Source: |
Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\AEGISIIIRadeonHelper.pdb source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
Source: |
Binary string: mshtml.pdb source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000649000.00000020.00000001.01000000.00000007.sdmp |
Source: |
Binary string: mshtml.pdbUGP source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000649000.00000020.00000001.01000000.00000007.sdmp |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 2_2_0040626D FindFirstFileA,FindClose, |
2_2_0040626D |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 2_2_00405732 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, |
2_2_00405732 |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 2_2_004026FE FindFirstFileA, |
2_2_004026FE |
Source: Traffic |
Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.11.20:49802 -> 185.246.220.85:80 |
Source: Traffic |
Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.11.20:49802 -> 185.246.220.85:80 |
Source: Traffic |
Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.11.20:49802 -> 185.246.220.85:80 |
Source: Traffic |
Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.11.20:49802 -> 185.246.220.85:80 |
Source: Traffic |
Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.11.20:49802 -> 185.246.220.85:80 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.246.220.85 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 9.9.9.9 |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0 |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://crl.globalsign.com/root.crl0G |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
Source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000649000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. |
Source: HfJLn9erXb.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_Error |
Source: HfJLn9erXb.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://ocsp.digicert.com0O |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://ocsp.globalsign.com/rootr103 |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://ocsp2.globalsign.com/rootr306 |
Source: HfJLn9erXb.exe, 00000007.00000002.1394683653.0000000002310000.00000004.00000020.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1394683653.00000000022A8000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ruhsalgelisim.com/jgEyxsZj50.ttf |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0 |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000649000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://www.gopher.ftp://ftp. |
Source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000626000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD |
Source: HfJLn9erXb.exe, 00000007.00000001.1217313379.00000000005F2000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd |
Source: HfJLn9erXb.exe, 00000007.00000001.1217313379.00000000005F2000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd |
Source: HfJLn9erXb.exe, 00000007.00000001.1217313379.0000000000649000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 |
Source: HfJLn9erXb.exe, 00000007.00000003.1356636697.0000000032480000.00000004.00001000.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000003.1356636697.000000003248A000.00000004.00001000.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1394683653.00000000022A8000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/ |
Source: HfJLn9erXb.exe, 00000007.00000003.1356636697.000000003248A000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com// |
Source: HfJLn9erXb.exe, 00000007.00000003.1356636697.000000003248A000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/https://login.live.com/ |
Source: HfJLn9erXb.exe, 00000007.00000002.1394683653.00000000022A8000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/tft |
Source: HfJLn9erXb.exe, 00000007.00000003.1356636697.000000003248A000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/v104 |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: HfJLn9erXb.exe, 00000002.00000003.1006931572.00000000028E7000.00000004.00000020.00020000.00000000.sdmp, AEGISIIIRadeonHelper.dll.2.dr |
String found in binary or memory: https://www.globalsign.com/repository/0 |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 2_2_004051CF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, |
2_2_004051CF |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 2_2_004031D6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
2_2_004031D6 |
Source: unknown |
Process created: C:\Users\user\Desktop\HfJLn9erXb.exe C:\Users\user\Desktop\HfJLn9erXb.exe |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Process created: C:\Users\user\Desktop\HfJLn9erXb.exe C:\Users\user\Desktop\HfJLn9erXb.exe |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1368 |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Process created: C:\Users\user\Desktop\HfJLn9erXb.exe C:\Users\user\Desktop\HfJLn9erXb.exe |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 2_2_0040449B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, |
2_2_0040449B |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 2_2_735D2F20 push eax; ret |
2_2_735D2F4E |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 2_2_03335F04 push es; ret |
2_2_03335F06 |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 2_2_033303E6 push 620F66DAh; iretd |
2_2_033303EB |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 2_2_03330E2F push ds; ret |
2_2_03330E38 |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 2_2_0333208F push edx; retf |
2_2_03332090 |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 7_2_01665F04 push es; ret |
7_2_01665F06 |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 7_2_016603E6 push 620F66DAh; iretd |
7_2_016603EB |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 7_2_01660E2F push ds; ret |
7_2_01660E38 |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 7_2_0166208F push edx; retf |
7_2_01662090 |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Code function: 2_2_735D1A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, |
2_2_735D1A9C |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
Process information set: NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
File opened: C:\Program Files\qga\qga.exe |
Source: C:\Users\user\Desktop\HfJLn9erXb.exe |
API call chain: ExitProcess graph end node |
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Guest Shutdown Service |
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicshutdown |
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V PowerShell Direct Service |
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Time Synchronization Service |
Source: HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicvss |
Source: HfJLn9erXb.exe, 00000007.00000002.1394683653.0000000002318000.00000004.00000020.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1394683653.0000000002324000.00000004.00000020.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1394683653.00000000022A8000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Data Exchange Service |
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Heartbeat Service |
Source: HfJLn9erXb.exe, 00000002.00000002.1392688379.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V Guest Service Interface |
Source: HfJLn9erXb.exe, 00000007.00000002.1396621417.0000000003E99000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmicheartbeat |