Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2496 CryptDestroyHash, |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA24F6 CryptDuplicateHash,CryptDecrypt,CryptDestroyHash, |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2406 CryptDuplicateHash, |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2466 CryptEncrypt,CryptDestroyHash, |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2595 CryptVerifySignatureW,CryptDestroyHash, |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA22C9 CryptGetHashParam, |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2279 CryptExportKey, |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA23B7 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2399 CryptGenKey,CryptDestroyKey,CryptReleaseContext, |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2335 CryptImportKey,LocalFree,CryptReleaseContext, |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2314 CryptReleaseContext, |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582496 CryptDestroyHash, |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582314 CryptDecodeObjectEx,CryptReleaseContext, |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582335 CryptImportKey,LocalFree,CryptReleaseContext, |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582399 CryptGenKey,CryptDestroyKey,CryptReleaseContext, |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_015823B7 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582279 CryptExportKey, |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_015822F5 CryptAcquireContextW, |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582595 CryptVerifySignatureW,CryptDestroyHash, |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582466 CryptEncrypt,CryptDestroyHash, |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582406 CryptDuplicateHash, |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_015824F6 CryptDuplicateHash,CryptDecrypt,CryptDestroyHash, |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_015822C9 CryptGetHashParam, |
Source: msrarunning.exe, 00000006.00000003.315865067.00000000012D4000.00000004.00000001.sdmp | String found in binary or memory: http://105.228.198.254:7080/ |
Source: msrarunning.exe, 00000006.00000003.315865067.00000000012D4000.00000004.00000001.sdmp | String found in binary or memory: http://105.228.198.254:7080/E |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | String found in binary or memory: http://169.0.142.82:8080/ |
Source: msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp | String found in binary or memory: http://169.0.142.82:8080/54 |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | String found in binary or memory: http://169.0.142.82:8080/nd |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | String found in binary or memory: http://169.0.142.82:8080/vd |
Source: msrarunning.exe, 00000006.00000002.480504793.0000000000EFC000.00000004.00000001.sdmp, msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | String found in binary or memory: http://187.205.170.3:990/ |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | String found in binary or memory: http://187.205.170.3:990/.95.159:990/ |
Source: msrarunning.exe, 00000006.00000002.481824760.00000000012D5000.00000004.00000020.sdmp | String found in binary or memory: http://187.205.170.3:990/54 |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | String found in binary or memory: http://187.205.170.3:990/Nd |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | String found in binary or memory: http://187.205.170.3:990/fd |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | String found in binary or memory: http://189.152.183.239/ |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | String found in binary or memory: http://189.152.183.239/Y |
Source: msrarunning.exe, 00000006.00000002.481824760.00000000012D5000.00000004.00000020.sdmp | String found in binary or memory: http://189.152.183.239/t |
Source: msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp | String found in binary or memory: http://83.110.95.159:990/ |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | String found in binary or memory: http://83.110.95.159:990/&d7- |
Source: msrarunning.exe, 00000006.00000002.481824760.00000000012D5000.00000004.00000020.sdmp | String found in binary or memory: http://83.110.95.159:990/0 |
Source: msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp | String found in binary or memory: http://83.110.95.159:990/54Q |
Source: msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp | String found in binary or memory: http://83.110.95.159:990/V |
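The "String found in binary or memory" lines above are raw memory-scan hits: the same endpoint recurs with different trailing bytes ("/54", "/Nd", "/V"), one hit is two adjacent strings run together ("http://187.205.170.3:990/.95.159:990/"), and the svchost.exe hits are Windows service strings (Bing Maps, Xbox Live, DigiCert OCSP) that the report does not attribute to the sample. The following is an added example, not part of the sandbox report or of any vendor tooling: it parses lines in this exact format, keeps only scheme/host/port, and treats URLs with an IPv4-literal host as the C2 candidates, which is an assumption about this sample rather than something the report states. The input lines are copied from the page and embedded as constructed sample data.

```python
"""Pull network IOCs out of flattened sandbox 'String found in binary or memory'
lines and normalise them to (scheme, host, port).

Added example: not code from the sandbox vendor or from the sample. The rule
"IPv4-literal host == C2 candidate" is the author's assumption for this report.
"""
import re
from urllib.parse import urlsplit

# Constructed input: lines copied from the report above, including the
# run-together artefact "http://187.205.170.3:990/.95.159:990/" and two
# svchost.exe strings that must not be attributed to the sample.
REPORT_LINES = """\
Source: msrarunning.exe, 00000006.00000003.315865067.00000000012D4000.00000004.00000001.sdmp | String found in binary or memory: http://105.228.198.254:7080/E |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | String found in binary or memory: http://169.0.142.82:8080/nd |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | String found in binary or memory: http://187.205.170.3:990/.95.159:990/ |
Source: msrarunning.exe, 00000006.00000002.481824760.00000000012D5000.00000004.00000020.sdmp | String found in binary or memory: http://187.205.170.3:990/54 |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | String found in binary or memory: http://189.152.183.239/Y |
Source: msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp | String found in binary or memory: http://83.110.95.159:990/54Q |
Source: svchost.exe, 00000009.00000002.483913722.000002EC13812000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0: |
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.comr |
""".splitlines()

MARKER = "String found in binary or memory:"
IPV4 = re.compile(r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$")


def parse_line(line):
    """Return (process_name, url) for a 'String found' line, else None."""
    cells = [c.strip() for c in line.split("|")]
    if len(cells) < 2 or not cells[0].startswith("Source:"):
        return None
    if MARKER not in cells[1]:
        return None
    # "Source: msrarunning.exe, 00000006...sdmp" -> keep only the image name
    process = cells[0][len("Source:"):].strip().split(",")[0].strip()
    url = cells[1].split(MARKER, 1)[1].strip()
    return process, url


def normalise(url):
    """Reduce a recovered URL to (scheme, host, port).

    Path and trailing bytes are dropped: in a memory scan they are whatever
    happened to follow the string. Hosts that are not IPv4 literals return
    None, which is what filters the Windows-service strings out.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host is None or not IPV4.match(host):
        return None
    try:
        port = parts.port
    except ValueError:          # garbage after the colon, e.g. "1.2.3.4:abc"
        port = None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.scheme, host, port


def extract_c2(lines):
    """Map each IPv4-literal endpoint to the set of processes whose memory held it."""
    endpoints = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        process, url = parsed
        endpoint = normalise(url)
        if endpoint is None:
            continue
        endpoints.setdefault(endpoint, set()).add(process)
    return endpoints


if __name__ == "__main__":
    for (scheme, host, port), procs in sorted(extract_c2(REPORT_LINES).items()):
        print(f"{host}:{port} ({scheme}) <- {', '.join(sorted(procs))}")
```

Run against the full list above, the same function collapses the 19 msrarunning.exe hits to the five distinct IP:port pairs and ignores everything found in svchost.exe; the run-together string is handled for free because only the authority part of the URL is kept.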
Source: svchost.exe, 00000009.00000002.483913722.000002EC13812000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: svchost.exe, 00000009.00000002.483913722.000002EC13812000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0: |
Source: svchost.exe, 00000009.00000002.483913722.000002EC13812000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0 |
Source: svchost.exe, 00000009.00000002.484840244.000002EC13B10000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: svchost.exe, 00000011.00000002.308960216.000001569B613000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com |
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com |
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com |
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com |
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.comr |
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net |
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device |
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device |
Source: svchost.exe, 00000011.00000003.308467618.000001569B65A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 00000011.00000002.309028609.000001569B65C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ |
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations |
Source: svchost.exe, 00000011.00000002.309004954.000001569B63D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/ |
Source: svchost.exe, 00000011.00000002.309028609.000001569B65C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ |
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx |
Source: svchost.exe, 00000011.00000003.308432109.000001569B648000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= |
Source: svchost.exe, 00000011.00000002.309028609.000001569B65C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ |
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations |
Source: svchost.exe, 00000011.00000002.309004954.000001569B63D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/ |
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving |
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit |
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking |
Source: svchost.exe, 00000011.00000003.308508445.000001569B640000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/ |
Source: svchost.exe, 00000011.00000003.308508445.000001569B640000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= |
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx |
Source: svchost.exe, 00000011.00000002.309028609.000001569B65C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? |
Source: svchost.exe, 00000011.00000003.308467618.000001569B65A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= |
Source: svchost.exe, 00000011.00000002.309028609.000001569B65C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= |
Source: svchost.exe, 00000011.00000002.309028609.000001569B65C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= |
Source: svchost.exe, 00000011.00000003.308397736.000001569B664000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t |
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx |
Source: svchost.exe, 00000011.00000002.309004954.000001569B63D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ |
Source: svchost.exe, 00000011.00000003.286711862.000001569B632000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= |
Source: svchost.exe, 00000011.00000002.309004954.000001569B63D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx |
Source: svchost.exe, 00000011.00000002.309004954.000001569B63D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.308960216.000001569B613000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= |
Source: svchost.exe, 00000011.00000003.286711862.000001569B632000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= |
Source: svchost.exe, 00000011.00000003.308508445.000001569B640000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= |
Source: svchost.exe, 00000011.00000003.286711862.000001569B632000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= |
Source: svchost.exe, 00000011.00000003.286711862.000001569B632000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen |
Source: svchost.exe, 00000011.00000003.308432109.000001569B648000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen |
Source: 00000000.00000002.212288486.0000000000D21000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly |
Source: 00000005.00000002.229142026.0000000000B11000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly |
Source: 00000006.00000002.482015534.0000000001581000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly |
Source: 00000001.00000002.230150499.0000000000AA1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly |
Source: 0.2.HU4TEm4Vr7.exe.d20000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly |
Source: 1.2.HU4TEm4Vr7.exe.aa0000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly |
Source: 6.2.msrarunning.exe.1580000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly |
Source: 5.2.msrarunning.exe.b10000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B3A692 |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B3B060 |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B3B8D4 |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B35CC0 |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B3A330 |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B34D6F |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B31357 |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA56EF |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA56EF |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 5_2_00B156EF |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 5_2_00B156EF |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_015856EF |
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_015856EF |
Source: 00000000.00000002.212288486.0000000000D21000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 00000005.00000002.229142026.0000000000B11000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 00000006.00000002.482015534.0000000001581000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 00000001.00000002.230150499.0000000000AA1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 0.2.HU4TEm4Vr7.exe.d20000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 1.2.HU4TEm4Vr7.exe.aa0000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 6.2.msrarunning.exe.1580000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: 5.2.msrarunning.exe.b10000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload |
Source: unknown | Process created: C:\Users\user\Desktop\HU4TEm4Vr7.exe 'C:\Users\user\Desktop\HU4TEm4Vr7.exe' |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Process created: C:\Users\user\Desktop\HU4TEm4Vr7.exe C:\Users\user\Desktop\HU4TEm4Vr7.exe |
Source: unknown | Process created: C:\Windows\SysWOW64\msrarunning.exe C:\Windows\SysWOW64\msrarunning.exe |
Source: C:\Windows\SysWOW64\msrarunning.exe | Process created: C:\Windows\SysWOW64\msrarunning.exe C:\Windows\SysWOW64\msrarunning.exe |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc |
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup |
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p |
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe |
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p |
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Process created: C:\Users\user\Desktop\HU4TEm4Vr7.exe C:\Users\user\Desktop\HU4TEm4Vr7.exe |
Source: C:\Windows\SysWOW64\msrarunning.exe | Process created: C:\Windows\SysWOW64\msrarunning.exe C:\Windows\SysWOW64\msrarunning.exe |
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable |
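Two things stand out in the process-creation lines above: HU4TEm4Vr7.exe and the SysWOW64 copy msrarunning.exe each spawn a new instance of their own image, and both are the processes the Emotet YARA rule matched. The following is an added example, not part of the sandbox report or of any vendor tooling: it rebuilds a parent/child table from lines in this exact "Source: ... | Process created: image cmdline |" format and flags self-relaunch (parent image equal to child image) and execution from a user profile directory. Those two heuristics are the author's own choice of triage rules; the input lines are copied from the page and embedded as constructed sample data.

```python
"""Rebuild a parent/child process table from flattened sandbox 'Process created'
lines and flag the self-relaunch pattern seen above.

Added example, not part of the sandbox report. The triage rules (self-relaunch,
image under C:\\Users\\) are the author's assumptions, not something the report
states.
"""
import re
from collections import defaultdict

# Constructed input: lines copied from the report above (raw string, so the
# Windows paths keep their single backslashes).
PROCESS_LINES = r"""
Source: unknown | Process created: C:\Users\user\Desktop\HU4TEm4Vr7.exe 'C:\Users\user\Desktop\HU4TEm4Vr7.exe' |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Process created: C:\Users\user\Desktop\HU4TEm4Vr7.exe C:\Users\user\Desktop\HU4TEm4Vr7.exe |
Source: unknown | Process created: C:\Windows\SysWOW64\msrarunning.exe C:\Windows\SysWOW64\msrarunning.exe |
Source: C:\Windows\SysWOW64\msrarunning.exe | Process created: C:\Windows\SysWOW64\msrarunning.exe C:\Windows\SysWOW64\msrarunning.exe |
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS |
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
""".strip().splitlines()

MARKER = "Process created:"
# The image path is unquoted and may contain spaces ("Program Files"), so it
# ends at the first ".exe" that is followed by whitespace or end of string.
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)(?:\s+(?P<cmdline>.*))?$", re.IGNORECASE)


def parse_process_line(line):
    """Return (parent_image_or_'unknown', child_image, cmdline) or None."""
    cells = [c.strip() for c in line.split("|")]
    if len(cells) < 2 or not cells[0].startswith("Source:"):
        return None
    if not cells[1].startswith(MARKER):
        return None
    parent = cells[0][len("Source:"):].strip()
    m = IMAGE_RE.match(cells[1][len(MARKER):].strip())
    if not m:
        return None
    return parent, m.group("image"), m.group("cmdline") or ""


def build_tree(lines):
    """parent image (lower-cased) -> list of (child image, cmdline)."""
    children = defaultdict(list)
    for line in lines:
        rec = parse_process_line(line)
        if rec:
            parent, image, cmdline = rec
            children[parent.lower()].append((image, cmdline))
    return children


def find_self_relaunch(lines):
    """Images that create a process of their own path (parent == child image)."""
    hits = set()
    for line in lines:
        rec = parse_process_line(line)
        if rec and rec[0].lower() == rec[1].lower():
            hits.add(rec[1])
    return hits


def find_user_profile_images(lines):
    """Child images launched from under C:\\Users\\ (author's triage rule)."""
    hits = set()
    for line in lines:
        rec = parse_process_line(line)
        if rec and rec[1].lower().startswith("c:\\users\\"):
            hits.add(rec[1])
    return hits


def triage(lines):
    """Summary dict a reviewer can read top to bottom."""
    return {
        "self_relaunch": sorted(find_self_relaunch(lines)),
        "user_profile_images": sorted(find_user_profile_images(lines)),
    }


if __name__ == "__main__":
    for parent, kids in build_tree(PROCESS_LINES).items():
        for image, cmdline in kids:
            print(f"{parent} -> {image} [{cmdline}]")
    print(triage(PROCESS_LINES))
```

The svchost.exe, MpCmdRun.exe and conhost.exe lines stay in the table but trip neither rule, which leaves exactly the two images the YARA matches name. The self-relaunch rule is the useful one on a real host: a process creating a child from its own image path is rare for ordinary applications and easy to express on top of Sysmon event 1 (compare Image with ParentImage).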
Source: svchost.exe, 00000007.00000002.250563753.0000023BACEA0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.299633906.0000021FC0F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.482752660.000001879E740000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.345743598.000001FAAE860000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWP |
Source: svchost.exe, 00000009.00000002.484316810.000002EC13860000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW |
Source: msrarunning.exe, 00000006.00000003.315865067.00000000012D4000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.484208899.000002EC13853000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW |
Source: svchost.exe, 0000000D.00000002.480691086.0000021AD4602000.00000004.00000001.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService |
Source: svchost.exe, 00000009.00000002.480719156.000002EC0E229000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW@Q |
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%q |
Source: svchost.exe, 00000007.00000002.250563753.0000023BACEA0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.299633906.0000021FC0F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.482752660.000001879E740000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.345743598.000001FAAE860000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: svchost.exe, 00000007.00000002.250563753.0000023BACEA0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.299633906.0000021FC0F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.482752660.000001879E740000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.345743598.000001FAAE860000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.480907992.00000251E1029000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: svchost.exe, 00000007.00000002.250563753.0000023BACEA0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.299633906.0000021FC0F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.482752660.000001879E740000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.345743598.000001FAAE860000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: svchost.exe, 0000000D.00000002.480881764.0000021AD463E000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll @ |
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\SysWOW64\msrarunning.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation |