.0.17134.1_none_c190bdf9d967faea.manifestfD
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vpcivdev_31bf3856ad364e35_10.0.17134.1_none_7873076add237d80.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.17134.1_none_6efae9ae437759d8.manifest1\[&
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmsp.resources_31bf3856ad364e35_10.0.17134.1_en-us_96681ed56ec765c6.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat\*\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.17134.1_en-us_d370585015d204f5.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumeV
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.17134.1_none_2457e84548829177\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239\\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bef40208ce4908.manifestiCe
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_3c5b1e1b1b3e66b3\wT
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_705250041d8b5452.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catwu
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.17134.1_none_84e0eedae46f7b9b.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.403819221.0000000003097000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\(
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.17134.1_none_d23c603739df2f63\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239\4
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44\7\N_
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-p..ru-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_d16dce7672841ddd.manifestC
Source: yjOapKcgE1.exe, 00000000.00000003.414935750.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat34.1
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-vpmem.resources_31bf3856ad364e35_10.0.17134.1_en-us_83c966966d5f8cf2\dQM
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catc
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..-onecore-deployment_31bf3856ad364e35_10.0.17134.1_none_ca9236a4769cd0cd.manifest^8R
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catmum
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catat[r
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414935750.000000000300B000.00000004.00000001.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.17134.1_en-us_d370585015d204f5\

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0054FAAD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0054FAAD
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,FindCloseChangeNotification,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 0_2_00449089
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0041A13C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0041A13C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_005664B0 TlsGetValue,TlsGetValue,TlsGetValue,TlsGetValue,CreateWaitableTimerA,SetWaitableTimer,WaitForMultipleObjects,CloseHandle,Sleep,CloseHandle,TlsGetValue,ResetEvent,__CxxThrowException@8,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_005664B0
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Memory protected: page write copy | page execute and read and write | page execute and write copy | page guard | page no cache
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00550F9A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00550F9A
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00550F9A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00550F9A
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0054FAAD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0054FAAD
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_0054DB9A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0054DB9A

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_004078E6 Wow64DisableWow64FsRedirection,GetForegroundWindow,ShellExecuteW,Wow64RevertWow64FsRedirection, 2_2_004078E6
Source: yjOapKcgE1.exe, 00000000.00000002.871799609.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: yjOapKcgE1.exe, 00000000.00000002.871799609.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progman
Source: yjOapKcgE1.exe, 00000000.00000002.871799609.0000000000D80000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: yjOapKcgE1.exe, 00000000.00000002.871799609.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\ProgramData\Windows\csrss.exe Code function: GetLocaleInfoA, 2_2_0055F513
Contains functionality to query CPU information (cpuid)
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00573480 cpuid 2_2_00573480
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_0054E1CE GetSystemTimeAsFileTime,__aulldiv, 0_2_0054E1CE
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_00560999 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 2_2_00560999
Source: C:\Users\user\Desktop\yjOapKcgE1.exe Code function: 0_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,FindCloseChangeNotification,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 0_2_00449089
Source: C:\ProgramData\Windows\csrss.exe Code function: 2_2_004176EB _memset,GetUserNameW, 2_2_004176EB