Source: SC_TR11670000.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
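The flag names in the static PE line above are the bits of the COFF file header's Characteristics field. The following is an added example, not part of the sandbox report, that reads that field from raw PE bytes and names the set bits; the header bytes it builds are constructed (a DOS stub plus PE signature and file header, no sections) so it runs offline, and 0x010F is the combination the report shows for SC_TR11670000.exe.

```python
"""Added example, not part of the sandbox report: decode IMAGE_FILE_HEADER.Characteristics
from a raw PE header. build_header() constructs a header-only image (not loadable) purely
so the parser can be exercised without the sample; feed pe_characteristics() the bytes of
a real file instead."""
import struct
from typing import List

# IMAGE_FILE_* bits (winnt.h), named the way the report prints them.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",      # no .reloc data: loader cannot rebase, so the image gets no ASLR
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x1000: "SYSTEM",
    0x2000: "DLL",
}


def pe_characteristics(data: bytes) -> int:
    """Return the 16-bit Characteristics field after validating both signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #   NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)  -> offset 18
    (flags,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return flags


def describe(flags: int) -> List[str]:
    """Names of the set bits, lowest bit first (the order the report lists them in)."""
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if flags & bit]


def build_header(characteristics: int, machine: int = 0x014C) -> bytes:
    """Constructed header-only PE (DOS stub + 'PE\\0\\0' + file header), for the example only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature directly after the DOS header
    file_header = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


# 0x010F is exactly the combination the report prints for SC_TR11670000.exe.
SAMPLE_FLAGS = 0x010F

if __name__ == "__main__":
    print(", ".join(describe(pe_characteristics(build_header(SAMPLE_FLAGS)))))
```

RELOCS_STRIPPED is the bit worth a second look when triaging: an image without relocations always loads at its preferred base, which is a useful pivot for memory-dump analysis and a property that changes if a sample is repacked.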
Source: (blank) | Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIIRadeonHelper.pdb source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp
Source: (blank) | Binary string: mshtml.pdb source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source: (blank) | Binary string: mshtml.pdbUGP source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_0040626D FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_004026FE FindFirstFileA
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.11.20:49842 -> 171.22.30.147:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.11.20:49842 -> 171.22.30.147:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.11.20:49842 -> 171.22.30.147:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.11.20:49842 -> 171.22.30.147:80
Source: Traffic | Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.11.20:49842 -> 171.22.30.147:80
Source: unknown | TCP traffic detected without corresponding DNS query: 171.22.30.147 (6 entries)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
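The network section above combines two independent signals: Snort content matches on the LokiBot User-Agent and check-in/exfiltration traffic, and a behavioural observation that the C2 address was contacted without any preceding DNS resolution. The following is an added example, not part of the sandbox report, showing how that correlation is done over flow and DNS logs. The destination 171.22.30.147, the client 192.168.11.20:49842 and the "Charon/Inferno" marker come from the report; every log record below is constructed for this example, and the full User-Agent value, the URIs and the DNS answers are assumptions.

```python
"""Added example, not part of the sandbox report: flag connections whose destination
was never returned by a DNS answer to the same client, and HTTP requests carrying the
LokiBot User-Agent tokens, then join the two. All log records are constructed."""
import ipaddress
from typing import Dict, List, Set, Tuple

DnsRecord = Tuple[float, str, str, str]             # ts, client, qname, answer_ip
ConnRecord = Tuple[float, str, int, str, int, str]  # ts, src, sport, dst, dport, proto

# Constructed sample DNS answers delivered to the infected client.
DNS_LOG: List[DnsRecord] = [
    (100.0, "192.168.11.20", "cacerts.digicert.com", "93.184.220.29"),
    (101.0, "192.168.11.20", "login.live.com", "40.126.31.8"),
]

# Constructed sample flow log; the 49842 -> 171.22.30.147:80 flow mirrors the Snort alerts.
CONN_LOG: List[ConnRecord] = [
    (100.5, "192.168.11.20", 49800, "93.184.220.29", 80, "tcp"),
    (102.0, "192.168.11.20", 49842, "171.22.30.147", 80, "tcp"),
    (102.5, "192.168.11.20", 53001, "1.1.1.1", 53, "udp"),
]

# Constructed sample HTTP requests; the exact LokiBot User-Agent string is an assumption.
HTTP_REQUESTS = [
    {"src": "192.168.11.20", "dst": "93.184.220.29", "method": "GET",
     "uri": "/DigiCertAssuredIDRootCA.crt", "headers": {"User-Agent": "Microsoft-CryptoAPI/10.0"}},
    {"src": "192.168.11.20", "dst": "171.22.30.147", "method": "POST",
     "uri": "/", "headers": {"User-Agent": "Mozilla/4.08 (Charon; Inferno)"}},
]


def flows_without_dns(conns, dns, window=300.0, resolvers=frozenset()):
    """(dst, dport, proto) of flows whose destination was not handed to the same client
    by a DNS answer within `window` seconds before the connection. Private and loopback
    destinations are skipped; `resolvers` suppresses the client's own DNS servers, which
    is what the report's UDP 1.1.1.1 hit is."""
    answers: Dict[Tuple[str, str], List[float]] = {}
    for ts, client, _qname, answer in dns:
        answers.setdefault((client, answer), []).append(ts)
    flagged: Set[Tuple[str, int, str]] = set()
    for ts, src, _sport, dst, dport, proto in conns:
        if dst in resolvers or ipaddress.ip_address(dst).is_private:
            continue
        prior = answers.get((src, dst), [])
        if not any(0.0 <= ts - t <= window for t in prior):
            flagged.add((dst, dport, proto))
    return sorted(flagged)


def lokibot_user_agent(requests):
    """Requests whose User-Agent carries both tokens named in the ET 2021641 alert title."""
    hits = []
    for req in requests:
        ua = req.get("headers", {}).get("User-Agent", "").lower()
        if "charon" in ua and "inferno" in ua:
            hits.append(req)
    return hits


def correlate(conns, dns, requests, resolvers=frozenset()):
    """Score each suspicious destination. A direct-to-IP flow alone is weak evidence
    (CDNs and hard-coded update servers do it too); the same host also receiving the
    LokiBot User-Agent is what makes the verdict firm."""
    direct = {dst for dst, _port, _proto in flows_without_dns(conns, dns, resolvers=resolvers)}
    ua_hosts = {req["dst"] for req in lokibot_user_agent(requests)}
    verdicts = {}
    for ip in direct | ua_hosts:
        if ip in direct and ip in ua_hosts:
            verdicts[ip] = "high: direct-to-IP HTTP carrying LokiBot User-Agent"
        elif ip in ua_hosts:
            verdicts[ip] = "high: LokiBot User-Agent"
        else:
            verdicts[ip] = "low: connection without preceding DNS answer"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in correlate(CONN_LOG, DNS_LOG, HTTP_REQUESTS, resolvers={"1.1.1.1"}).items():
        print(ip, verdict)
```

Without the `resolvers` exclusion the resolver itself (1.1.1.1:53) is flagged exactly as the report flags it; in production that list comes from the DHCP or endpoint configuration, and the DNS-correlation window has to cover the client's cache lifetime or long-lived connections will be reported as direct-to-IP.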
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SC_TR11670000.exe, 00000004.00000003.24262321810.000000000760C000.00000004.00000020.00020000.00000000.sdmp, SC_TR11670000.exe, 00000004.00000003.24248619646.000000000760C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: SC_TR11670000.exe, 00000004.00000003.24262321810.000000000760C000.00000004.00000020.00020000.00000000.sdmp, SC_TR11670000.exe, 00000004.00000003.24248619646.000000000760C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: SC_TR11670000.exe, SC_TR11670000.exe, 00000001.00000000.23291984818.0000000000409000.00000008.00000001.01000000.00000003.sdmp, SC_TR11670000.exe, 00000001.00000002.24270690849.0000000000409000.00000004.00000001.01000000.00000003.sdmp, SC_TR11670000.exe, 00000004.00000000.24087597436.0000000000409000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SC_TR11670000.exe, 00000001.00000000.23291984818.0000000000409000.00000008.00000001.01000000.00000003.sdmp, SC_TR11670000.exe, 00000001.00000002.24270690849.0000000000409000.00000004.00000001.01000000.00000003.sdmp, SC_TR11670000.exe, 00000004.00000000.24087597436.0000000000409000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.gopher.ftp://ftp.
Source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000626000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: SC_TR11670000.exe, 00000004.00000001.24088641658.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: SC_TR11670000.exe, 00000004.00000001.24088641658.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: SC_TR11670000.exe, 00000004.00000001.24088641658.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: SC_TR11670000.exe, 00000004.00000003.24249648061.00000000375DA000.00000004.00001000.00020000.00000000.sdmp, SC_TR11670000.exe, 00000004.00000003.24249648061.00000000375D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
Source: SC_TR11670000.exe, 00000004.00000003.24249648061.00000000375DA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com//
Source: SC_TR11670000.exe, 00000004.00000003.24249648061.00000000375DA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: SC_TR11670000.exe, 00000004.00000003.24249648061.00000000375DA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/v104
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: SC_TR11670000.exe, 00000001.00000003.23295089803.00000000028DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_004051CF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: SC_TR11670000.exe | Virustotal: Detection: 47%
Source: SC_TR11670000.exe | ReversingLabs: Detection: 51%
Source: unknown | Process created: C:\Users\user\Desktop\SC_TR11670000.exe C:\Users\user\Desktop\SC_TR11670000.exe
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Process created: C:\Users\user\Desktop\SC_TR11670000.exe C:\Users\user\Desktop\SC_TR11670000.exe (2 entries)
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6728 -s 212
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_0040449B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: Yara match | File source: Process Memory Space: SC_TR11670000.exe PID: 2852, type: MEMORYSTR
Source: Yara match | File source: 00000001.00000002.24272353899.0000000003E2A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.23294314112.00000000028DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.24273911659.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.24272353899.0000000003330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\fumigatorium\Tertser\Omstrukturdnr\Lejningerne\Krugerite.Fri, type: DROPPED
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_73EC2F20 push eax; ret (at 1_2_73EC2F4E)
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_03338B42 pushad ; retf (at 1_2_03338B48)
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_03335941 push eax; ret (at 1_2_0333594B)
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_033383A3 push edx; retf (at 1_2_033383A6)
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_03336BE4 push cs; iretd (at 1_2_03336BF6)
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_03338A2A pushad ; ret (at 1_2_03338A30)
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_03333403 push esi; ret (at 1_2_03333407)
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_03336EA5 pushfd ; retf (at 1_2_03336EA6)
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_73EC1A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Process information set: NOOPENFILEERRORBOX (3 entries)
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Process information set: NOGPFAULTERRORBOX (27 entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS|NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\SC_TR11670000.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe (2 entries)
Source: C:\Users\user\Desktop\SC_TR11670000.exe | File opened: C:\Program Files\qga\qga.exe (2 entries)
Source: C:\Users\user\Desktop\SC_TR11670000.exe | API call chain: ExitProcess graph end node (2 entries)
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: SC_TR11670000.exe, 00000001.00000002.24400891966.00000000090B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\SC_TR11670000.exe | Code function: 1_2_00402D63 GetTempPathA,GetTickCount,GetModuleFileNameA,GetFileSize,LdrInitializeThunk,GlobalAlloc,SetFilePointer